View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0021194 | mantisbt | administration | public | 2016-07-04 10:15 | 2016-07-09 19:28 |
Reporter | atrol | Assigned To | dregad | ||
Priority | normal | Severity | major | Reproducibility | always |
Status | closed | Resolution | fixed | ||
Target Version | 1.3.0 | Fixed in Version | 1.3.0 | ||
Summary | 0021194: Partially hardcoded path for CSS-file | ||||
Description | Since commit 2dc8409eb9d53fcbee2a9b1051e95c06724897c8 it is no longer possible to store a customized css-file in any folder you want. There is a hardcoded string "css" in function html_css_link which prevents you from setting $g_css_include_file to something like "config/my.css" Users will get errors after upgrading from 1.2 if they have set $g_css_include_file in their config_inc.php. Of course, they will also get other problems (strange UI) when using a tweaked 1.2 CSS in 1.3, but that's another story. | ||||
Tags | No tags attached. | ||||
@dregad, @vboctor |
|
Changing severity to "major" to get it on list of potential blocking issues (filter "Blocking v.1.3 issues") |
|
... which is probably not something you should do anyway, since the config/ directory contains files with sensitive information (db user & password, etc), and for this reason is protected with an .htaccess file by default. Anyway, see PR https://github.com/mantisbt/mantisbt/pull/813 for the proposed fix. |
|
At the moment I don't understand the difference between my.css and custom_constants_inc.php related to protection by .htaccess |
|
custom_constants_inc.php is included server-side (via core.php). css files must be accessible client-side by the user's browser. Protecting the config/ directory with .htaccess is belt and braces since PHP files are theoretically always interpreted by the web server if configured properly (and therefore not downloadable "raw"), but I guess it's better to be safe than sorry. |
|
MantisBT: master-1.3.x 1643e474 2016-07-07 08:03 Committer: vboctor Details Diff |
Only prepend 'css/' when given a filename without path Commit 1819bbdf8c2d629798fa48537f9bb167e8d33005 introduced new html_css_link() function to include CSS files, but made the assumption that these would always be in the css/ directory. This lets the admin specify $g_css_include_file with a path, allowing them to store custom CSS in a different location within the MantisBT root. Fixes 0021194 |
Affected Issues 0021194 |
|
mod - core/html_api.php | Diff File | ||
MantisBT: master 9becc32d 2016-07-07 08:03 Committer: vboctor Details Diff |
Only prepend 'css/' when given a filename without path Commit 1819bbdf8c2d629798fa48537f9bb167e8d33005 introduced new html_css_link() function to include CSS files, but made the assumption that these would always be in the css/ directory. This lets the admin specify $g_css_include_file with a path, allowing them to store custom CSS in a different location within the MantisBT root. Fixes 0021194 |
Affected Issues 0021194 |
|
mod - core/html_api.php | Diff File |