Changesets: MantisBT
master-2.28 9e8409cd 2026-05-06 19:27
Merge branch 'sec-37011-xss_font_family' into release/2.28.2

  mod - account_prefs_update.php
  mod - core/helper_api.php
  mod - core/layout_api.php
  mod - core/print_api.php
  mod - login.php
  mod - login_page.php
  mod - login_password_page.php

master 5b9a0155 2026-05-05 11:46 Committer: community
Revise SECURITY.md for clarity and updates

Updated security guidelines to clarify support status and reporting process.

  mod - SECURITY.md

master 36044d26 2026-05-05 03:54 Committer: community
Add a cache for tokens retrieved from the database

A cache of tokens retrieved from the database has been added as a new global variable, $g_cache_token. The chosen cache format simplifies the process of obtaining a token and storing it in the cache, but makes it more complicated to verify the token ID; however, in practice, this does not reduce the cache's efficiency due to the optimal order of function calls in MantisBT. In addition, the code explicitly casts token identifiers to integers throughout.

Fixes 0037098, https://github.com/mantisbt/mantisbt/pull/2210

Affected Issues 0037098

  mod - core/tokens_api.php
  add - tests/Mantis/TokensApiTest.php

master 898d8680 2026-05-04 11:38 Committer: community
Fix debug log backtrace for Windows

Absolute paths and problematic path separators have been removed, since function and file names are already sufficiently unique, and the location of MantisBT files can be changed via the configuration. The text has also been formatted consistently.

Fixes 0037097, PR https://github.com/mantisbt/mantisbt/pull/2209

Affected Issues 0037097

  mod - core/logging_api.php

master f6265407 2026-05-04 08:05 translatewiki.net
Localisation updates from https://translatewiki.net. [skip ci]

  mod - lang/strings_russian.txt
  mod - lang/strings_turkish.txt

master-2.28 26647b2e 2026-05-03 13:46
Restrict MIME type for file downloads

Until now, file_download.php was sending attachments content with a MIME type determined by PHP's Fileinfo [1]. This creates a risk of JavaScript execution bypassing the Content Security Policy.

We now only set the Content-Type header for known safe types (e.g. PDF and images), all text types are forced to text/plain and the rest is sent as application/octet-stream.

Includes corrections following review by vboctor.

Fixes 0037016, GHSA-9c3j-xm6v-j7j3 / CVE-2026-40597

[1]: https://www.php.net/manual/en/book.fileinfo.php

Affected Issues 0037016, 0037020

  mod - file_download.php

master-2.28 5cb4b469 2026-05-03 13:00
Fix XSS on move_attachments_page.php

Proper escaping of Project Name prevents HTML injection.

Fixes 0037099, GHSA-7mqj-8gj2-cg59

Affected Issues 0037099

  mod - admin/move_attachments_page.php

master 107a02dd 2026-05-03 12:51
Do not display projects without attachments

Fixes 0037100

Affected Issues 0037100

  mod - admin/move_attachments_page.php

master a0d8d46a 2026-05-02 19:26
Fix static analysis warnings

  mod - bug_revision_view_page.php
  mod - core/access_api.php

master-2.28 955cb50f 2026-05-02 07:01
Fix Private Bugnote Attachment Leak via SOAP API

Incomplete access checks in mci_file_can_download_bug_attachments() resulted in unauthorized access to attachments. The function has been removed and replaced by calls to standard file API functions file_can_download_bug_attachments() and file_can_download_bugnote_attachments().

Fixes 0036985, GHSA-pw5x-2mf9-3xc8 / CVE-2026-42071

Affected Issues 0036985

  mod - api/soap/mc_file_api.php

master de8960cf 2026-05-02 06:53
Fix PHPDoc and static analysis warnings

  mod - api/soap/mc_file_api.php
  mod - api/soap/mc_issue_attachment_api.php
  mod - core/file_api.php

master-2.28 5b7f5bc9 2026-05-02 06:29
Fix Private Bugnote Attachment Leak via REST API

Add missing $p_bugnote_id argument to file_can_view_or_download() call in file_can_view_bugnote_attachments. This fixes the incorrect access check that was giving undue access to private attachments.

Fixes 0036985, GHSA-pw5x-2mf9-3xc8 / CVE-2026-42071

Affected Issues 0036985

  mod - core/file_api.php

master-2.28 77d25d37 2026-05-02 06:25
Add $p_bug_id parameter

file_can_download_bugnote_attachments() function's callers usually already know the bug id. This avoids an unnecessary bugnote_get_field() call.

Issue 0036985

Affected Issues 0036985

  mod - core/file_api.php
  mod - file_download.php

master 2aa73e38 2026-04-30 08:08 translatewiki.net
Localisation updates from https://translatewiki.net. [skip ci]

  mod - lang/strings_belarusian_tarask.txt
  mod - lang/strings_dutch.txt

master b36230fd 2026-04-27 08:09 translatewiki.net
Localisation updates from https://translatewiki.net. [skip ci]

  mod - lang/strings_korean.txt
  mod - lang/strings_russian.txt
  mod - lang/strings_swedish.txt
  mod - plugins/MantisCoreFormatting/lang/strings_swedish.txt

master 3250b6d3 2026-04-23 08:09 translatewiki.net
Localisation updates from https://translatewiki.net. [skip ci]

  mod - lang/strings_belarusian_tarask.txt

master c7a96d3a 2026-04-23 01:35 Committer: community
Merge pull request #2205 from vboctor/issue37012_use_user_delete_cmd

Fix REST API user self deletion + update web UI to use REST API

Fixes 0037012

Affected Issues 0037012

  mod - account_delete.php
  mod - core/commands/UserDeleteCommand.php
  mod - tests/rest/RestUserTest.php

master 4127677b 2026-04-23 01:28 Committer: community
Merge pull request #2204 from vboctor/issue37008_summary_length

Fix API error when summary is too long

Fixes 0037008

Affected Issues 0037008

  mod - core/bug_api.php
  mod - core/constant_inc.php
  mod - tests/rest/RestIssueTest.php
  mod - tests/soap/IssueAddTest.php
  mod - tests/soap/IssueUpdateTest.php

master 13bfed65 2026-04-21 09:07 Committer: community
Remove $g_cookie_secure_flag_enabled global var

With the introduction of http_is_https_protocol() function [1], this global variable is not really needed anymore, as we can simply call the function whenever we need to set a cookie's secure flag.

Fixes 0037007 (PR https://github.com/mantisbt/mantisbt/pull/2202)

[1]: see commit f39ad8c9816fefd36747630d25b7355265eaacc5

Affected Issues 0037007

  mod - core/gpc_api.php
  mod - core/session_api.php

master 2ec47824 2026-04-20 08:10 translatewiki.net
Localisation updates from https://translatewiki.net. [skip ci]

  mod - plugins/MantisGraph/lang/strings_korean.txt

master-2.28 86accbca 2026-04-19 11:01
Cannot grant an access level higher than one's own

When adding a user to a project, the ProjectUsersAddCommand failed to check that the target access level was lower or equal to the user's own, allowing privilege escalation.

Fixes 0037002, GHSA-7xhr-fg7m-j7c7

Co-authored-by: Vishal Shukla <shukla304@gmail.com>

Affected Issues 0037002

  mod - core/commands/ProjectUsersAddCommand.php

master-2.28 c885af13 2026-04-19 10:35
Fix XSS in return_dynamic_filters.php

Prevent reflected XSS with TEXTAREA custom fields using a crafted filter_target parameter by validating user input and proper escaping.

Fixes 0037013, GHSA-j7v9-f46r-2rp4

Affected Issues 0037013

  mod - core/date_api.php
  mod - core/filter_form_api.php
  mod - return_dynamic_filters.php

master-2.28 3439497c 2026-04-19 06:20
Escape $p_name in print_date_selection_set()

  mod - core/date_api.php

master-2.28 de176a33 2026-04-19 06:18
Refactor print_date_selection_set()

Reduce code duplication and simplify logic

  mod - core/date_api.php

master-2.28 d09e5c29 2026-04-19 06:04
Escape $p_field_id in print_filter_custom_field()

  mod - core/filter_form_api.php