View Issue Details

ID: 0014496
Project: mantisbt
Category: security
View Status: public
Last Update: 2014-12-22 08:23
Reporter: TomR
Assigned To: dregad
Priority: normal
Severity: minor
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 1.2.8
Target Version: 1.2.12
Fixed in Version: 1.2.12
Summary: 0014496: CVE-2012-5522 Workflow Transitions: Minimal Access Level to Change to this status has no correct 'default'
Description

Related to 0011894

If you have in your config_inc.php

$g_update_bug_status_threshold = DEVELOPER;
$g_set_status_threshold = array();

you would expect that the defaults in Manage Configuration - Workflow Thresholds would be 'developer' for every status. Instead it shows 'viewer' for every state (except 'new').
So when you change the Workflow and 'Save' it, it also 'Saves' the Access levels (which have the wrong default).

In my opinion the default for each status should be taken from $g_set_status_threshold, but if not set, it should 'fall back' to $g_update_bug_status_threshold and not to 'viewer'.

Tags: No tags attached.

Relationships

related to 0011894 (closed, dregad): Update issue status in workflow thresholds not working
related to 0015721 (closed, grangeway): Functionality to consider porting to master-2.0.x
related to 0007325 (feedback): project dependent "Allow Reporter to close Issue" has no effect, or?
related to 0016771 (closed, dregad): workflow configuration

Activities

dregad (developer), 2012-10-12 17:31, note ~0033185

Confirmed.

dregad (developer), 2012-10-12 18:59, note ~0033186

Work-in-progress fix https://github.com/dregad/mantisbt/tree/manage-config-workflow

Testing & feedback welcome

atrol (developer), 2012-10-14 10:41, note ~0033192

The display of the access levels at "Minimum Access Level to Change to this Status" is fine now, but I found some other issues

Test environment:
Clone of https://github.com/dregad/mantisbt, branch manage-config-workflow
Fresh installation without any workflow / status changes in config_inc.php
Created two projects, started every workflow with clean settings (no entries in "Configuration Report")

Workflow 1:
Project selected: All Projects
Change "Thresholds that Affect Workflow" > "Status to which a new issue is set" from "new" to "acknowledged"
Click "Upgrade Configuration"
The setting is changed as expected and shown with the right color
Bug: The color for rows "new" and "acknowledged" in section "Minimum Access Level to Change to this Status" is also changed.

Workflow 2:
Project selected: All Projects
Change "Minimum Access Level to Change to this Status", row "closed" from "developer" to "manager"
Click "Upgrade Configuration"
The setting is changed as expected and shown with the right color
Click "Upgrade Configuration" without changing anything
Bug: The changed setting is lost

Workflow 3:
Project selected: All Projects
Click "Upgrade Configuration" without changing anything
Bug: You get an entry for "status_enum_workflow" in config_table

I stopped testing more workflows.

Minor code issue:
One PHPDoc tag in function set_colour_override is wrong
Should be @return instead of @returns

dregad (developer), 2012-10-15 04:30, note ~0033195

Thanks for testing, I'll look into the issues you found

Goaul (reporter), 2012-10-28 06:06, note ~0033321

any new code to test? :)

dregad (developer), 2012-10-28 06:13, note ~0033324

Not yet no, been busy

dregad (developer), 2012-10-28 13:59, note ~0033325

Last edited: 2012-10-28 13:59

Workflow 1:
Bug: The color for rows "new" and "acknowledged" in section "Minimum Access Level to Change to this Status" is also changed.

The problem is that depending on the value of $g_bug_submit_status ('NEW' by default, but in your test case, set to 'ACKNOWLEDGED'), the access level for the corresponding status is controlled (overridden in fact) by $g_report_bug_threshold instead of $g_set_status_threshold.

Since in a single update operation, the code is both changing $g_bug_submit_status and $g_set_status_threshold, I think what we're seeing is the expected behavior, even though it's a bit confusing.

This is because as part of the update process, $g_report_bug_threshold is actually set to match the access level for $g_bug_submit_status; since this happens after setting $g_bug_submit_status, you're effectively preventing REPORTERS from reporting new (i.e. acknowledged) issues, unless you change the access level for status 'ACKNOWLEDGED' to 'REPORTER' before updating. This can easily be confirmed by checking the Manage Workflow Threshold page after the update.

So there is a logical explanation for the 'ACKNOWLEDGED' color change.

For 'NEW', you have to keep in mind that with default configuration, $g_set_status_threshold is defined in config_defaults_inc.php as an empty array, so there is no 'file' value, while at 'global' (all projects) level it's set to 'REPORTER'.

I believe that one possible way to fix this could be to define in config_defaults_inc.php:

$g_set_status_threshold = array( NEW => REPORTER );

Let me know what you think.

Workflow 2:
Bug: The changed setting is lost

Confirmed; this is due to an initial attempt at fixing case 3 below, which was not completely tested.

Workflow 3:
Click "Upgrade Configuration" without changing anything
Bug: You get an entry for "status_enum_workflow" in config_table

Yep, I had already identified that one, and marked it as a todo in the code. Need to implement a comparison to remove (or avoid setting) the config when matching the default.

One PHPDoc tag in function set_colour_override is wrong
Should be @return instead of @returns

Good catch, thanks. Fixed.

dregad (developer), 2012-10-28 19:17, note ~0033329

I revised and updated the github branch [1] with a few additional commits that should fix the issues raised by atrol in 0014496:0033192 as per my comments below.

Let me know if you notice any additional issues in testing.

[1] https://github.com/dregad/mantisbt/tree/manage-config-workflow

dregad (developer), 2012-12-01 06:16, note ~0034441

Ported the 1.2.12 changes to master branch

dregad (developer), 2013-03-04 11:22, note ~0035371

CVE-2012-5522 assigned on oss-security mailing list on 2012-11-14

grangeway (reporter), 2013-04-05 17:56, note ~0036081

Marking as 'acknowledged' not resolved/closed to track that change gets ported to master-2.0.x branch

Related Changesets

MantisBT: master-1.2.x d893ca3f (dregad, 2012-10-12 22:37:06)

Manage config workflow page does not reflect actual config

The code did not properly reflect the configuration state when building
the Access Levels form, if the minimum access level was defined using
update_bug_status_threshold and set_status_threshold was empty, showing
'viewer' for each status except 'new'.

Consequently, saving the page without changes would cause the config to
be saved with all access levels as 'viewer'.

Fixes 0014496
mod - manage_config_workflow_page.php
mod - manage_config_workflow_set.php

MantisBT: master a4144388 (dregad, 2012-10-12 22:37:06)

Manage config workflow page does not reflect actual config

The code did not properly reflect the configuration state when building
the Access Levels form, if the minimum access level was defined using
update_bug_status_threshold and set_status_threshold was empty, showing
'viewer' for each status except 'new'.

Consequently, saving the page without changes would cause the config to
be saved with all access levels as 'viewer'.

Fixes 0014496
mod - manage_config_workflow_page.php
mod - manage_config_workflow_set.php

MantisBT: master-1.2.x d982fc99 (dregad, 2012-10-28 22:47:15)

Workflow config: delete override if identical to parent

The code in manage_config_workflow_set.php now deletes the config
override for the current project if the new settings are identical to
the parent's (ALL_PROJECTS level if project, or file-level if all
projects).

Follow-up fix for issue 0014496
mod - manage_config_workflow_set.php

MantisBT: master c96ca214 (dregad, 2012-10-28 22:47:15)

Workflow config: delete override if identical to parent

The code in manage_config_workflow_set.php now deletes the config
override for the current project if the new settings are identical to
the parent's (ALL_PROJECTS level if project, or file-level if all
projects).

Follow-up fix for issue 0014496
mod - manage_config_workflow_set.php

MantisBT: master-1.2.x 361089d2 (dregad, 2012-10-28 23:00:51)

Define default $g_set_status_threshold for NEW to REPORTER

This prevents incorrect highlighting of NEW status as an override in the
Access Levels section of manage_config_workflow_page.php, when
$g_bug_submit_status is different from default.

Fixes 0014496 (see atrol's bugnote 0014496:0033192 and my follow up in 0014496:0033325)
mod - config_defaults_inc.php

MantisBT: master 7c46e287 (dregad, 2012-10-28 23:00:51)

Define default $g_set_status_threshold for NEW to REPORTER

This prevents incorrect highlighting of NEW status as an override in the
Access Levels section of manage_config_workflow_page.php, when
$g_bug_submit_status is different from default.

Fixes 0014496 (see atrol's bugnote 0014496:0033192 and my follow up in 0014496:0033325)
mod - config_defaults_inc.php
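The threshold fallback the reporter expects and the "delete override if identical to parent" comparison from the follow-up changesets, modelled together as an added example (not MantisBT's own code); the constant values are assumed to match MantisBT's constant_inc.php and the config arrays are constructed for the demonstration:

```php
<?php
// Added example modelling the logic discussed in this issue; not MantisBT code.
// Access-level and status values are assumed to match MantisBT's constant_inc.php.
const VIEWER = 10, REPORTER = 25, DEVELOPER = 55, MANAGER = 70;
const NEW_ = 10, ACKNOWLEDGED = 30, ASSIGNED = 50, RESOLVED = 80, CLOSED = 90;

// Minimum access level to move an issue to $status, as the reporter expects:
// an explicit set_status_threshold entry wins, the submit status is governed
// by report_bug_threshold (dregad's note), everything else falls back to
// update_bug_status_threshold rather than to VIEWER.
function effective_threshold(array $cfg, int $status): int {
    if (isset($cfg['set_status_threshold'][$status])) {
        return $cfg['set_status_threshold'][$status];
    }
    if ($status === $cfg['bug_submit_status']) {
        return $cfg['report_bug_threshold'];
    }
    return $cfg['update_bug_status_threshold'];
}

// What to persist after the form is submitted: the override only if some
// status differs from what the parent level (ALL_PROJECTS or file config)
// already yields, mirroring the "delete override if identical to parent"
// follow-up fix. Null means any stored override should be removed.
function override_to_store(array $parent_cfg, array $submitted): ?array {
    foreach ($submitted as $status => $level) {
        if ($level !== effective_threshold($parent_cfg, $status)) {
            return $submitted;   // at least one real change: keep the override
        }
    }
    return null;                 // identical to parent: nothing to store
}

// Constructed file-level config matching the report.
$file_cfg = [
    'update_bug_status_threshold' => DEVELOPER,
    'set_status_threshold'        => [],
    'bug_submit_status'           => NEW_,
    'report_bug_threshold'        => REPORTER,
];
$shown = [];
foreach ([NEW_, ACKNOWLEDGED, ASSIGNED, RESOLVED, CLOSED] as $s) {
    $shown[$s] = effective_threshold($file_cfg, $s);
    printf("status %d -> minimum access level %d\n", $s, $shown[$s]);
}
// Saving the form unchanged ("Workflow 3") must not create an override row.
var_dump(override_to_store($file_cfg, $shown));
// Raising CLOSED to MANAGER ("Workflow 2") is a real change and is kept.
$shown[CLOSED] = MANAGER;
var_dump(override_to_store($file_cfg, $shown) !== null);
```

The same comparison applied at project level, with the ALL_PROJECTS values as the parent config, is what stops an unchanged save from leaving a spurious row in config_table.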

Issue History

Date Modified Username Field Change
2012-07-19 02:59 TomR New Issue
2012-10-12 17:31 dregad Note Added: 0033185
2012-10-12 17:31 dregad Status new => confirmed
2012-10-12 17:58 dregad Relationship added related to 0011894
2012-10-12 18:59 dregad Note Added: 0033186
2012-10-12 18:59 dregad Assigned To => dregad
2012-10-12 18:59 dregad Status confirmed => assigned
2012-10-14 10:41 atrol Note Added: 0033192
2012-10-15 04:30 dregad Note Added: 0033195
2012-10-19 04:03 dregad Relationship added related to 0007325
2012-10-28 06:06 Goaul Note Added: 0033321
2012-10-28 06:13 dregad Note Added: 0033324
2012-10-28 13:59 dregad Note Added: 0033325
2012-10-28 13:59 dregad Note Edited: 0033325 View Revisions
2012-10-28 19:17 dregad Note Added: 0033329
2012-10-28 19:17 dregad Status assigned => feedback
2012-11-10 19:13 dregad Changeset attached => MantisBT master-1.2.x d893ca3f
2012-11-10 19:13 dregad Changeset attached => MantisBT master-1.2.x d982fc99
2012-11-10 19:13 dregad Changeset attached => MantisBT master-1.2.x 361089d2
2012-11-10 19:13 dregad Status feedback => resolved
2012-11-10 19:13 dregad Resolution open => fixed
2012-11-10 19:13 dregad Fixed in Version => 1.2.13
2012-11-10 19:15 dregad Fixed in Version 1.2.13 => 1.2.12
2012-11-10 19:15 dregad Target Version => 1.2.12
2012-12-01 06:12 dregad Changeset attached => MantisBT master a4144388
2012-12-01 06:12 dregad Changeset attached => MantisBT master c96ca214
2012-12-01 06:12 dregad Changeset attached => MantisBT master 7c46e287
2012-12-01 06:16 dregad Note Added: 0034441
2012-12-23 07:43 atrol Status resolved => closed
2013-03-04 11:20 dregad Summary Workflow Transitions: Minimal Access Level to Change to this status has no correct 'default' => CVE-2012-5522 Workflow Transitions: Minimal Access Level to Change to this status has no correct 'default'
2013-03-04 11:22 dregad Note Added: 0035371
2013-04-05 17:56 grangeway Status closed => acknowledged
2013-04-05 17:56 grangeway Note Added: 0036081
2013-04-05 19:43 grangeway Relationship added related to 0015721
2013-04-06 03:40 dregad Status acknowledged => closed
2013-04-06 07:23 grangeway Status closed => acknowledged
2013-04-06 09:22 dregad Tag Attached: 2.0.x check
2013-04-06 09:23 dregad Status acknowledged => closed
2013-12-30 07:27 atrol Relationship added related to 0016771
2014-09-23 18:05 grangeway Tag Detached: 2.0.x check