0014496: CVE-2012-5522 Workflow Transitions: Minimal Access Level to Change to this status has no correct 'default'

Notes
(0033185) dregad (developer) 2012-10-12 17:31	Confirmed.

(0033186) dregad (developer) 2012-10-12 18:59	Work-in-progress fix https://github.com/dregad/mantisbt/tree/manage-config-workflow [^] Testing & feedback welcome

(0033192) atrol (developer) 2012-10-14 10:41	The display of the access levels at "Minimum Access Level to Change to this Status" is fine now, but I found some other issues Test environment: Clone of https://github.com/dregad/mantisbt, [^] branch manage-config-workflow Fresh installation without any workflow / status changes in config_inc.php Created two projects, started every workflow with clean settings (no entries in "Configuration Report)" Workflow 1: Project selected: All Projects Change "Thresholds that Affect Workflow" > "Status to which a new issue is set" from "new" to "acknowledged" Click "Upgrade Configuration" The setting is changed as expected and shown with the right color Bug: The color for rows "new" and "acknowledged" in section "Minimum Access Level to Change to this Status" is also changed. Workflow 2: Project selected: All Projects Change "Minimum Access Level to Change to this Status", row "closed" from "developer" to "manager" Click "Upgrade Configuration" The setting is changed as expected and shown with the right color Click "Upgrade Configuration" without changing anything Bug: The changed setting is lost Workflow 3: Project selected: All Projects Click "Upgrade Configuration" without changing anything Bug: You get an entry for "status_enum_workflow" in config_table I stop testing more workflows Minor code issue: One PHPDoc tag in function set_colour_override is wrong Should be @return instead of @returns

(0033195) dregad (developer) 2012-10-15 04:30	Thanks for testing, I'll look into the issues you found

(0033321) Goaul (reporter) 2012-10-28 06:06	any new code to test? :)

(0033324) dregad (developer) 2012-10-28 06:13	Not yet no, been busy

(0033325) dregad (developer) 2012-10-28 13:59 edited on: 2012-10-28 13:59	> Workflow 1: > Bug: The color for rows "new" and "acknowledged" in section "Minimum Access Level to Change to this Status" is also changed. The problem is that depending on the value of $g_bug_submit_status ('NEW' by default, but in your test case, set to 'ACKNOWLEDGED'), the access level for the corresponding status is controlled (overridden in fact) by $g_report_bug_threshold instead of $g_set_status_threshold. Since in a single update operation, the code is both changing $g_bug_submit_status and $g_set_status_threshold, I think what we're seeing is the expected behavior, even though it's a bit confusing. This is because as part of the update process, $g_report_bug_threshold is actually set to match the access level for $g_bug_submit_status; since this happens after setting $g_bug_submit_status, you're effectively preventing REPORTERS from reporting new (i.e. acknowledged) issues, unless you change the access level for status 'ACKNOWLEDGED' to 'REPORTER' before updating. This can easily be confirmed by checking the Manage Workflow Threshold page after the update. So there is a logical explanation for the 'ACKNOWLEDGED' color change. For 'NEW', you have to keep in mind that with default configuration, $g_set_status_threshold is defined in config_defaults_inc.php as an empty array, so there is no 'file' value, while at 'global' (all projects) level it's set to 'REPORTER'. I believe that one possible way to fix this could be to define in config_defaults_inc.php: $g_set_status_threshold = array( NEW_ => REPORTER ); Let me know what you think. > Workflow 2: > Bug: The changed setting is lost Confirmed; this is due to an initial attempt at fixing case 3 below, which was not completely tested. > Workflow 3: > Click "Upgrade Configuration" without changing anything > Bug: You get an entry for "status_enum_workflow" in config_table Yep, I had already identified that one, and marked it as a todo in the code. Need to implement a comparison to remove (or avoid setting) the config when matching the default > One PHPDoc tag in function set_colour_override is wrong > Should be @return instead of @returns Good catch, thanks. Fixed.

(0033329) dregad (developer) 2012-10-28 19:17	I revised and updated the github branch [1] with a few additional commits that should fix the issues raised by atrol in 0014496:0033192 as per my comments below. Let me know if you notice any additional issues in testing. [1] https://github.com/dregad/mantisbt/tree/manage-config-workflow [^]

(0034441) dregad (developer) 2012-12-01 06:16	Ported the 1.2.12 changes to master branch

(0035371) dregad (developer) 2013-03-04 11:22	CVE-2012-5522 assigned on oss-security mailing list on 2012-11-14

(0036081) grangeway (developer) 2013-04-05 17:56	Marking as 'acknowledged' not resolved/closed to track that change gets ported to master-2.0.x branch

Related Changesets
MantisBT: master-1.2.x d893ca3f Timestamp: 2012-10-12 22:37:06 Author: dregad [ Details ] [ Diff ]	Manage config workflow page does not reflect actual config The code did not properly reflect the configuration state when building the Access Levels form, if the minimum access level was defined using update_bug_status_threshold and set_status_threshold wass empty, showing 'viewer' for each status except 'new'. Consequently, saving the page without changes would cause the config to be saved with all access levels as 'viewer'. Fixes 0014496
	mod - manage_config_workflow_page.php	[ Diff ] [ File ]
	mod - manage_config_workflow_set.php	[ Diff ] [ File ]

MantisBT: master a4144388 Timestamp: 2012-10-12 22:37:06 Author: dregad [ Details ] [ Diff ]	Manage config workflow page does not reflect actual config The code did not properly reflect the configuration state when building the Access Levels form, if the minimum access level was defined using update_bug_status_threshold and set_status_threshold wass empty, showing 'viewer' for each status except 'new'. Consequently, saving the page without changes would cause the config to be saved with all access levels as 'viewer'. Fixes 0014496
	mod - manage_config_workflow_page.php	[ Diff ] [ File ]
	mod - manage_config_workflow_set.php	[ Diff ] [ File ]

MantisBT: master-1.2.x d982fc99 Timestamp: 2012-10-28 22:47:15 Author: dregad [ Details ] [ Diff ]	Workflow config: delete override if identical to parent The code in manage_config_workflow_set.php now deletes the config override for the current project if the new settings are identical to the parent's (ALL_PROJECTS level if project, or file-level if all projects). Follow-up fix for issue 0014496
	mod - manage_config_workflow_set.php	[ Diff ] [ File ]

MantisBT: master c96ca214 Timestamp: 2012-10-28 22:47:15 Author: dregad [ Details ] [ Diff ]	Workflow config: delete override if identical to parent The code in manage_config_workflow_set.php now deletes the config override for the current project if the new settings are identical to the parent's (ALL_PROJECTS level if project, or file-level if all projects). Follow-up fix for issue 0014496
	mod - manage_config_workflow_set.php	[ Diff ] [ File ]

MantisBT: master-1.2.x 361089d2 Timestamp: 2012-10-28 23:00:51 Author: dregad [ Details ] [ Diff ]	Define default $g_set_status_threshold for NEW to REPORTER This prevents incorrect highlighting of NEW status as an override in the Access Levels section of manage_config_workflow_page.php, when $g_bug_submit_status is different from default. Fixes 0014496 (see atrol's bugnote 0014496:0033192 and my follow up in 0014496:0033325)
	mod - config_defaults_inc.php	[ Diff ] [ File ]

MantisBT: master 7c46e287 Timestamp: 2012-10-28 23:00:51 Author: dregad [ Details ] [ Diff ]	Define default $g_set_status_threshold for NEW to REPORTER This prevents incorrect highlighting of NEW status as an override in the Access Levels section of manage_config_workflow_page.php, when $g_bug_submit_status is different from default. Fixes 0014496 (see atrol's bugnote 0014496:0033192 and my follow up in 0014496:0033325)
	mod - config_defaults_inc.php	[ Diff ] [ File ]

Issue History
Date Modified	Username	Field	Change
2012-07-19 02:59	TomR	New Issue
2012-10-12 17:31	dregad	Note Added: 0033185
2012-10-12 17:31	dregad	Status	new => confirmed
2012-10-12 17:58	dregad	Relationship added	related to 0011894
2012-10-12 18:59	dregad	Note Added: 0033186
2012-10-12 18:59	dregad	Assigned To	=> dregad
2012-10-12 18:59	dregad	Status	confirmed => assigned
2012-10-14 10:41	atrol	Note Added: 0033192
2012-10-15 04:30	dregad	Note Added: 0033195
2012-10-19 04:03	dregad	Relationship added	related to 0007325
2012-10-28 06:06	Goaul	Note Added: 0033321
2012-10-28 06:13	dregad	Note Added: 0033324
2012-10-28 13:59	dregad	Note Added: 0033325
2012-10-28 13:59	dregad	Note Edited: 0033325	View Revisions
2012-10-28 19:17	dregad	Note Added: 0033329
2012-10-28 19:17	dregad	Status	assigned => feedback
2012-11-10 19:13	dregad	Changeset attached	=> MantisBT master-1.2.x d893ca3f
2012-11-10 19:13	dregad	Changeset attached	=> MantisBT master-1.2.x d982fc99
2012-11-10 19:13	dregad	Changeset attached	=> MantisBT master-1.2.x 361089d2
2012-11-10 19:13	dregad	Status	feedback => resolved
2012-11-10 19:13	dregad	Resolution	open => fixed
2012-11-10 19:13	dregad	Fixed in Version	=> 1.2.13
2012-11-10 19:15	dregad	Fixed in Version	1.2.13 => 1.2.12
2012-11-10 19:15	dregad	Target Version	=> 1.2.12
2012-12-01 06:12	dregad	Changeset attached	=> MantisBT master a4144388
2012-12-01 06:12	dregad	Changeset attached	=> MantisBT master c96ca214
2012-12-01 06:12	dregad	Changeset attached	=> MantisBT master 7c46e287
2012-12-01 06:16	dregad	Note Added: 0034441
2012-12-23 07:43	atrol	Status	resolved => closed
2013-03-04 11:20	dregad	Summary	Workflow Transitions: Minimal Access Level to Change to this status has no correct 'default' => CVE-2012-5522 Workflow Transitions: Minimal Access Level to Change to this status has no correct 'default'
2013-03-04 11:22	dregad	Note Added: 0035371
2013-04-05 17:56	grangeway	Status	closed => acknowledged
2013-04-05 17:56	grangeway	Note Added: 0036081
2013-04-05 19:43	grangeway	Relationship added	related to 0015721
2013-04-06 03:40	dregad	Status	acknowledged => closed
2013-04-06 07:23	grangeway	Status	closed => acknowledged
2013-04-06 09:22	dregad	Tag Attached: 2.0.x check
2013-04-06 09:23	dregad	Status	acknowledged => closed