Commits on Aug 15, 2016
Commits on Jun 12, 2016
  1. Fix intermittent "error 2300 token not found"

    In some rare cases, collapse_cache_token() would attempt to touch a
    token that does not exist. This can happen when the current user does
    not have any TOKEN_COLLAPSE token, and the MANTIS_collapse_cookie
    contains a non-empty value that does not form a valid, colon-delimited
    pair.
    
    The issue has been addressed by adding a token_exists() check prior to
    calling token_touch().
    
    Fixes #21068
    dregad committed Jun 11, 2016
Commits on Jun 6, 2016
  1. Fix XSS in custom fields management

    Kacper Szurek (http://security.szurek.pl/) discovered an XSS
    vulnerability in Custom fields management pages, caused by unescaped
    output of 'return URL' GPC parameter. His report describes two ways to
    exploit this issue:
    
    1. using 'accesskey' inside hidden input field (see [1]) reflects XSS to
       the administrator in manage_custom_field_edit_page.php when the
       keyboard shortcut is actioned
    2. using 'javascript:' URI scheme executes the code when the user clicks
       the [Proceed] link on manage_custom_field_update.php after updating
       a custom field
    
    This commit fixes both attack vectors:
    
    - properly escape the return URL prior to printing it on the hidden form
      field
    - let html_operation_successful() sanitize the URL before displaying
      it, just like html_meta_redirect() does. In this case, if the
    string contains a URI scheme, it will be replaced by 'index.php'
    
    [1] http://blog.portswigger.net/2015/11/xss-in-hidden-input-fields.html
    
    Fixes #20956
    
    This is a backport from master 3f2779b4c6dc8d465fb73c08cfa1d806184d2e79.
    dregad committed Jun 6, 2016
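The two fixes described in the commit above, written out as stand-alone PHP functions. This is an added example, not MantisBT's own code: the function names and the `return` field name are assumptions, as is the scheme check, which follows the RFC 3986 scheme grammar rather than whatever `html_meta_redirect()` does internally.

```php
<?php
// Added example, not MantisBT's own code. Function names, the 'return'
// field name and the scheme-detection rule are assumptions.

// Fix 2: refuse any return URL that carries a URI scheme (javascript:,
// data:, http:, ...) and fall back to 'index.php', the behaviour the
// commit describes for html_operation_successful() / html_meta_redirect().
function sanitize_return_url( $p_url, $p_default = 'index.php' ) {
	$t_url = trim( (string)$p_url );
	if( $t_url === '' ) {
		return $p_default;
	}
	// RFC 3986: scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ), then ':'.
	// Drop control characters first so a scheme broken up by them is still seen.
	$t_probe = preg_replace( '/[\x00-\x20]/', '', $t_url );
	if( preg_match( '/^[a-z][a-z0-9+.\-]*:/i', $t_probe ) === 1 ) {
		return $p_default;
	}
	// A protocol-relative URL (//host/... or \\host\...) is off-site as well.
	if( preg_match( '#^[\\\\/]{2}#', $t_url ) === 1 ) {
		return $p_default;
	}
	return $t_url;
}

// Fix 1: escape before interpolating into HTML. A hidden field is not
// inert: an unescaped double quote in the value closes the attribute and
// whatever follows it becomes markup the browser will honour.
function hidden_return_url_field( $p_url ) {
	return '<input type="hidden" name="return" value="'
		. htmlspecialchars( $p_url, ENT_QUOTES, 'UTF-8' ) . '" />';
}

// The [Proceed] link: sanitize first, then escape for the attribute context.
function proceed_link( $p_url ) {
	$t_href = htmlspecialchars( sanitize_return_url( $p_url ), ENT_QUOTES, 'UTF-8' );
	return '<a href="' . $t_href . '">Proceed</a>';
}

// Constructed inputs: a normal page, a scheme-bearing value, and one with
// a tab inserted into the scheme.
var_dump( sanitize_return_url( 'manage_custom_field_page.php' ) );
var_dump( sanitize_return_url( 'javascript:void(0)' ) );
var_dump( sanitize_return_url( "JaVa\tScRiPt:void(0)" ) );
echo hidden_return_url_field( 'a"b' ), "\n";
echo proceed_link( 'manage_custom_field_page.php?x=1&y=2' ), "\n";
```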
Commits on May 16, 2016
  1. Correct variable name in admin guide

    Fixes #20915
    atrol committed May 16, 2016
Commits on May 12, 2016
  1. Fix token_touch() call in collapse_cache_token()

    token_touch() requires a token ID, but we give it a TOKEN_COLLAPSE token
    type instead, so collapse_cache_token() always tries to update token # 5
    rather than the user's token.
    
    Fixes #20824
    
    Backported from master fd47e9c.
    Conflicts:
    	core/collapse_api.php
    dregad committed Apr 18, 2016
  2. Use ':' as separator in collapse_settings cookie

    Previously we were using a comma, which is not a valid character in a
    cookie (per RFC6265 section 4.1.1 [1]).
    
    Fixes #20822
    
    [1] http://tools.ietf.org/html/rfc6265#section-4.2.1
    
    Backported from master e3956c2
    Conflicts:
    	js/common.js
    dregad committed Apr 18, 2016
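The three collapse-cookie commits on this page (the "error 2300 token not found" fix, the token_touch() id-versus-type fix, and the ':' separator change) share one defensive parsing pattern, shown here as an added example that is not MantisBT's own code. The cookie layout ("name:state" entries joined by '|'), the TOKEN_COLLAPSE value, and the two callables standing in for MantisBT's token lookup and token_touch() are assumptions.

```php
<?php
// Added example, not MantisBT's own code. Cookie layout, TOKEN_COLLAPSE value
// and the $p_token_get / $p_token_touch callables are assumptions.

if( !defined( 'TOKEN_COLLAPSE' ) ) {
	define( 'TOKEN_COLLAPSE', 5 );   // type id implied by the "token # 5" message
}

// RFC 6265 s4.1.1: cookie-octet = %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E,
// i.e. printable ASCII minus whitespace, DQUOTE, comma, semicolon, backslash.
// ':' (0x3A) is a legal cookie-octet; ',' (0x2C) is not, hence the separator change.
function cookie_value_is_valid( $p_value ) {
	return preg_match( '/^[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]*$/', $p_value ) === 1;
}

// Returns array( name => bool ). Entries that do not form exactly one
// "name:state" pair are skipped rather than acted upon.
function parse_collapse_cookie( $p_cookie ) {
	$t_result = array();
	if( !cookie_value_is_valid( $p_cookie ) ) {
		return $t_result;   // not something a conforming browser would send
	}
	foreach( explode( '|', $p_cookie ) as $t_entry ) {
		$t_pair = explode( ':', $t_entry );
		if( count( $t_pair ) != 2 || $t_pair[0] === '' ) {
			continue;   // "junk" or "a:1:2" -> no valid pair, ignore it
		}
		$t_result[$t_pair[0]] = ( $t_pair[1] === '1' );
	}
	return $t_result;
}

// Touch the user's collapse token only when (a) the cookie yielded something
// to persist and (b) the token actually exists, and touch it by *id*, never
// by passing the TOKEN_COLLAPSE *type*. Returns true if a touch happened.
function collapse_touch_token( $p_user_id, $p_cookie, $p_token_get, $p_token_touch ) {
	if( empty( parse_collapse_cookie( $p_cookie ) ) ) {
		return false;   // malformed or empty cookie: nothing to record
	}
	$t_token = $p_token_get( TOKEN_COLLAPSE, $p_user_id );   // array or null
	if( $t_token === null ) {
		return false;   // this is the case that produced "error 2300 token not found"
	}
	$p_token_touch( $t_token['id'] );
	return true;
}
```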
Commits on May 1, 2016
  1. PHP7: Remove old-style constructors

    One function was omitted from a9731e9.
    
    Fixes #20501
    dregad committed May 1, 2016
Commits on Apr 30, 2016
  1. Require user pref API in lang API

    If the user pref API has not yet been loaded and an error is triggered,
    then the error API is not able to retrieve the error message because
    language API cannot get the user's preferred language.
    
    Fixes #20864
    dregad committed Apr 30, 2016
Commits on Mar 27, 2016
  1. Status legend doesn't show final workflow states

    The patch for issue #11553 did not properly fix the problem, as the code
    only checked for the workflow allowing to leave a state.
    
    We now also cover the case of entering the state.
    
    Fixes #20746
    dregad committed Mar 24, 2016
Commits on Mar 22, 2016
  1. Fix typos in developers guide

    Fixes #20743
    atrol committed Mar 22, 2016
Commits on Mar 1, 2016
Commits on Jan 14, 2016
  1. Do not fetch column twice in the same query

    Doing so with mssqlnative driver triggers a PHP NOTICE in ADOdb library,
    likely due to the use of associative fetch mode.
    
    Fixes #20513
    dregad committed Jan 14, 2016
Commits on Jan 11, 2016
  1. PHP7: Remove old-style constructors

    PHP4-style constructors are deprecated in PHP7.
    
    Fixes #20501
    dregad committed Jan 11, 2016
Commits on Jan 2, 2016
  1. Travis: squelch PHP built-in server's output

    Improves readability of the build's log by removing unnecessary noise.
    dregad committed Dec 23, 2015
Commits on Dec 23, 2015
Commits on Dec 14, 2015
  1. Revert "Travis: fix PHP 5.5 builds"

    This reverts commit 170c821.
    
    The Travis team fixed the PHPUnit version issue.
    dregad committed Dec 14, 2015
Commits on Dec 8, 2015
  1. Revert "Problems if the json-message contains special characters [...]"

    This reverts commit 031afb6.
    
    As per the JSON specification in RFC 7159 section 8.1, "JSON text
    SHALL be encoded in UTF-8, UTF-16, or UTF-32". [1]
    
    It is therefore incorrect to apply utf8_encode() function to the data
    received from the server since it is already in Unicode by definition.
    
    Fixes #20350
    
    [1] https://tools.ietf.org/html/rfc7159#section-8.1
    
    Conflicts:
            library/adodb
            library/phpmailer
    dregad committed Dec 8, 2015
  2. access_denied() now proceeds to default_home_page

    Prior to this, it was redirecting to 'main_page.php'.
    
    Fixes #20364
    dregad committed Dec 8, 2015
Commits on Dec 7, 2015
  1. Travis: fix PHP 5.5 builds

    Travis PHP 5.5 builds are currently failing due to their using PHPUnit
    5.x, which does not support PHP 5.5.
    
    As a workaround, we manually install PHPUnit 4.x.
    
    Fixes #20353
    dregad committed Dec 7, 2015
Commits on Dec 6, 2015
  1. Fix 2-byte attachment saved to DB when upload_method is DISK

    Commit 4f4e69b changed file_add() to
    use bind parameters, but failed to remove quotes escaping of $c_content
    variable.
    
    This results in an invalid 2-byte attachment (containing 2 single
    quotes "''") being stored in the file table in addition to the one saved
    to disk as expected, which does not actually have any impact unless the
    admin tries to move attachments from DB to disk; in that case, the valid
    files are overwritten, causing loss of data.
    
    The problem is fixed by setting $c_content to an empty string.
    
    Previously fixed in master branch commit
    02bbb99
    
    Fixes #20340
    dregad committed Dec 6, 2015
Commits on Oct 31, 2015
  1. Remove reference to mantisbt-announce

    Remove reference to mantisbt-announce and mention that announcements will be sent to
    users registered on our official bugtracker.
    
    Fixes #19378
    vboctor committed Oct 31, 2015
Commits on Oct 25, 2015
  1. Documentation and code clean up for plugin events

    After my question in issue #20183, here is some clean up for the events
    documentation:
    
    - Added doc for missing parameters:
      - EVENT_LOG
      - EVENT_DISPLAY_FORMATTED
      - EVENT_MENU_ISSUE
      - EVENT_VIEW_BUG_ATTACHMENT
      - EVENT_MANAGE_OVERVIEW_INFO
    - Missing documentation for event EVENT_DISPLAY_EMAIL_BUILD_SUBJECT
    - Code clean up on usage of events:
      - EVENT_UPDATE_BUG_FORM
      - EVENT_UPDATE_BUG_FORM_TOP
    - Change comments to reflect actual types for function event_type_chain()
    - Apply consistent formatting to documentation
    
    Backported from master 9fcdd06
    dregad committed Oct 24, 2015
  2. Fix docbook build error

    dregad committed Oct 25, 2015
  3. Documentation. Format consistency

    cproensa committed with dregad Oct 22, 2015
  4. Change comments for method types

    Parameters are not always String, e.g. EVENT_UPDATE_BUG_DATA
    
    Backport from ac63e6b
    Conflicts:
    	core/event_api.php
    dregad committed Oct 24, 2015
  5. Remove unused parameter in event calls

    Undocumented and no longer needed.
    Should have been removed by issue #10890
    
    This is a manual backport from bc61326
    dregad committed Oct 24, 2015
  6. Documentation for plugin events. Missing parameters

    Backport from b771d8a
    Conflicts:
    	docbook/developers/en/event-reference-output.sgml
    cproensa committed with dregad Oct 22, 2015
Commits on Sep 16, 2015
  1. Doc: update obsolete $g_allow_bug_delete_access_level

    This config option has been replaced by $g_delete_bug_threshold in 2003
    (see dea2c10 and
    c68711c).
    
    Fixes #20116
    dregad committed Sep 16, 2015
Commits on Aug 20, 2015
  1. Set bug attachment ownership when copying them

    file_copy_attachments() did not set user_id when inserting the new
    attachment, resulting in that field being set to 0.
    
    The user_id is now set to the original issue's.
    
    Fixes #20018
    
    Backport from master 8392a9b.
    dregad committed Aug 13, 2015
Commits on Aug 18, 2015
  1. Check tag existence when filtering

    Fixes #20041
    atrol committed Aug 18, 2015
Commits on Jun 24, 2015
  1. Change default threshold to view project doc to VIEWER

    Previously it was ANYBODY, which would let any user download files from
    any project including private ones, even when they are not part of the
    team.
    
    Backport from a4be76d
    
    Fixes #19873
    dregad committed Jun 24, 2015
  2. Trigger generic error when downloading non-existent attachment

    This prevents PHP warnings and notices as the code attempts to process
    an empty result set from the query.
    
    Backport from b96e49d
    
    Fixes #19879
    dregad committed Jun 24, 2015