MantisBT

ID: 0014496
Project: mantisbt
Category: security
View Status: public
Date Submitted: 2012-07-19 02:59
Last Update: 2013-12-30 07:27
Reporter: TomR
Assigned To: dregad
Priority: normal
Severity: minor
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 1.2.8
Target Version: 1.2.12
Fixed in Version: 1.2.12
Summary: 0014496: CVE-2012-5522 Workflow Transitions: Minimal Access Level to Change to this status has no correct 'default'
Description:
Related to 0011894

If you have in your config_inc.php

$g_update_bug_status_threshold = DEVELOPER;
$g_set_status_threshold = array();

you would expect that the defaults in Manage Configuration - Workflow Thresholds would be 'developer' for every status. Instead it shows 'viewer' for every status (except 'new').
(So when you change the workflow and save it, it also saves the access levels, which have the wrong default.)

In my opinion the default for each status should be taken from $g_set_status_threshold, but if not set, it should 'fall back' to $g_update_bug_status_threshold and not to 'viewer'.
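As an added illustration of the report above (example code, not MantisBT's own), the following PHP script builds the per-status defaults for the "Minimum Access Level to Change to this Status" form two ways: the 1.2.8 behaviour the reporter describes (unset statuses collapse to VIEWER) and the fallback to $g_update_bug_status_threshold the reporter expects. The constant values mirror MantisBT's constant_inc.php; the status list, the config values (including the ALL_PROJECTS-level REPORTER value for NEW mentioned later in note 0033325) and the "save unchanged" simulation are constructed assumptions for this example.

```php
<?php
// Added example, not MantisBT code: derives the per-status defaults for the
// "Minimum Access Level to Change to this Status" form the way the report
// expects, beside the 1.2.8 behaviour it describes. Access-level and status
// constants mirror MantisBT's constant_inc.php values; the status list, the
// config values and the save simulation are constructed for this example.
// Requires PHP >= 7.0 (null coalescing operator).

const VIEWER    = 10;
const REPORTER  = 25;
const DEVELOPER = 50;

const NEW_         = 10;
const FEEDBACK     = 20;
const ACKNOWLEDGED = 30;
const CONFIRMED    = 40;
const ASSIGNED     = 50;
const RESOLVED     = 80;
const CLOSED       = 90;

$statuses = [ NEW_, FEEDBACK, ACKNOWLEDGED, CONFIRMED, ASSIGNED, RESOLVED, CLOSED ];

// The reporter's config_inc.php, plus the ALL_PROJECTS-level value for NEW
// that note 0033325 mentions (assumed here; it is why 'new' was the exception).
$g_update_bug_status_threshold = DEVELOPER;
$g_set_status_threshold        = [ NEW_ => REPORTER ];

// 1.2.8 behaviour: a status with no explicit entry collapses to VIEWER.
function form_defaults_buggy( array $statuses, array $set_status_threshold ): array {
    $defaults = [];
    foreach ( $statuses as $status ) {
        $defaults[$status] = $set_status_threshold[$status] ?? VIEWER;
    }
    return $defaults;
}

// Expected behaviour: fall back to update_bug_status_threshold instead.
function form_defaults_fixed( array $statuses, array $set_status_threshold, int $update_bug_status_threshold ): array {
    $defaults = [];
    foreach ( $statuses as $status ) {
        $defaults[$status] = $set_status_threshold[$status] ?? $update_bug_status_threshold;
    }
    return $defaults;
}

// Statuses whose stored threshold ends up below the level the admin actually
// configured, i.e. transitions that lower-privileged users could now perform.
function weakened_transitions( array $stored, array $intended ): array {
    $weakened = [];
    foreach ( $intended as $status => $level ) {
        if ( ( $stored[$status] ?? VIEWER ) < $level ) {
            $weakened[] = $status;
        }
    }
    return $weakened;
}

// "Save without changes" writes the displayed form values back verbatim, so
// whatever the page showed becomes the stored configuration.
$intended     = form_defaults_fixed( $statuses, $g_set_status_threshold, $g_update_bug_status_threshold );
$stored_buggy = form_defaults_buggy( $statuses, $g_set_status_threshold );
$stored_fixed = $intended;

printf( "1.2.8 page saved unchanged: %d of %d transitions weakened\n",
    count( weakened_transitions( $stored_buggy, $intended ) ), count( $statuses ) );
printf( "fixed page saved unchanged: %d transitions weakened\n",
    count( weakened_transitions( $stored_fixed, $intended ) ) );
```

Running it with the reporter's settings shows every status except 'new' dropping from DEVELOPER to VIEWER after an unchanged save of the buggy page, which is the access-control weakening behind the CVE; the fixed resolution leaves nothing weakened.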
Tags: 2.0.x check
- Relationships
related to 0011894 (closed, dregad): Update issue status in workflow thresholds not working
related to 0015721 (closed, grangeway): Functionality to consider porting to master-2.0.x
related to 0007325 (feedback): project dependent "Allow Reporter to close Issue" has no effect, or?
related to 0016771 (confirmed): workflow configuration

- Notes
(0033185) dregad (developer) 2012-10-12 17:31

Confirmed.
(0033186) dregad (developer) 2012-10-12 18:59

Work-in-progress fix https://github.com/dregad/mantisbt/tree/manage-config-workflow

Testing & feedback welcome
(0033192) atrol (developer) 2012-10-14 10:41

The display of the access levels at "Minimum Access Level to Change to this Status" is fine now, but I found some other issues

Test environment:
Clone of https://github.com/dregad/mantisbt, branch manage-config-workflow
Fresh installation without any workflow / status changes in config_inc.php
Created two projects, started every workflow with clean settings (no entries in "Configuration Report")


Workflow 1:
Project selected: All Projects
Change "Thresholds that Affect Workflow" > "Status to which a new issue is set" from "new" to "acknowledged"
Click "Upgrade Configuration"
The setting is changed as expected and shown with the right color
Bug: The color for rows "new" and "acknowledged" in section "Minimum Access Level to Change to this Status" is also changed.

Workflow 2:
Project selected: All Projects
Change "Minimum Access Level to Change to this Status", row "closed" from "developer" to "manager"
Click "Upgrade Configuration"
The setting is changed as expected and shown with the right color
Click "Upgrade Configuration" without changing anything
Bug: The changed setting is lost

Workflow 3:
Project selected: All Projects
Click "Upgrade Configuration" without changing anything
Bug: You get an entry for "status_enum_workflow" in config_table

I stop testing more workflows

Minor code issue:
One PHPDoc tag in function set_colour_override is wrong
Should be @return instead of @returns
(0033195) dregad (developer) 2012-10-15 04:30

Thanks for testing, I'll look into the issues you found
(0033321) Goaul (reporter) 2012-10-28 06:06

any new code to test? :)
(0033324) dregad (developer) 2012-10-28 06:13

Not yet no, been busy
(0033325) dregad (developer) 2012-10-28 13:59
edited on: 2012-10-28 13:59

> Workflow 1:
> Bug: The color for rows "new" and "acknowledged" in section "Minimum Access Level to Change to this Status" is also changed.

The problem is that depending on the value of $g_bug_submit_status ('NEW' by default, but in your test case, set to 'ACKNOWLEDGED'), the access level for the corresponding status is controlled (overridden in fact) by $g_report_bug_threshold instead of $g_set_status_threshold.

Since in a single update operation, the code is both changing $g_bug_submit_status and $g_set_status_threshold, I think what we're seeing is the expected behavior, even though it's a bit confusing.

This is because as part of the update process, $g_report_bug_threshold is actually set to match the access level for $g_bug_submit_status; since this happens *after* setting $g_bug_submit_status, you're effectively preventing REPORTERS from reporting new (i.e. acknowledged) issues, unless you change the access level for status 'ACKNOWLEDGED' to 'REPORTER' before updating. This can easily be confirmed by checking the Manage Workflow Threshold page after the update.

So there is a logical explanation for the 'ACKNOWLEDGED' color change.

For 'NEW', you have to keep in mind that with default configuration, $g_set_status_threshold is defined in config_defaults_inc.php as an empty array, so there is no 'file' value, while at 'global' (all projects) level it's set to 'REPORTER'.

I believe that one possible way to fix this could be to define in config_defaults_inc.php:
$g_set_status_threshold = array( NEW_ => REPORTER );

Let me know what you think.


> Workflow 2:
> Bug: The changed setting is lost

Confirmed; this is due to an initial attempt at fixing case 3 below, which was not completely tested.

> Workflow 3:
> Click "Upgrade Configuration" without changing anything
> Bug: You get an entry for "status_enum_workflow" in config_table

Yep, I had already identified that one, and marked it as a todo in the code. Need to implement a comparison to remove (or avoid setting) the config when matching the default

> One PHPDoc tag in function set_colour_override is wrong
> Should be @return instead of @returns

Good catch, thanks. Fixed.

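The note above describes the save-side behaviour that the later commits implement: an override should only be stored for the current level when it differs from its parent (ALL_PROJECTS for a project, the file-level default for ALL_PROJECTS), and the file default for $g_set_status_threshold gains a NEW => REPORTER entry. The PHP script below is an added example, not MantisBT's code: it replays atrol's Workflow 2 and Workflow 3 against a constructed in-memory array standing in for config_table and MantisBT's config_set()/config_delete() API, which are not used here. Option names, the store layout and the helper functions are assumptions for the example.

```php
<?php
// Added example, not MantisBT code: the save-side rule from commit d982fc99
// ("delete override if identical to parent") together with the NEW => REPORTER
// file default from 361089d2, run against a constructed in-memory config store
// in place of MantisBT's config_table and its config_set()/config_delete() API.
// Inheritance: file-level default < ALL_PROJECTS override < project override.

const ALL_PROJECTS = 0;
const REPORTER     = 25;
const MANAGER      = 70;
const NEW_         = 10;
const CLOSED       = 90;

// File-level defaults (what config_defaults_inc.php would provide).
$file_defaults = [
    'set_status_threshold' => [ NEW_ => REPORTER ],
];

// Constructed stand-in for config_table: $store[$option][$project_id] = value.
$store = [ 'set_status_threshold' => [] ];

// Resolve the value seen at a given project, walking up the inheritance chain.
function effective_value( array $store, array $file_defaults, string $option, int $project_id ) {
    if ( isset( $store[$option][$project_id] ) ) {
        return $store[$option][$project_id];
    }
    if ( $project_id !== ALL_PROJECTS && isset( $store[$option][ALL_PROJECTS] ) ) {
        return $store[$option][ALL_PROJECTS];
    }
    return $file_defaults[$option];
}

// A project's parent is ALL_PROJECTS; the parent of ALL_PROJECTS is the file default.
function parent_value( array $store, array $file_defaults, string $option, int $project_id ) {
    return $project_id === ALL_PROJECTS
        ? $file_defaults[$option]
        : effective_value( $store, $file_defaults, $option, ALL_PROJECTS );
}

// Store an override only when it differs from the parent; otherwise remove any
// existing override so the level keeps inheriting and no stray row is written.
function save_option( array &$store, array $file_defaults, string $option, int $project_id, $new_value ): string {
    if ( $new_value == parent_value( $store, $file_defaults, $option, $project_id ) ) {
        unset( $store[$option][$project_id] );
        return 'inherited (no row stored)';
    }
    $store[$option][$project_id] = $new_value;
    return 'override stored';
}

$option = 'set_status_threshold';

// Workflow 3: submit the page unchanged at ALL_PROJECTS; nothing should be written.
$unchanged = effective_value( $store, $file_defaults, $option, ALL_PROJECTS );
echo 'save unchanged:        ', save_option( $store, $file_defaults, $option, ALL_PROJECTS, $unchanged ), "\n";

// Workflow 2: raise CLOSED to MANAGER, then submit the page again without changes;
// the override must survive the second save.
$changed = $unchanged;
$changed[CLOSED] = MANAGER;
echo 'save closed => manager: ', save_option( $store, $file_defaults, $option, ALL_PROJECTS, $changed ), "\n";

$resubmit = effective_value( $store, $file_defaults, $option, ALL_PROJECTS );
echo 'save again unchanged:  ', save_option( $store, $file_defaults, $option, ALL_PROJECTS, $resubmit ), "\n";
echo 'closed now requires:   ', effective_value( $store, $file_defaults, $option, ALL_PROJECTS )[CLOSED], "\n";
```

The comparison uses PHP's loose array equality (same key/value pairs regardless of order), which is what makes the "delete override if identical to parent" rule stable across repeated saves: the first unchanged save writes nothing, the changed save stores the override, and the second unchanged save keeps it because it still differs from the file default.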
(0033329) dregad (developer) 2012-10-28 19:17

I revised and updated the github branch [1] with a few additional commits that should fix the issues raised by atrol in 0014496:0033192 as per my comments below.

Let me know if you notice any additional issues in testing.

[1] https://github.com/dregad/mantisbt/tree/manage-config-workflow
(0034441) dregad (developer) 2012-12-01 06:16

Ported the 1.2.12 changes to master branch
(0035371) dregad (developer) 2013-03-04 11:22

CVE-2012-5522 assigned on oss-security mailing list on 2012-11-14
(0036081) grangeway (developer) 2013-04-05 17:56

Marking as 'acknowledged' not resolved/closed to track that change gets ported to master-2.0.x branch

- Related Changesets
MantisBT: master-1.2.x d893ca3f
Timestamp: 2012-10-12 22:37:06
Author: dregad
Manage config workflow page does not reflect actual config

The code did not properly reflect the configuration state when building
the Access Levels form, if the minimum access level was defined using
update_bug_status_threshold and set_status_threshold was empty, showing
'viewer' for each status except 'new'.

Consequently, saving the page without changes would cause the config to
be saved with all access levels as 'viewer'.

Fixes 0014496
mod - manage_config_workflow_page.php
mod - manage_config_workflow_set.php
MantisBT: master a4144388
Timestamp: 2012-10-12 22:37:06
Author: dregad
Manage config workflow page does not reflect actual config

The code did not properly reflect the configuration state when building
the Access Levels form, if the minimum access level was defined using
update_bug_status_threshold and set_status_threshold was empty, showing
'viewer' for each status except 'new'.

Consequently, saving the page without changes would cause the config to
be saved with all access levels as 'viewer'.

Fixes 0014496
mod - manage_config_workflow_page.php
mod - manage_config_workflow_set.php
MantisBT: master-1.2.x d982fc99
Timestamp: 2012-10-28 22:47:15
Author: dregad
Workflow config: delete override if identical to parent

The code in manage_config_workflow_set.php now deletes the config
override for the current project if the new settings are identical to
the parent's (ALL_PROJECTS level if project, or file-level if all
projects).

Follow-up fix for issue 0014496
mod - manage_config_workflow_set.php
MantisBT: master c96ca214
Timestamp: 2012-10-28 22:47:15
Author: dregad
Workflow config: delete override if identical to parent

The code in manage_config_workflow_set.php now deletes the config
override for the current project if the new settings are identical to
the parent's (ALL_PROJECTS level if project, or file-level if all
projects).

Follow-up fix for issue 0014496
mod - manage_config_workflow_set.php
MantisBT: master-1.2.x 361089d2
Timestamp: 2012-10-28 23:00:51
Author: dregad
Define default $g_set_status_threshold for NEW to REPORTER

This prevents incorrect highlighting of NEW status as an override in the
Access Levels section of manage_config_workflow_page.php, when
$g_bug_submit_status is different from default.

Fixes 0014496 (see atrol's bugnote 0014496:0033192 and my follow up in 0014496:0033325)
mod - config_defaults_inc.php
MantisBT: master 7c46e287
Timestamp: 2012-10-28 23:00:51
Author: dregad
Define default $g_set_status_threshold for NEW to REPORTER

This prevents incorrect highlighting of NEW status as an override in the
Access Levels section of manage_config_workflow_page.php, when
$g_bug_submit_status is different from default.

Fixes 0014496 (see atrol's bugnote 0014496:0033192 and my follow up in 0014496:0033325)
mod - config_defaults_inc.php

- Issue History
Date Modified Username Field Change
2012-07-19 02:59 TomR New Issue
2012-10-12 17:31 dregad Note Added: 0033185
2012-10-12 17:31 dregad Status new => confirmed
2012-10-12 17:58 dregad Relationship added related to 0011894
2012-10-12 18:59 dregad Note Added: 0033186
2012-10-12 18:59 dregad Assigned To => dregad
2012-10-12 18:59 dregad Status confirmed => assigned
2012-10-14 10:41 atrol Note Added: 0033192
2012-10-15 04:30 dregad Note Added: 0033195
2012-10-19 04:03 dregad Relationship added related to 0007325
2012-10-28 06:06 Goaul Note Added: 0033321
2012-10-28 06:13 dregad Note Added: 0033324
2012-10-28 13:59 dregad Note Added: 0033325
2012-10-28 13:59 dregad Note Edited: 0033325 View Revisions
2012-10-28 19:17 dregad Note Added: 0033329
2012-10-28 19:17 dregad Status assigned => feedback
2012-11-10 19:13 dregad Changeset attached => MantisBT master-1.2.x d893ca3f
2012-11-10 19:13 dregad Changeset attached => MantisBT master-1.2.x d982fc99
2012-11-10 19:13 dregad Changeset attached => MantisBT master-1.2.x 361089d2
2012-11-10 19:13 dregad Status feedback => resolved
2012-11-10 19:13 dregad Resolution open => fixed
2012-11-10 19:13 dregad Fixed in Version => 1.2.13
2012-11-10 19:15 dregad Fixed in Version 1.2.13 => 1.2.12
2012-11-10 19:15 dregad Target Version => 1.2.12
2012-12-01 06:12 dregad Changeset attached => MantisBT master a4144388
2012-12-01 06:12 dregad Changeset attached => MantisBT master c96ca214
2012-12-01 06:12 dregad Changeset attached => MantisBT master 7c46e287
2012-12-01 06:16 dregad Note Added: 0034441
2012-12-23 07:43 atrol Status resolved => closed
2013-03-04 11:20 dregad Summary Workflow Transitions: Minimal Access Level to Change to this status has no correct 'default' => CVE-2012-5522 Workflow Transitions: Minimal Access Level to Change to this status has no correct 'default'
2013-03-04 11:22 dregad Note Added: 0035371
2013-04-05 17:56 grangeway Status closed => acknowledged
2013-04-05 17:56 grangeway Note Added: 0036081
2013-04-05 19:43 grangeway Relationship added related to 0015721
2013-04-06 03:40 dregad Status acknowledged => closed
2013-04-06 07:23 grangeway Status closed => acknowledged
2013-04-06 09:22 dregad Tag Attached: 2.0.x check
2013-04-06 09:23 dregad Status acknowledged => closed
2013-12-30 07:27 atrol Relationship added related to 0016771


MantisBT 1.2.17
Copyright © 2000 - 2014 MantisBT Team