Changesets: MantisBT

master 5ceb96b2

2024-03-02 07:23

dregad


Details Diff
Merge branch 'master-2.26'
mod - core/timeline_inc.php Diff File

master 7b9ee439

2024-03-02 07:12

dregad


Details Diff
Removed unused TIMELINE_* constants

Those were added back in 2008 (6bc681fa2ae103998724ecb2b837036ee6e35f95)
for an API that was never finalized, and finally removed in 2009, see
commit b3c834c8ad621f087f9cd1113981848a9eff181d.
mod - core/constant_inc.php Diff File

master 2eeeb42b

2024-03-02 07:06

dregad


Details Diff
Protect timeline_inc.php with a constant

Make sure it can't be accessed directly.

Fixes 0033914
Affected Issues
0033914
mod - my_view_page.php Diff File
mod - timeline_inc.php Diff File
mod - view_user_page.php Diff File

master 834eba1a

2024-03-02 07:00

dregad


Details Diff
Moving timeline_inc.php from core to root

Consistency update. Historically, includes containing markup are stored
with the scripts using them (see bug_view_inc.php for example).

Fixes 0033914
Affected Issues
0033914
mod - my_view_page.php Diff File
mv - core/timeline_inc.php → timeline_inc.php Diff File
mod - view_user_page.php Diff File

master-2.26 bff76ed9

2024-03-02 06:56

dregad


Details Diff
Remove inclusion of core.php in timeline_inc.php

By definition an include file is part of a main script, which will
always include core.php, so it's not necessary to reference it again
in the include.

This actually caused an error on a user's system (PHP 8.2 on IIS). The
problem could not be reproduced, but an easy fix is to remove the
useless require_once.

Fixes 0033906
Affected Issues
0033906
mod - core/timeline_inc.php Diff File

master ef3d11b5

2024-02-29 07:08

translatewiki.net


Details Diff
Localisation updates from https://translatewiki.net. [skip ci]
mod - lang/strings_hungarian.txt Diff File
mod - lang/strings_korean.txt Diff File
mod - plugins/MantisGraph/lang/strings_korean.txt Diff File

master 2c322b00

2024-02-26 07:09

translatewiki.net


Details Diff
Localisation updates from https://translatewiki.net. [skip ci]
mod - lang/strings_breton.txt Diff File
mod - lang/strings_chinese_traditional.txt Diff File
mod - lang/strings_hebrew.txt Diff File
mod - lang/strings_hungarian.txt Diff File
mod - lang/strings_interlingua.txt Diff File
mod - lang/strings_serbian.txt Diff File
mod - lang/strings_slovene.txt Diff File
mod - plugins/MantisGraph/lang/strings_hungarian.txt Diff File

master cc2b4297

2024-02-26 02:20

dependabot[bot]

Committer: community


Details Diff
Bump phpunit/phpunit from 9.6.16 to 9.6.17 (0001973)

Bumps [phpunit/phpunit](https://github.com/sebastianbergmann/phpunit) from 9.6.16 to 9.6.17.
- [Changelog](https://github.com/sebastianbergmann/phpunit/blob/9.6.17/ChangeLog-9.6.md)
- [Commits](https://github.com/sebastianbergmann/phpunit/compare/9.6.16...9.6.17)

---
updated-dependencies:
- dependency-name: phpunit/phpunit
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Fixes 0033098, PR https://github.com/mantisbt/mantisbt/pull/1973

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Affected Issues
0033098
mod - composer.lock Diff File

dependabot/composer/phpunit/phpunit-9.6.17 99c377d0

2024-02-25 20:50

dependabot[bot]

Committer: community


Details Diff
Bump phpunit/phpunit from 9.6.16 to 9.6.17

Bumps [phpunit/phpunit](https://github.com/sebastianbergmann/phpunit) from 9.6.16 to 9.6.17.
- [Changelog](https://github.com/sebastianbergmann/phpunit/blob/9.6.17/ChangeLog-9.6.md)
- [Commits](https://github.com/sebastianbergmann/phpunit/compare/9.6.16...9.6.17)

---
updated-dependencies:
- dependency-name: phpunit/phpunit
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
mod - composer.lock Diff File

master d5c4c30a

2024-02-22 10:24

dregad


Details Diff
Move buttons to Edit User section footer

Until now, Reset Password, Delete User and Impersonate User buttons were
displayed between the Edit User and Add user to project sections.

This was dictated by legacy HTML limitation where it was not possible to
have multiple buttons in a single form with different submit actions.

With HTML5 we can leverage the formaction attribute, and move the
buttons into the Edit User section's footer for a cleaner UI.

Fixes 0033842
Affected Issues
0033842
mod - manage_user_delete.php Diff File
mod - manage_user_edit_page.php Diff File
mod - manage_user_reset.php Diff File

master 88f9ca34

2024-02-22 07:09

translatewiki.net


Details Diff
Localisation updates from https://translatewiki.net. [skip ci]
mod - lang/strings_finnish.txt Diff File
mod - lang/strings_hebrew.txt Diff File
mod - lang/strings_hungarian.txt Diff File
mod - lang/strings_italian.txt Diff File
mod - lang/strings_macedonian.txt Diff File
mod - lang/strings_portuguese_standard.txt Diff File
mod - plugins/MantisGraph/lang/strings_galician.txt Diff File
mod - plugins/MantisGraph/lang/strings_hebrew.txt Diff File

master 658e3a64

2024-02-22 05:22

dregad


Details Diff
Upgrade to PHPUnit 9.6

- Update minimum version in composer.json
- Minor adjustments to the test suite, fixing deprecation warnings.

Fixes 0033098, PR https://github.com/mantisbt/mantisbt/pull/1936
Affected Issues
0033098
mod - composer.json Diff File
mod - composer.lock Diff File
mod - core/helper_api.php Diff File
mod - tests/Mantis/ConfigParserTest.php Diff File
mod - tests/Mantis/HelperTest.php Diff File
mv - tests/Mantis/EnumTest.php → tests/Mantis/MantisEnumTest.php Diff File
mod - tests/Mantis/PluginTest.php Diff File
mod - tests/Mantis/PrepareTest.php Diff File
mod - tests/Mantis/StringTest.php Diff File
mv - tests/Mantis/UserTest.php → tests/Mantis/UserApiTest.php Diff File
mod - tests/rest/RestImpersonateUserTest.php Diff File
mod - tests/rest/RestUserTest.php Diff File
mod - tests/soap/AttachmentTest.php Diff File
mod - tests/soap/FilterTest.php Diff File
mod - tests/soap/LoginTest.php Diff File
mod - tests/soap/RelationshipTest.php Diff File

master 7e76c6b7

2024-02-21 18:37

dregad


Details Diff
Fix assertObjectHasAttribute() is deprecated

Replace usage by assertObjectHasProperty().

Same thing for assertObjectNotHasAttribute(), replaced by
assertObjectNotHasProperty()
mod - tests/soap/FilterTest.php Diff File
mod - tests/soap/RelationshipTest.php Diff File

master 7d187adc

2024-02-21 18:33

dregad


Details Diff
Fix assertRegExp() is deprecated

Replace usage by assertMatchesRegularExpression().
mod - tests/soap/AttachmentTest.php Diff File
mod - tests/soap/LoginTest.php Diff File

master 981d8d99

2024-02-21 18:23

dregad


Details Diff
Fix Expecting E_ERROR and E_USER_ERROR is deprecated

Expecting E_ERROR and E_USER_ERROR is deprecated and will no longer be
possible in PHPUnit 10.

helper_array_transpose() now throws a ClientException instead of calling
trigger_error() when detecting a non-bidimensional array.

Adapt HelperTest::testArrayTransposeInvalid() to handle the exception
instead of E_USER_ERROR.
mod - core/helper_api.php Diff File
mod - tests/Mantis/HelperTest.php Diff File

master ee5194fe

2024-02-21 17:48

dregad


Details Diff
Fix PHPUnit deprecation warnings

- Abstract test case classes with "Test" suffix are deprecated
- Test case class not matching filename is deprecated
mod - tests/Mantis/ConfigParserTest.php Diff File
mod - tests/Mantis/HelperTest.php Diff File
mv - tests/Mantis/EnumTest.php → tests/Mantis/MantisEnumTest.php Diff File
mod - tests/Mantis/PluginTest.php Diff File
mod - tests/Mantis/PrepareTest.php Diff File
mod - tests/Mantis/StringTest.php Diff File
mv - tests/Mantis/UserTest.php → tests/Mantis/UserApiTest.php Diff File
mod - tests/rest/RestImpersonateUserTest.php Diff File
mod - tests/rest/RestUserTest.php Diff File

master e238195e

2024-02-21 17:05

dregad


Details Diff
Composer update

Running `composer update -W phpunit/phpunit`

- Removing phpunit/php-token-stream (4.0.4)
- Upgrading sebastian/version (2.0.1 => 3.0.2)
- Upgrading sebastian/type (1.1.4 => 3.2.1)
- Upgrading sebastian/resource-operations (2.0.2 => 3.0.3)
- Upgrading sebastian/recursion-context (3.0.1 => 4.0.5)
- Upgrading sebastian/object-reflector (1.1.2 => 2.0.4)
- Upgrading sebastian/object-enumerator (3.0.4 => 4.0.4)
- Upgrading sebastian/global-state (3.0.3 => 5.0.6)
- Upgrading sebastian/exporter (3.1.5 => 4.0.5)
- Upgrading sebastian/environment (4.2.4 => 5.1.5)
- Upgrading sebastian/diff (3.0.4 => 4.0.5)
- Upgrading sebastian/comparator (3.0.5 => 4.0.8)
- Installing sebastian/code-unit (1.0.8)
- Installing sebastian/cli-parser (1.0.1)
- Upgrading phpunit/php-timer (2.1.3 => 5.0.3)
- Upgrading phpunit/php-text-template (1.2.1 => 2.0.4)
- Installing phpunit/php-invoker (3.1.1)
- Upgrading phpunit/php-file-iterator (2.0.5 => 3.0.6)
- Upgrading theseer/tokenizer (1.2.1 => 1.2.2)
- Installing nikic/php-parser (v5.0.1)
- Installing sebastian/lines-of-code (1.0.4)
- Installing sebastian/complexity (2.0.3)
- Upgrading sebastian/code-unit-reverse-lookup (1.0.2 => 2.0.3)
- Upgrading phpunit/php-code-coverage (7.0.15 => 9.2.30)
- Upgrading phpunit/phpunit (8.5.34 => 9.6.16)
mod - composer.lock Diff File

master d58e13d3

2024-02-20 19:34

dregad


Details Diff
Merge branch 'master-2.26'
mod - build/travis_before_script.sh Diff File

master-2.26 0e4e6e3c

2024-02-20 19:30

dregad


Details Diff
Travis: fix builds timing out

Since merge of GHSA-mcqj-7p29-9528 (7055731d09ff12b2781410a372f790172e279744),
the builds are timing out during travis_before_script.sh "MantisBT
Installation" step, because curl is not returning any output.

This is due to the introduction of the new path parameter.

Setting it to the actual URL `http://$HOSTNAME:$PORT/` does not work, so
we use a blank path.

Fixes 0033791

(cherry picked from commit cd2cf5b3f99b67668bba667e7f918c7a49f04969)
Affected Issues
0033791
mod - build/travis_before_script.sh Diff File

master 4024da02

2024-02-20 16:25

dregad


Details Diff
Merge tag 'release-2.26.1'

Stable release 2.26.1

# Conflicts:
# config_defaults_inc.php
# core/constant_inc.php
mod - admin/check/check_paths_inc.php Diff File
mod - admin/install.php Diff File
mod - config_defaults_inc.php Diff File
mod - core.php Diff File
mod - doc/CREDITS Diff File
mod - docbook/Admin_Guide/en-US/config/path.xml Diff File
mod - js/install.js Diff File
mod - lang/strings_english.txt Diff File
mod - login_page.php Diff File

release-2.26.1 b8778103

2024-02-20 16:14

dregad


Details Diff
Bump version to 5.26.1
mod - core/constant_inc.php Diff File

release-2.26.1 ba4e14ce

2024-02-20 16:13

dregad


Details Diff
Update Credits
mod - doc/CREDITS Diff File

master-2.26 7055731d

2024-02-20 16:10

dregad

Committer: community


Details Diff
Merge pull request from GHSA-mcqj-7p29-9528

* Address host header injection vulnerability

$g_path is empty by default, and should be defined in config_inc.php.
Not doing so is a security risk, as the path will then be set based on
headers from the HTTP request, exposing the system to Host Header
injection attacks.

Document the risk in PHPDoc and Admin Guide.

Move the code that initializes $g_path's default value from
config_defaults_inc.php to a function in core.php.

Detect if $g_path was defaulted, and if yes alert the user in:
- Login Page (if $g_admin_checks == ON)
- Admin Checks

Fixes 0019381, CVE-2024-23830, GHSA-mcqj-7p29-9528

* Remove dead code

* Use OWASP as reference for host header injection

* Link to OWASP reference page from admin guide

* Invalid $g_path at install time is a hard fail

Empty $g_path remains just a warning about the security risk.
Request and set $g_path at install time

This is an improvement on the original patch for CVE-2024-23830.

The admin is now able to set $g_path when installing MantisBT. A default
value is provided, based on the URL used to perform the installation
(using the same logic that is applied when $g_path is empty).

A check of the provided URL is performed during install stage 2, and an
error is reported if it is invalid. If an empty $g_path is given, then
we only display a warning about the security risk.

The URL is then stored as $g_path in the generated config_inc.php file
at stage 5.

This greatly reduces the risk of the admin forgetting to set $g_path
manually, while still allowing them to set it to empty should they want
to.

Fixes 0019381

* Add Reset button to path input

Reuse the existing functionality implemented for database prefix/suffix,
with the following changes

- Rename `reset-prefix` selector class to `reset` to be more generic
- Add Reset functionality markup to path input including default value
- Add title attribute to Reset buttons
- Adapt initialization logic to only set the default value for the
table-prefix fields
Affected Issues
0019381
mod - admin/check/check_paths_inc.php Diff File
mod - admin/install.php Diff File
mod - config_defaults_inc.php Diff File
mod - core.php Diff File
mod - docbook/Admin_Guide/en-US/config/path.xml Diff File
mod - js/install.js Diff File
mod - lang/strings_english.txt Diff File
mod - login_page.php Diff File

master a254b244

2024-02-19 19:08

atrol

Committer: community


Details Diff
Revert unrelated changes to prevent a regression

Changes for issue 0033521 introduce a regression.
Without undoing, we will get again issue 0032459.
Affected Issues
0032459, 0033521
mod - plugins/MantisGraph/MantisGraph.php Diff File

master a16fa867

2024-02-19 18:30

dregad


Details Diff
Always consider Category 0 as enabled

Fixes a regression introduced by e3f572c0f9dd8e1820d76df23281a99e07636bea.

APPLICATION ERROR 1502 (Category not found) prevents editing an issue
without a category.

Issue 0031017
Affected Issues
0031017
mod - core/category_api.php Diff File