View Issue Details

ID: 0021194
Project: mantisbt
Category: administration
View Status: public
Last Update: 2016-07-09 19:28
Reporter: atrol
Assigned To: dregad
Priority: normal
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Target Version: 1.3.0
Fixed in Version: 1.3.0
Summary: 0021194: Partially hardcoded path for CSS-file
Description

Since commit 2dc8409eb9d53fcbee2a9b1051e95c06724897c8 it is no longer possible to store a customized css-file in any folder you want.

There is a hardcoded string "css" in function html_css_link which prevents you from setting $g_css_include_file to something like "config/my.css"

Users will get errors after upgrading from 1.2 if they have set $g_css_include_file in their config_inc.php.

Of course, they will also get other problems (strange UI) when using a tweaked 1.2 CSS in 1.3, but that's another story.

Tags: No tags attached.

Activities

atrol

2016-07-04 10:16

developer   ~0053502

@dregad, @vboctor
Not sure, this might be a blocking issue for 1.3.0.

atrol

2016-07-05 02:55

developer   ~0053512

Changing severity to "major" to get it on list of potential blocking issues (filter "Blocking v.1.3 issues")

dregad

2016-07-08 09:05

developer   ~0053537

> prevents you from setting $g_css_include_file to something like "config/my.css"

... which is probably not something you should do anyway, since the config/ directory contains files with sensitive information (db user & password, etc), and for this reason is protected with an .htaccess file by default.

Anyway, see PR https://github.com/mantisbt/mantisbt/pull/813 for the proposed fix.

atrol

2016-07-08 09:32

developer   ~0053540

> which is probably not something you should do anyway
We introduced the config folder some while ago in 1.3.
I thought one of the reasons for it was to have no configuration files or customizations like custom_constants_inc.php in root folder.
So the default setting for $g_config_path is the config folder.

At the moment I don't understand the difference between my.css and custom_constants_inc.php related to protection by .htaccess
Could you please explain?

dregad

2016-07-08 10:30

developer   ~0053541

> difference between my.css and custom_constants_inc.php related to protection by .htaccess

custom_constants_inc.php is included server-side (via core.php).

css files must be accessible client-side by the user's browser.

Protecting the config/ directory with .htaccess is belt and braces since PHP files are theoretically always interpreted by the web server if configured properly (and therefore not downloadable "raw"), but I guess it's better to be safe than sorry.

Related Changesets

MantisBT: master-1.3.x 1643e474

2016-07-07 08:03

dregad

Committer: vboctor


Only prepend 'css/' when given a filename without path

Commit 1819bbdf8c2d629798fa48537f9bb167e8d33005 introduced new
html_css_link() function to include CSS files, but made the assumption
that these would always be in the css/ directory.

This lets the admin specify $g_css_include_file with a path, allowing
them to store custom CSS in a different location within the MantisBT
root.

Fixes 0021194
Affected Issues
0021194
mod - core/html_api.php

MantisBT: master 9becc32d

2016-07-07 08:03

dregad

Committer: vboctor


Only prepend 'css/' when given a filename without path

Commit 1819bbdf8c2d629798fa48537f9bb167e8d33005 introduced new
html_css_link() function to include CSS files, but made the assumption
that these would always be in the css/ directory.

This lets the admin specify $g_css_include_file with a path, allowing
them to store custom CSS in a different location within the MantisBT
root.

Fixes 0021194
Affected Issues
0021194
mod - core/html_api.php
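
The rule stated in the commit message (prepend 'css/' only for a bare filename), combined with the point raised in the discussion that config/ is blocked by .htaccess, sketched as an added example. This is not MantisBT's code; the function names, the extra checks and the protected-directory list are assumptions for illustration.

```php
<?php
// Added example, not MantisBT code. Function names and the list of
// protected directories are assumptions made for illustration.

/** Prepend 'css/' only when the value is a bare filename (no path). */
function example_css_href( string $p_file ): string {
	$t_file = str_replace( '\\', '/', trim( $p_file ) );
	return ( basename( $t_file ) === $t_file ) ? 'css/' . $t_file : $t_file;
}

/** Return the reasons a configured CSS path should be rejected or reviewed. */
function example_css_path_problems( string $p_file, array $p_protected = array( 'config' ) ): array {
	$t_href = example_css_href( $p_file );
	if( $t_href[0] === '/' || strpos( $t_href, '://' ) !== false ) {
		return array( 'not a path relative to the application root' );
	}
	// Normalise '.' and '..' so 'css/../config/x.css' is seen as 'config/x.css'.
	$t_parts = array();
	foreach( explode( '/', $t_href ) as $t_part ) {
		if( $t_part === '' || $t_part === '.' ) {
			continue;
		}
		if( $t_part === '..' ) {
			if( count( $t_parts ) === 0 ) {
				return array( 'path climbs above the application root' );
			}
			array_pop( $t_parts );
			continue;
		}
		$t_parts[] = $t_part;
	}
	$t_problems = array();
	if( count( $t_parts ) > 0 && in_array( strtolower( $t_parts[0] ), $p_protected, true ) ) {
		$t_problems[] = "'" . $t_parts[0] . "/' is denied to browsers; opening it up would expose the other files there";
	}
	if( strtolower( pathinfo( $t_href, PATHINFO_EXTENSION ) ) !== 'css' ) {
		$t_problems[] = 'file does not have a .css extension';
	}
	return $t_problems;
}

// Constructed sample values for the CSS setting.
foreach( array( 'my.css', 'custom/my.css', 'config/my.css', 'css/../config/my.css', '../my.css' ) as $t_value ) {
	$t_problems = example_css_path_problems( $t_value );
	echo str_pad( $t_value, 22 ), ' -> ', example_css_href( $t_value ), ' : ',
		( $t_problems ? implode( '; ', $t_problems ) : 'ok' ), "\n";
}
```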