Changesets: MantisBT
|
master-2.26 7055731d 2024-02-20 16:10 Committer: community Details Diff |
Merge pull request from GHSA-mcqj-7p29-9528 * Address host header injection vulnerability $g_path is empty by default, and should be defined in config_inc.php. Not doing so is a security risk, as the path will then be set based on headers from the HTTP request, exposing the system to Host Header injection attacks. Document the risk in PHPDoc and Admin Guide. Move the code that initializes $g_path's default value from config_defaults_inc.php to a function in core.php. Detect if $g_path was defaulted, and if yes alert the user in: - Login Page (if $g_admin_checks == ON) - Admin Checks Fixes 0019381, CVE-2024-23830, GHSA-mcqj-7p29-9528 * Remove dead code * Use OWASP as reference for host header injection * Link to OWASP reference page from admin guide * Invalid $g_path at install time is a hard fail Empty $g_path remains just a warning about the security risk. Request and set $g_path at install time This is an improvement on the original patch for CVE-2024-23830. The admin is now able to set $g_path when installing MantisBT. A default value is provided, based on the URL used to perform the installation (using the same logic that is applied when $g_path is empty). A check of the provided URL is performed during install stage 2, and an error is reported if it is invalid. If an empty $g_path is given, then we only display a warning about the security risk. The URL is then stored as $g_path in the generated config_inc.php file at stage 5. This greatly reduces the risk of the admin forgetting to set $g_path manually, while still allowing them to set it to empty should they want to. Fixes 0019381 * Add Reset button to path input Reuse the existing functionality implemented for database prefix/suffix, with the following changes - Rename `reset-prefix` selector class to `reset` to be more generic - Add Reset functionality markup to path input including default value - Add title attribute to Reset buttons - Adapt initialization logic to only set the default value for the table-prefix fields |
Affected Issues 0019381 |
|
| mod - admin/check/check_paths_inc.php | Diff File | ||
| mod - admin/install.php | Diff File | ||
| mod - config_defaults_inc.php | Diff File | ||
| mod - core.php | Diff File | ||
| mod - docbook/Admin_Guide/en-US/config/path.xml | Diff File | ||
| mod - js/install.js | Diff File | ||
| mod - lang/strings_english.txt | Diff File | ||
| mod - login_page.php | Diff File | ||
|
master a254b244 2024-02-19 19:08 Committer: community Details Diff |
Revert unrelated changes to prevent a regression Changes for issue 0033521 introduce a regression. Without undoing, we will get again issue 0032459. |
Affected Issues 0032459, 0033521 |
|
| mod - plugins/MantisGraph/MantisGraph.php | Diff File | ||
|
master a16fa867 2024-02-19 18:30 Details Diff |
Always consider Category 0 as enabled Fixes a regression introduced by e3f572c0f9dd8e1820d76df23281a99e07636bea. APPLICATION ERROR 1502 (Category not found) prevents editing an issue without a category. Issue 0031017 |
Affected Issues 0031017 |
|
| mod - core/category_api.php | Diff File | ||
|
master 0ed7aec5 2024-02-19 17:41 Details Diff |
Merge branch 'master-2.26' | ||
| mod - core/commands/MonitorAddCommand.php | Diff File | ||
|
master-2.26 2e1c8148 2024-02-19 17:39 Committer: community Details Diff |
Fix add monitor regressions Fixes 0033404 |
Affected Issues 0033404 |
|
| mod - core/commands/MonitorAddCommand.php | Diff File | ||
|
master 4a4c7527 2024-02-19 07:08 translatewiki.net Details Diff |
Localisation updates from https://translatewiki.net. [skip ci] | ||
| mod - plugins/MantisGraph/lang/strings_chinese_traditional.txt | Diff File | ||
| mod - plugins/MantisGraph/lang/strings_french.txt | Diff File | ||
| mod - plugins/MantisGraph/lang/strings_macedonian.txt | Diff File | ||
|
master c03fa0c8 2024-02-18 18:36 Details Diff |
Fix active tab following change of default graph Before introduction of the By Projects graphs, the Graphs menu was opening the By Developers graph by default. Since the default was changed to By Projects, it needs to be reflected in all graph scripts to ensure the Graphs tab is shown as active. Fixes 0033521 |
Affected Issues 0033521 |
|
| mod - plugins/MantisGraph/pages/category_graph.php | Diff File | ||
| mod - plugins/MantisGraph/pages/developer_graph.php | Diff File | ||
| mod - plugins/MantisGraph/pages/issues_trend_graph.php | Diff File | ||
| mod - plugins/MantisGraph/pages/priority_graph.php | Diff File | ||
| mod - plugins/MantisGraph/pages/project_graph.php | Diff File | ||
| mod - plugins/MantisGraph/pages/reporter_graph.php | Diff File | ||
| mod - plugins/MantisGraph/pages/resolution_graph.php | Diff File | ||
| mod - plugins/MantisGraph/pages/severity_graph.php | Diff File | ||
| mod - plugins/MantisGraph/pages/status_graph.php | Diff File | ||
|
master c0ac7ecf 2024-02-18 17:46 Details Diff |
Allow disabling Categories PR https://github.com/mantisbt/mantisbt/pull/1853 |
||
| mod - admin/schema.php | Diff File | ||
| mod - api/soap/mantisconnect.wsdl | Diff File | ||
| mod - api/soap/mc_api.php | Diff File | ||
| mod - api/soap/mc_project_api.php | Diff File | ||
| mod - bug_actiongroup_page.php | Diff File | ||
| mod - bug_report_page.php | Diff File | ||
| mod - bug_update_page.php | Diff File | ||
| mod - bug_view_inc.php | Diff File | ||
| mod - core/category_api.php | Diff File | ||
| mod - core/constant_inc.php | Diff File | ||
| mod - core/install_helper_functions_api.php | Diff File | ||
| mod - core/print_api.php | Diff File | ||
| mod - lang/strings_arabic.txt | Diff File | ||
| mod - lang/strings_belarusian_tarask.txt | Diff File | ||
| mod - lang/strings_breton.txt | Diff File | ||
| mod - lang/strings_bulgarian.txt | Diff File | ||
| mod - lang/strings_catalan.txt | Diff File | ||
| mod - lang/strings_chinese_simplified.txt | Diff File | ||
| mod - lang/strings_chinese_traditional.txt | Diff File | ||
| mod - lang/strings_czech.txt | Diff File | ||
| mod - lang/strings_danish.txt | Diff File | ||
| mod - lang/strings_dutch.txt | Diff File | ||
| mod - lang/strings_english.txt | Diff File | ||
| mod - lang/strings_french.txt | Diff File | ||
| mod - lang/strings_galician.txt | Diff File | ||
| mod - lang/strings_german.txt | Diff File | ||
| mod - lang/strings_hebrew.txt | Diff File | ||
| mod - lang/strings_hungarian.txt | Diff File | ||
| mod - lang/strings_icelandic.txt | Diff File | ||
| mod - lang/strings_interlingua.txt | Diff File | ||
| mod - lang/strings_italian.txt | Diff File | ||
| mod - lang/strings_japanese.txt | Diff File | ||
| mod - lang/strings_korean.txt | Diff File | ||
| mod - lang/strings_lithuanian.txt | Diff File | ||
| mod - lang/strings_macedonian.txt | Diff File | ||
| mod - lang/strings_norwegian_bokmal.txt | Diff File | ||
| mod - lang/strings_occitan.txt | Diff File | ||
| mod - lang/strings_polish.txt | Diff File | ||
| mod - lang/strings_portuguese_brazil.txt | Diff File | ||
| mod - lang/strings_portuguese_standard.txt | Diff File | ||
| mod - lang/strings_romanian.txt | Diff File | ||
| mod - lang/strings_russian.txt | Diff File | ||
| mod - lang/strings_serbian.txt | Diff File | ||
| mod - lang/strings_serbian_latin.txt | Diff File | ||
| mod - lang/strings_slovak.txt | Diff File | ||
| mod - lang/strings_spanish.txt | Diff File | ||
| mod - lang/strings_swedish.txt | Diff File | ||
| mod - lang/strings_swissgerman.txt | Diff File | ||
| mod - lang/strings_tagalog.txt | Diff File | ||
| mod - lang/strings_turkish.txt | Diff File | ||
| mod - lang/strings_ukrainian.txt | Diff File | ||
| mod - lang/strings_vietnamese.txt | Diff File | ||
| mod - manage_proj_cat_edit_page.php | Diff File | ||
| mod - manage_proj_cat_update.php | Diff File | ||
| mod - manage_proj_edit_page.php | Diff File | ||
| mod - manage_proj_page.php | Diff File | ||
| mod - plugins/XmlImportExport/pages/import.php | Diff File | ||
|
master 7abd1309 2024-02-18 17:24 Details Diff |
Refactor mc_project_api.php - Improve PHPDoc - Fix static analysis warnings - Introduce new functions to avoid code duplication - mci_project_get_row() - mci_project_get_versions() - mci_project_initial_checks() Fixes 0033774, PR https://github.com/mantisbt/mantisbt/pull/1970 |
Affected Issues 0033774 |
|
| mod - api/soap/mc_api.php | Diff File | ||
| mod - api/soap/mc_project_api.php | Diff File | ||
|
master 4dc35ad5 2024-02-18 11:40 Details Diff |
Merge branch 'master-2.26' | ||
| mod - admin/install.php | Diff File | ||
| mod - core.php | Diff File | ||
| mod - css/ace-mantis.css | Diff File | ||
|
master-2.26 e50fb20d 2024-02-18 11:31 Details Diff |
Fix overflowing text in sidebar menu Addresses 2 distinct issues: - collapsed menu - expanded menu with resolutions < 992px Fixes 0033651, PR https://github.com/mantisbt/mantisbt/pull/1969 |
Affected Issues 0033651 |
|
| mod - css/ace-mantis.css | Diff File | ||
|
master-2.26 1f1c88d7 2024-02-18 06:20 Details Diff |
Fix overflowing text in expanded sidebar menu Use `min-width` attribute instead of `width` for non-minimized .sidebar in resolutions < 992px. |
||
| mod - css/ace-mantis.css | Diff File | ||
|
master-2.26 4b54f872 2024-02-18 06:04 Details Diff |
Move menu-text overflow fix out of @media section This way the change also applies in responsive mode for smaller resolutions. |
||
| mod - css/ace-mantis.css | Diff File | ||
|
master-2.26 e1396d1c 2024-02-18 06:03 Details Diff |
Remove min-width | ||
| mod - css/ace-mantis.css | Diff File | ||
|
master-2.26 fe630faf 2024-02-18 04:07 Details Diff |
Install: reset button does not work at stage 2 This was caused by the install.js scripts only being loaded at stage 1. Fixes 0026664 |
Affected Issues 0026664, 0033773 |
|
| mod - admin/install.php | Diff File | ||
|
master-2.26 6da6fb05 2024-02-17 07:11 Details Diff |
Fix javascript console errors in install.php This caused by core.php redirecting to install.php when config_inc.php does not exist, when attempting to load the dynamically built javascript files. Fixes 0033756 |
Affected Issues 0033756 |
|
| mod - core.php | Diff File | ||
|
master e082b0ce 2024-02-16 20:34 Details Diff |
Tests: new MANTIS_TESTSUITE_XDEBUG_SESSION setting Allows debugging of SOAP and REST API endpoints when running PHPUnit. If not empty, sets the XDEBUG_SESSION cookie with the config's value to enable Xdebug. Fixes 0033755 |
Affected Issues 0033755 |
|
| mod - tests/bootstrap.php.sample | Diff File | ||
| mod - tests/core/RequestBuilder.php | Diff File | ||
| mod - tests/rest/RestBase.php | Diff File | ||
| mod - tests/soap/SoapBase.php | Diff File | ||
|
master 5c91053e 2024-02-16 18:47 Details Diff |
REST: /projects includes category status Issue 0031017 |
Affected Issues 0031017 |
|
| mod - api/soap/mc_project_api.php | Diff File | ||
|
master fc4c9462 2024-02-16 18:43 Details Diff |
SOAP: only return enabled categories mc_project_get_categories() should not return disabled categories. Issue 0031017 |
Affected Issues 0031017 |
|
| mod - api/soap/mantisconnect.wsdl | Diff File | ||
| mod - api/soap/mc_project_api.php | Diff File | ||
|
master 856b7c6d 2024-02-16 18:36 Details Diff |
New function mci_project_initial_checks() Avoid duplicated code in - mc_project_get_categories() - mc_project_add_category() - mc_project_delete_category() |
||
| mod - api/soap/mc_project_api.php | Diff File | ||
|
master 7ab9a6cf 2024-02-16 18:32 Details Diff |
New function mci_project_get_versions() Avoid duplicated code in - mc_project_get_versions() - mc_project_get_released_versions() - mc_project_get_unreleased_versions() |
||
| mod - api/soap/mc_project_api.php | Diff File | ||
|
master ef8b79aa 2024-02-16 18:24 Details Diff |
New function mci_project_get_row() Avoid duplicated code in - mc_projects_get_user_accessible - mci_user_get_accessible_subprojects() |
||
| mod - api/soap/mc_api.php | Diff File | ||
| mod - api/soap/mc_project_api.php | Diff File | ||
|
master 6b1fcc13 2024-02-16 18:15 Details Diff |
PHPDoc | ||
| mod - api/soap/mc_project_api.php | Diff File | ||
|
master 3072c167 2024-02-16 18:13 Details Diff |
Fix static analysis warnings | ||
| mod - api/soap/mc_project_api.php | Diff File | ||
|
master ff09c2ed 2024-02-16 12:23 Details Diff |
Prevent disabling category if used as default If the category being disabled is used as default_category_for_moves in any project, then category_update() now fails with an error. Issue 0031017 |
Affected Issues 0031017 |
|
| mod - core/category_api.php | Diff File | ||
