Changesets: MantisBT
|
master-2.28 5fec0f44 2026-04-08 04:49 Details Diff |
Escape textarea custom field for display Prevents HTML injection / XSS in bug_update_page.php. Fixes 0037003, GHSA-qj6w-v29q-4rgx Co-authored-by: Nozomu Sasaki <nzm117ssk@gmail.com> |
Affected Issues 0037003 |
|
| mod - core/cfdefs/cfdef_standard.php | Diff File | ||
|
master-2.28 2ec1b106 2026-04-07 12:02 Details Diff |
Revert use of string_url() in http_api.php Requiring string_api.php was causing a circular inclusion pattern of the core APIs, resulting in rejection of Secure Cookies by the browser. Partial revert of commit 5393a5663d33a0060d13ee0d4517bb701ddac40d. Fixes 0036819 |
Affected Issues 0036819 |
|
| mod - core/http_api.php | Diff File | ||
|
master-2.28 e6be7c24 2026-04-06 08:26 Details Diff |
Check user id validity early in verify.php It makes no sense to attempt login if the user does not exist. Minor optimization: make use of extracted $u_username variable instead of calling user_get_username(). Fixes 0037006 |
Affected Issues 0037006 |
|
| mod - verify.php | Diff File | ||
|
master-2.28 e2d7dcda 2026-04-06 08:19 Details Diff |
Fix record not found check in user_cache_row() Using empty() instead of !isset(), so both false and null trigger the exception. Regression from 2cee661cbdf9bf607a75586b8376f74675c924af. Fixes 0037005 |
Affected Issues 0037005 |
|
| mod - core/user_api.php | Diff File | ||
|
master f4795e18 2026-04-06 08:08 translatewiki.net Details Diff |
Localisation updates from https://translatewiki.net. [skip ci] | ||
| mod - lang/strings_ukrainian.txt | Diff File | ||
| mod - plugins/MantisCoreFormatting/lang/strings_ukrainian.txt | Diff File | ||
|
master 70bfd6ae 2026-04-06 07:45 Details Diff |
PHPDoc | ||
| mod - core/access_api.php | Diff File | ||
|
master bf3b3641 2026-04-04 06:02 Committer: dregad Details Diff |
Deleting a user now deletes its filters Fixes 0037004 |
Affected Issues 0037004 |
|
| mod - core/filter_api.php | Diff File | ||
| mod - core/user_api.php | Diff File | ||
|
master-2.28 b8d84f3c 2026-04-04 05:40 Committer: dregad Details Diff |
Fix intermittent error when deleting user from project Fixes 0032998, PR https://github.com/mantisbt/mantisbt/pull/2199 |
Affected Issues 0032998 |
|
| mod - core/commands/ProjectUsersDeleteCommand.php | Diff File | ||
|
master 9fc59f7e 2026-03-31 13:38 Details Diff |
Fix static analysis warnings | ||
| mod - bug_revision_view_page.php | Diff File | ||
| mod - core/access_api.php | Diff File | ||
|
master-2.28 b262b4d2 2026-03-30 13:32 Details Diff |
Prevent unauthorized attachment upload via REST file_allow_project_upload() has been modified to check access for upload_bug_file_threshold against - project for new issues - bug for existing issues Fixes 0036976, GHSA-h4x5-gvx6-3rwc |
Affected Issues 0036976 |
|
| mod - core/file_api.php | Diff File | ||
|
master 09671193 2026-03-30 12:05 Details Diff |
Fix static analysis warnings, whitespace, PHPDoc | ||
| mod - core/commands/IssueFileAddCommand.php | Diff File | ||
|
master-2.28 de7bdeec 2026-03-30 11:42 Details Diff |
Prevent access to private issues' file attachments Adding access checks ensuring that the user is allowed to view the attachments' parent issue, before listing or downloading them: - file_can_view_or_download() function - IssueFileGetCommand::validate() method Fixes 0036977, GHSA-rmp5-5jj7-gmvf |
Affected Issues 0036977 |
|
| mod - core/commands/IssueFileGetCommand.php | Diff File | ||
| mod - core/file_api.php | Diff File | ||
|
master 965df5ed 2026-03-30 10:48 Details Diff |
Fix static analysis warnings | ||
| mod - api/rest/restcore/issues_rest.php | Diff File | ||
| mod - core/commands/IssueFileGetCommand.php | Diff File | ||
| mod - file_download.php | Diff File | ||
|
master d400614c 2026-03-30 10:46 Details Diff |
Code cleanup: merge if statement The following switch is based on the exact same condition. |
||
| mod - file_download.php | Diff File | ||
|
master 209f5d33 2026-03-30 10:43 Details Diff |
Code cleanup: remove unnecessary variables | ||
| mod - core/file_api.php | Diff File | ||
|
master 12a20c13 2026-03-30 08:10 translatewiki.net Details Diff |
Localisation updates from https://translatewiki.net. [skip ci] | ||
| mod - lang/strings_ukrainian.txt | Diff File | ||
|
master-2.28 0a93267d 2026-03-28 14:16 Details Diff |
Only let users monitor private issues they can access Fixes an information disclosure vulnerability, which was introduced by the fix for issue 0033404. MonitorAddCommand now checks for monitor_bug_threshold differently, depending on whether the user is adding themselves (bug-level check) or someone lese (project-level check). Fixes 0036975 |
Affected Issues 0033404, 0036975 |
|
| mod - core/commands/MonitorAddCommand.php | Diff File | ||
|
master 6754a8b2 2026-03-28 12:59 Details Diff |
Fix static analysis warnings Refactoring the label for profile_id as PHPStorm's inspection does not detect it when it is injected via echo statements. |
||
| mod - bug_report_page.php | Diff File | ||
|
master-2.28 df22697a 2026-03-28 12:46 Details Diff |
Escape Project name in bug_report_page.php Prevents XSS in Clone context (i.e. if m_id parameter is provided) when the current project is different from the master issue's. Fixes 0036986, GHSA-fvjf-68wh-rwp2 |
Affected Issues 0036986 |
|
| mod - bug_report_page.php | Diff File | ||
|
master-2.28 69e0180f 2026-03-27 13:53 Details Diff |
Fix privilege escalation in ProjectUsersAddCommand Prevents MANAGER users from upgrading themselves or other users to project-level ADMINISTRATOR. Fixes 0036995 |
Affected Issues 0036995 |
|
| mod - core/commands/ProjectUsersAddCommand.php | Diff File | ||
|
master 6468c95d 2026-03-27 13:49 Details Diff |
Fix spelling [skip ci] | ||
| mod - manage_proj_user_update.php | Diff File | ||
|
master 1b1a3133 2026-03-23 08:47 Details Diff |
Merge branch 'master-2.28' | ||
| mod - core/csv_api.php | Diff File | ||
|
master 95855d53 2026-03-23 08:31 Details Diff |
Merge branch 'master-2.28' # Conflicts: # api/rest/mantisbt_openapi.yaml # core/constant_inc.php |
||
| mod - view_filters_page.php | Diff File | ||
|
master-2.28 996e4697 2026-03-23 08:26 Details Diff |
Fix duplicated page layout in view_filters_page.php Issuing page layout too early causes header and sidebar duplication when calling access_denied(), if the filter does not exist or is not accessible. Fixes 0036990 |
Affected Issues 0036990 |
|
| mod - view_filters_page.php | Diff File | ||
|
master 2674500b 2026-03-23 08:08 translatewiki.net Details Diff |
Localisation updates from https://translatewiki.net. [skip ci] | ||
| mod - lang/strings_belarusian_tarask.txt | Diff File | ||
| mod - plugins/MantisCoreFormatting/lang/strings_belarusian_tarask.txt | Diff File | ||
