Commits on Sep 5, 2011
  1. Fix #12361: Private bug visibility leak in my_view/view_all_bug_page

    In the My View / View Issues screens, private bugs in public projects
    (and probably private projects too) appear to ignore the
    private_bug_threshold value of their project unless you select it. When
    some projects have tighter security on viewing private bugs than others,
    this creates a situation where a user who should not be able to see a
    bug can still discover its existence in My View and View Issues. Viewing
    it fails with 'access denied', but if the summary had confidential
    information in it then the security leak has already happened.
    
    I don't consider giving All Projects the tighter security to be a usable
    workaround, because then you can't find bugs in the projects that use
    normal security for private bugs, until you select one of them, but then
    you can only see the subproject hierarchy you just went into.
    
    Steps to reproduce:
    ------
    On a fresh 1.2.2 install try this:
    
    Create a public project.
    In the project, edit thresholds so that you need manager to view private
    bugs.
    Submit a private bug to that project.
    
    Login as a different user with global access of developer. View All
    Projects.
    
    You can see the bug in MyView / ViewIssues but then when you click on it
    you get an Access Denied screen. If you select the bug's project, then
    it correctly disappears.
    ------
    
    Signed-off-by: David Hicks <d@hx.id.au>
    Todd Whitesel committed with davidhicks Sep 5, 2011
  2. Fix #13140: Incorrect permissions check during bug reporting and cloning

    Todd Whitesel reported an issue with incorrect permissions checks being
    performed when cloning issues. The steps to reproduce this bug were
    provided by Todd:
    
    ------
    Fresh 1.2.5 install.
    
    Create two users, a Developer and an Updater.
    Create a private project.
    (Actually create a couple more projects so you can see the project
    selector.)
    Add both users to the private project AS MANAGERS.
    Login as Developer, select the private project, and create an issue.
    Login as Updater, select All Projects, and attempt to clone that issue.
    It fails with ACCESS DENIED error #13. Also note that your access level
    was Manager while editing the cloned issue, but in the error screen your
    access level is back to your global access of Updater.
    
    As Updater, Select the private project, create an issue. Then select All
    Projects, and attempt to clone that issue. It succeeds, apparently
    because you are cloning your own issue.
    
    Create a public project and attach the private project as a subproject
    of it. Retry the above cloning tests with the public parent project
    instead of All Projects -- the results are the same whether you select
    All Projects or the parent project.
    ------
    
    The problem was that the current project (from the project selector
    dropdown) was used as the basis for config_get calls, thus leading to
    incorrect permissions and settings being used within bug_report.php. We
    need to instead switch (temporarily) the current project to either the
    master issue (when cloning) or the specified project_id (when creating a
    new issue via bug_report_page.php).
    
    Thanks again to Todd for the discovery and debugging of this problem, the
    detailed bug report and initial patch (that has been extended to resolve
    the second project_id issue from bug_report_page.php).
    
    Conflicts:
    	bug_report.php
    davidhicks committed Sep 5, 2011
  3. Fix #13141: Incorrect parameters to config_get function

    Thanks to Todd Whitesel for finding this problem in filter_api.php and
    to Roland Becker for providing further assistance.
    
    I have grepped the source code and reviewed all other calls to
    config_get to ensure they correctly use parameters. There was one
    additional bug discovered in bug_report_page.php.
    
    Conflicts:
    	bug_report_page.php
    davidhicks committed Sep 5, 2011
Commits on Sep 4, 2011
  1. Allow more control over the excel api's output

    The following changes have been made:
    
    - allow declaration of Spreadsheet styles to control the appearance of
      rows and cells
    - allow setting of attributes on individual cells
    
    The actual output of the excel export is unchanged.
    
    The API changes are completely backwards compatible.
    
    Fixes #13290: Allow more control over excel export format
    rombert committed Sep 4, 2011
  2. Using just script_name is OK, but it's feasible that SCRIPT_NAME isn't set - this is more common in (badly configured?) nginx servers

    grangeway committed Sep 4, 2011
  3. Remove unreachable code branch in config_defaults_inc.php

    Commit 57c9448 introduced an
    unreachable code branch that has no effect. Removed.
    
    The functionality will likely need to be rechecked by Paul/John to see
    whether we do want to use PHP_SELF.
    davidhicks committed Sep 4, 2011
Commits on Aug 29, 2011
  1. Project override should only apply if $p_project hasn't been explicitly set.

    For the most part, we use config_get(var) to get information for the current project [or overridden project]
    
    If we are explicitly passing in a project ID, we should use this ID instead, and not override.
    grangeway committed Aug 29, 2011
  2. Fix issue introduced previously whereby PHP_SELF is now used unchecked.

    Introduced previously by John attempting to fix symlinks. Since we now use PHP 5.2, we can make use of filter_var.
    
    This is a simpler version of what we were trying to do previously aka http://git.mantisforge.org/w/mantisbt.git?a=commitdiff;h=5ac1fdf32717d0c82cca7e7660dd4fd316a6a1b8
    
    Depending on server/mantis config this can lead to XSS issues
    grangeway committed Aug 29, 2011
  3. Rework the bug action group api such that we can easily convert this to an object in the future, and to validate calls to require once.

    This leads to a security issue identified by IBM's Appscan program, whereby calls to require_once are not validated.
    Depending on webserver configuration, this is a file inclusion vulnerability.
    
    There will be a follow up commit to config api - probably:
    -		if( $g_project_override != null ) {
    +		if( $g_project_override != null && $p_project == null ) {
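    Review bot: "$p_project == null" is a loose comparison in PHP, so a project id of 0 or an empty string also counts as "not set" and the override would still replace it; if the intent is "only when no project was explicitly passed", is_null( $p_project ) or "$p_project === null" states that exactly.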
    
    At the moment, the action group API calls config_get with a project parameter to use. This is ignored, due to project_override being set - so we either need to:
    a) change project override within the command list function
    b) modify config api to only use the project override *if* it is attempting to look up information on the default project.
    grangeway committed Aug 29, 2011
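The config_get project-override behaviour discussed in the two Aug 29 commits above (project override vs. an explicitly passed project, and the bug action group API calling config_get with a project parameter that is ignored), as an added illustration that is not MantisBT code: a simplified stand-in for config_get() with the pre-fix and post-fix conditions side by side. The option table, project ids 7 and 9 and the function names are constructed; only $g_project_override and $p_project come from the commit messages. With an override for project 9 active, the pre-fix version returns project 9's value although project 7 was requested, while the post-fix version returns project 7's.

```php
<?php
// Added illustration, not MantisBT code: a simplified stand-in for config_get()
// showing why an active project override must yield to an explicitly passed
// project id. The option table, project ids and helper names are constructed;
// $g_project_override and $p_project follow the commit messages.

// Constructed per-project values; project 0 acts as the default row.
$g_sample_config = array(
    'private_bug_threshold' => array( 0 => 'developer', 7 => 'manager', 9 => 'updater' ),
);
$g_project_override = null;   // set while the core iterates another project
$g_current_project  = 0;      // project chosen in the selector

// Before the follow-up: the override wins even when the caller asked for a
// specific project, so the caller's project id is silently ignored.
function config_get_before( $p_option, $p_project = null ) {
    global $g_sample_config, $g_project_override, $g_current_project;
    if ( $g_project_override != null ) {
        $p_project = $g_project_override;
    } elseif ( $p_project === null ) {
        $p_project = $g_current_project;
    }
    $t_values = $g_sample_config[$p_option];
    return isset( $t_values[$p_project] ) ? $t_values[$p_project] : $t_values[0];
}

// After: the override applies only when no project was passed. is_null() is
// used instead of the loose "== null" from the message so that an explicit
// project id of 0 is not treated as "not set" (0 == null is true in PHP).
function config_get_after( $p_option, $p_project = null ) {
    global $g_sample_config, $g_project_override, $g_current_project;
    if ( $g_project_override != null && is_null( $p_project ) ) {
        $p_project = $g_project_override;
    } elseif ( $p_project === null ) {
        $p_project = $g_current_project;
    }
    $t_values = $g_sample_config[$p_option];
    return isset( $t_values[$p_project] ) ? $t_values[$p_project] : $t_values[0];
}

// An override for project 9 is active while a caller needs project 7's value,
// the situation the bug action group API ran into.
$g_project_override = 9;
echo 'before: ', config_get_before( 'private_bug_threshold', 7 ), "\n";
echo 'after:  ', config_get_after( 'private_bug_threshold', 7 ), "\n";
```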
  4. Remove accidental commit of config_inc.php

    The file "12x" was accidentally committed by Damien in commit
    bcfdfff. Deleted.
    davidhicks committed Aug 20, 2011
Commits on Aug 18, 2011
  1. Fix #13245: XSS issues with search.php parameters

    Net.Edit0r (Net.Edit0r@Att.net) from BlACK Hat Group
    [http://black-hg.org] posted a vulnerability report for an XSS issue in
    search.php for MantisBT 1.2.6.
    
    The full report is available at
    http://packetstormsecurity.org/files/104149
    
    filter_api.php is the culprit for this vulnerability as it passes user
    supplied search parameters back into output without first escaping the
    values.
    
    It should be noted that numerous other XSS vulnerabilities (all related)
    have been fixed with this patch. In other words, it is not just the
    project_id parameter to search.php that was affected - it was numerous
    other parameters/fields as well.
    
    The second SQL injection vulnerability identified by Net.Edit0r is
    invalid because the only time we ever make reference to "mbadmin" in the
    source code is:
    
    core.php:
    if ( file_exists( 'mantis_offline.php' ) && !isset( $_GET['mbadmin'] ) )
    
    This usage is safe because nothing is ever done with $_GET['mbadmin'].
    It may be the case that the user's customised version of
    mantis_offline.php was incorrectly dumping the value of $_GET['mbadmin']
    to the screen. The default/sample mantis_offline.php has been checked
    and does not print any dynamically created strings/user supplied values.
    
    Conflicts:
    	core/filter_api.php
    davidhicks committed Aug 18, 2011
Commits on Aug 16, 2011
  1. Merge pull request #10 from MarcinKleczek/master

    Replace require_once call with require_api in bug_actiongroup.php
    davidhicks committed Aug 16, 2011
Commits on Aug 15, 2011
  1. Changed require_once to required_api for bug_api.php

    Marcin Kłeczek committed Aug 15, 2011
Commits on Aug 10, 2011
  1. Fix #13228: SQL error in bugnote_api.php with PostgreSQL

    ERROR: column "u.realname" must appear in the GROUP BY clause or be used in an aggregate function
    
    Bug was introduced in release 1.2.6, commit c4c0a01.
    A new column was added to 2 SQL statements' SELECT clause, but the GROUP BY
    was not updated to match.
    
    This passed testing, as MySQL is more (too?) permissive and allows the SELECT
    clause to refer to ungrouped columns that are not in aggregate functions.
    
    This commit also removes unnecessary "u.id" column from the group by clause.
    dregad committed Aug 10, 2011
Commits on Aug 9, 2011
  1. Fix #13226: Installation check should verify that default file upload path has trailing /

    Add config option absolute_path_default_upload_folder to the list of paths to
    validate in check_paths_inc.php
    dregad committed Aug 9, 2011
  2. Fix #13225: Inconsistent handling of project file upload path

    Create a new function in project api to handle the file path validation and
    move the code comparing project file path check vs default path currently in
    manage_proj_create.php into the new function.
    
    The function is called from both project_create and project_update to ensure
    consistent behavior.
    dregad committed Aug 9, 2011
Commits on Aug 5, 2011
  1. Fixes #13190: View page doesn't honor view_handler_threshold threshold.

    - Follow fix to add missing parameter in API call.
    vboctor committed Aug 5, 2011
Commits on Jul 31, 2011
  1. Fix #13193 : Files served by plugins do not have a Content-Type header set

    Conflicts:
    	config_defaults_inc.php
    rombert committed Jul 31, 2011
  2. Fixes #13190: View page doesn't honor view_handler_threshold threshold.

    The issue handler shows up in the following areas:
    - The 'assigned to' field.
    - The issue history.
    vboctor committed Jul 31, 2011
Commits on Jul 28, 2011
  1. 12759: Error loading language string when plugin is not current

    Signed-off-by: Damien Regad <damien.regad@merckgroup.com>
    sveyret committed with dregad Feb 10, 2011
Commits on Jul 26, 2011
  1. Bug cloning: allow copying of notes and attachments from parent bug

    Fixes #13167 : Clone task: allow copying of notes
    Fixes #10367 : Moving attachments while cloning issue
    rombert committed Jul 24, 2011
  2. Extract attachment copy logic into file_copy_attachments

    Affects #13166 : Clone task: allow copying of attachments
    rombert committed Jul 21, 2011
  3. Bugnote API: allow skipping of history event logging when adding notes

    Affects #13167: Clone task: allow copying of notes
    rombert committed Jul 21, 2011
  4. Fix #11282: Oracle error ORA-00918 column ambiguously defined

    Filter API does a SELECT DISTINCT $t_bug_table.*; before this patch the fields
    list also included 2 additional columns; MySQL had no problem with that, but
    Oracle gave the above-mentioned error.
    dregad committed Jul 26, 2011
Commits on Jul 25, 2011
  1. Fix #13171: Resetting columns config in My Account asks for reauthentication

    Since this is an end-user function, reauthentication should not be required
    dregad committed Jul 25, 2011
  2. Complete rewrite of LDAP authentication section in Admin guide

    The information in this section did not really provide useful information to
    the administrator
    dregad committed Jul 25, 2011
  3. Documentation update following #13163

    Updated documentation about the password length limitation.
    
    Modified layout slightly and made it more obvious that some authentication
    methods are deprecated; changed some wording.
    
    Updated comment in config_defaults_inc.php about possibility
    to change $g_login_method at will, to reflect documentation
    (and reality).
    dregad committed Jul 25, 2011
  4. Renaming the db field length constants

    USERLEN ==> DB_FIELD_SIZE_USERNAME
    REALLEN ==> DB_FIELD_SIZE_REALNAME
    PASSLEN ==> DB_FIELD_SIZE_PASSWORD
    dregad committed Jul 25, 2011
  5. Fix #13163: Remove limitation on password length with MD5 authentication

    A new function auth_get_password_max_size was added in authentication_api.php,
    to return the maximum length of the password, taking the login method into
    consideration: limited to the database field size (PASSLEN) for PLAIN and
    BASIC_AUTH, or to new constant MAX_PASSWORD_SIZE for other, hash-based methods.
    
    The return value is used to define the maxlength attribute of all the password
    fields.
    
    This commit is a manual port to master of the changes in commits 4664aeb,
    9c7fffb, 5d527ef and b2c1c1e
    dregad committed Jul 21, 2011
Commits on Jul 22, 2011
  1. Fix #13168: wide legend causes resized issue boxes to shift off-screen

    When many statuses are defined in Mantis, the legend box becomes very wide, which
    causes the issue boxes in my_view_page.php to become much wider and be shifted
    off-screen to the right.
    
    This commit moves the display of the legend box outside of the main table to
    avoid the problem
    dregad committed Jul 22, 2011
Commits on Jul 19, 2011
  1. Remove old comment regarding a bug fixed in jQuery 1.6

    The .prop() method in jQuery 1.6 solves an issue that MantisBT used to
    face with checkboxes when the MIME type was application/xhtml+xml.
    
    See http://bugs.jquery.com/ticket/4283 for more information.
    davidhicks committed Jul 19, 2011