Changesets: MantisBT

master-2.4 38c0bf3c

2017-05-25 10:05:02

epenet


Committer: vboctor Details Diff
Honor logout redirect page set by auth plugins

Fixes 0022923
mod - logout_page.php Diff File

master 9af8fe37

2017-05-25 09:45:54

atrol

Details Diff
Correct display of footer if time tracking is enabled

Fixes 0022925
mod - bugnote_stats_inc.php Diff File

master 13a7de43

2017-05-22 06:09:38

dregad

Details Diff
Merge remote-tracking branch 'origin/master-2.4'

Conflicts:
core/constant_inc.php
mod - core/cfdefs/cfdef_standard.php Diff File
mod - core/classes/MantisColumn.class.php Diff File
mod - core/csv_api.php Diff File
mod - core/custom_field_api.php Diff File
mod - core/excel_api.php Diff File
mod - csv_export.php Diff File
mod - docbook/Admin_Guide/en-US/Revision_History.xml Diff File
mod - docbook/Developers_Guide/en-US/Revision_History.xml Diff File
mod - excel_xml_export.php Diff File

master 6f7ea152

2017-05-21 03:54:51

translatewiki.net

Details Diff
Localisation updates from https://translatewiki.net.
mod - lang/strings_dutch.txt Diff File
mod - lang/strings_hungarian.txt Diff File
mod - plugins/MantisCoreFormatting/lang/strings_hungarian.txt Diff File
mod - plugins/MantisGraph/lang/strings_hungarian.txt Diff File

master 0602b9f3

2017-05-20 17:03:50

vboctor

Details Diff
Update Slim framework from 3.7.0 to 3.8.1

Fixes 0022809
mod - composer.lock Diff File

master-2.3 990c773b

2017-05-20 15:18:22

vboctor

Details Diff
Bump version to 2.3.3
mod - core/constant_inc.php Diff File
mod - docbook/Admin_Guide/en-US/Revision_History.xml Diff File
mod - docbook/Developers_Guide/en-US/Revision_History.xml Diff File

master-2.4 609e2522

2017-05-20 14:45:53

vboctor

Details Diff
Bump version to 2.4.1
mod - core/constant_inc.php Diff File
mod - docbook/Admin_Guide/en-US/Revision_History.xml Diff File
mod - docbook/Developers_Guide/en-US/Revision_History.xml Diff File

master-1.3.x b78fd043

2017-05-20 14:43:14

vboctor

Details Diff
Bump version to 1.3.11
mod - core/constant_inc.php Diff File
mod - docbook/Admin_Guide/en-US/Revision_History.xml Diff File
mod - docbook/Developers_Guide/en-US/Revision_History.xml Diff File

master 11ab5edc

2017-05-20 09:36:27

dregad

Details Diff
Merge remote-tracking branch 'origin/master-2.4'
mod - core/bugnote_api.php Diff File

master 33e1230b

2017-05-20 08:16:56

MS-Astra


Committer: dregad Details Diff
Fix moving issues with attachments

Issues with attachments cannot be moved between projects with different
upload directories when files are stored in file system.

Add missing parameters to db_query() call in file_move_bug_attachments().

Fixes 0021994
mod - core/file_api.php Diff File

master 486e1a7e

2017-05-20 05:57:34

dregad

Details Diff
Only append query string to return URL when not blank

The target URL for the 'Login' button in the breadcrumbs div had a
trailing '?' due to appending QUERY_STRING even when no query params
are defined.

Adding a check to only add it when QUERY_STRING is not blank fixes the
problem.

Fixes 0022905
mod - core/layout_api.php Diff File

master 0562a516

2017-05-20 05:34:34

dregad

Details Diff
Merge branch 'i22702-csrf'
mod - core/filter_api.php Diff File
mod - core/string_api.php Diff File
mod - permalink_page.php Diff File
mod - tests/Mantis/StringTest.php Diff File

master 2d541e98

2017-05-20 04:59:17

translatewiki.net

Details Diff
Localisation updates from https://translatewiki.net.
mod - lang/strings_bulgarian.txt Diff File
mod - lang/strings_chinese_simplified.txt Diff File
mod - lang/strings_german.txt Diff File
mod - lang/strings_russian.txt Diff File

master-2.4 2d2309a3

2017-05-19 11:48:57

dregad

Details Diff
Fix CSRF vulnerability in permalink_page.php

John Page aka hyp3rlinx / ApparitionSec http://hyp3rlinx.altervista.org
reported a CSRF vulnerability in permalink_page.php, allowing an
attacker to inject arbitrary links (CVE-2017-7620).

Backporting from master branch:
- Add form security token to prevent such injection
0d11077d40c5dfdb76efdad9ba2b455af5be25a0
- Encode '\' in string_sanitize_url()
7b23377c573817c5fe8b522e8c33de8b1caff179

Fixes 0022702, 0022816
mod - core/filter_api.php Diff File
mod - core/string_api.php Diff File
mod - permalink_page.php Diff File
mod - tests/Mantis/StringTest.php Diff File

master-2.3 8b6787c8

2017-05-19 11:48:57

dregad

Details Diff
Fix CSRF vulnerability in permalink_page.php

John Page aka hyp3rlinx / ApparitionSec http://hyp3rlinx.altervista.org
reported a CSRF vulnerability in permalink_page.php, allowing an
attacker to inject arbitrary links (CVE-2017-7620).

Backporting from master branch:
- Add form security token to prevent such injection
0d11077d40c5dfdb76efdad9ba2b455af5be25a0
- Encode '\' in string_sanitize_url()
7b23377c573817c5fe8b522e8c33de8b1caff179

Fixes 0022702, 0022816
mod - core/filter_api.php Diff File
mod - core/string_api.php Diff File
mod - permalink_page.php Diff File
mod - tests/Mantis/StringTest.php Diff File

master-1.3.x c4f50e5d

2017-05-19 11:48:57

dregad

Details Diff
Fix CSRF vulnerability in permalink_page.php

John Page aka hyp3rlinx / ApparitionSec http://hyp3rlinx.altervista.org
reported a CSRF vulnerability in permalink_page.php, allowing an
attacker to inject arbitrary links (CVE-2017-7620).

Backporting from master branch:
- Add form security token to prevent such injection (code changed from
original commit) 0d11077d40c5dfdb76efdad9ba2b455af5be25a0
- Encode '\' in string_sanitize_url()
7b23377c573817c5fe8b522e8c33de8b1caff179

Fixes 0022702, 0022816
mod - core/filter_api.php Diff File
mod - core/string_api.php Diff File
mod - permalink_page.php Diff File
mod - tests/Mantis/StringTest.php Diff File

master c0903f25

2017-05-15 07:55:00

dregad

Details Diff
Fix 0022868: typo in variable name
mod - core/html_api.php Diff File

master 06e76774

2017-05-15 04:33:39

dregad

Details Diff
Improve db_fetch_array performance

Improve db_fetch_array performance by caching the result from:
- db_is_pgsql()
- db_is_oracle()

Based on profiling, the repeated calls were using up to 20% of total
time for the db_fetch_array execution.

Fixes 0021871, PR https://github.com/mantisbt/mantisbt/pull/1105
mod - core/constant_inc.php Diff File
mod - core/database_api.php Diff File

master-2.4 a64a0d22

2017-05-15 00:32:02

vboctor

Details Diff
Fixes markdown formatting for notes column

The 3 dashes marked the notes above it as a markdown header. Fix is to use `=-=` instead.

Fixes 0022867
mod - core/bugnote_api.php Diff File

master-2.4 8dad4e18

2017-05-14 23:43:55

vboctor

Details Diff
Fix CSV and Excel export when markdown is enabled

The output for CSV and Excel included paragraph html tags which polluted
the output and corrupted Excel output when there are numeric custom fields.

This was caused by calling html processing when getting the value of custom fields.

The fix is to have the retrieval of custom field values not process it for any output
and have the calling code do the appropriate processing. The code also now does
processing based on the custom field type rather than treating types all as string.

Fixes 0022428
mod - core/cfdefs/cfdef_standard.php Diff File
mod - core/classes/MantisColumn.class.php Diff File
mod - core/csv_api.php Diff File
mod - core/custom_field_api.php Diff File
mod - core/excel_api.php Diff File
mod - csv_export.php Diff File
mod - excel_xml_export.php Diff File

master 241ff4eb

2017-05-13 18:53:15

dregad

Details Diff
Add test for '\' encoding in string_sanitize_url()

Issue 0022702
mod - tests/Mantis/StringTest.php Diff File

master f6644090

2017-05-13 18:47:13

dregad

Details Diff
Encode '\' in string_sanitize_url()

As an extra safety measure following up on the fix for CVE-2017-7620, we
encode the backslashes in the 'script' part of the URL to ensure that
the sanitized URL is treated as a path relative to MantisBT root and not
a link to an external site if the URL begins with an escaped `/`.

This reduces the risk of someone being able to use the same attack
vector in another page.

Fixes 0022702, 0022816
mod - core/string_api.php Diff File

master f21b56fa

2017-05-13 18:45:04

dregad

Details Diff
Add form security token to permalink_page.php

John Page aka hyp3rlinx / ApparitionSec http://hyp3rlinx.altervista.org
reported a CSRF vulnerability in permalink_page.php, allowing an
attacker to inject arbitrary links (CVE-2017-7620).

The security token prevents such injection.

Fixes 0022702
mod - core/filter_api.php Diff File
mod - permalink_page.php Diff File

master b0b56c82

2017-05-13 18:11:53

dregad

Details Diff
Fix system notice on login page with BASIC_AUTH

Undefined index: REMOTE_USER in authentication_api.php line 337

Fixes 0022865
mod - core/authentication_api.php Diff File

master cbdf5661

2017-05-13 17:59:08

dregad

Details Diff
Fix .mailmap for Carlos
mod - .mailmap Diff File