Changesets: MantisBT

master 11ab3d6c

2016-05-27 05:39:58

dregad

Details Diff
Fix XSS in custom fields management

Kacper Szurek (http://security.szurek.pl/) discovered an XSS
vulnerability in Custom fields management pages, caused by unescaped
output of 'return URL' GPC parameter. His report describes two ways to
exploit this issue:

1. using 'accesskey' inside hidden input field (see [1]) reflects XSS to
the administrator in manage_custom_field_edit_page.php when the
keyboard shortcut is actioned
2. using 'javascript:' URI scheme executes the code when the user clicks
the [Proceed] link on manage_custom_field_update.php after updating
a custom field

This commit fixes both attack vectors:

- properly escape the return URL prior to printing it on the hidden form
field
- let html_operation_successful() sanitize the URL before displaying
it, just like html_meta_redirect() does. In this case, if the
string contains a URI scheme, it will be replaced by 'index.php'

[1] http://blog.portswigger.net/2015/11/xss-in-hidden-input-fields.html

Fixes 0020956
Affected Issues
0020956, 0021090
mod - core/html_api.php Diff File
mod - manage_custom_field_edit_page.php Diff File

master ef2628e1

2016-05-24 06:27:45

dregad

Details Diff
Let Timeline handle non-existing bugs

If a history entry refers to a bug that does not exist in the database,
history_get_event_from_row() throws application error 1100.

Even though it is not a normal situation to find orphan records in the
history table, the overhead of verifying a bug's existence at the
beginning of the loop is negligible, so it doesn't hurt to add the extra
bug_exists() check.

Fixes 0020727
Affected Issues
0020727
mod - core/history_api.php Diff File

master 4d46f8e3

2016-05-24 06:27:10

dregad

Details Diff
PHPDoc: fix incorrect param type
mod - core/history_api.php Diff File

master 7795b302

2016-05-23 16:04:11

dregad

Details Diff
Upgrade jQuery from v1.11.3 to v1.12.4

Fixes 0021059
Affected Issues
0021059
mod - core/constant_inc.php Diff File
rm - js/jquery-1.11.3.min.js Diff File
add - js/jquery-1.12.4.min.js Diff File

master e753cca6

2016-05-23 15:54:11

dregad

Details Diff
Use JQUERY_VERSION constant in install.php

Commit fc9a3320815f8341236cb7bf0c41855227a3c8c3 missed one occurrence of
the jQuery version number.

Issue 0019932
Affected Issues
0019932, 0021059
mod - admin/install.php Diff File

master f3ab14c5

2016-05-23 05:54:07

dregad

Details Diff
Use correct function name db_param_push()

Commit fbc379faaf27e6b853c8b08ac380834836b81032 referenced the wrong
name db_push_param().

Issue 0020479
Affected Issues
0020479
mod - core/user_api.php Diff File

master fa4f7950

2016-05-23 03:57:04

siebrand

Details Diff
Localisation updates from https://translatewiki.net.
mod - lang/strings_arabic.txt Diff File
mod - lang/strings_asturian.txt Diff File
mod - lang/strings_belarusian_tarask.txt Diff File
mod - lang/strings_chinese_simplified.txt Diff File
mod - lang/strings_dutch.txt Diff File
mod - lang/strings_french.txt Diff File
mod - lang/strings_galician.txt Diff File
mod - lang/strings_german.txt Diff File
mod - lang/strings_hebrew.txt Diff File
mod - lang/strings_hungarian.txt Diff File
mod - lang/strings_italian.txt Diff File
mod - lang/strings_korean.txt Diff File
mod - lang/strings_lithuanian.txt Diff File
mod - lang/strings_macedonian.txt Diff File
mod - lang/strings_ripoarisch.txt Diff File
mod - lang/strings_russian.txt Diff File
mod - lang/strings_serbian.txt Diff File
mod - lang/strings_serbian_latin.txt Diff File
mod - lang/strings_spanish.txt Diff File
mod - lang/strings_swedish.txt Diff File
mod - lang/strings_ukrainian.txt Diff File
mod - plugins/MantisCoreFormatting/lang/strings_arabic.txt Diff File
mod - plugins/MantisGraph/lang/strings_korean.txt Diff File
mod - plugins/MantisGraph/lang/strings_spanish.txt Diff File
mod - plugins/XmlImportExport/lang/strings_arabic.txt Diff File

master bf7f07ff

2016-05-22 03:52:58

Peter Dave Hello

Committer: dregad Details Diff
optimize png images losslessly using zopflipng
mod - docbook/Admin_Guide/en-US/images/mantis_logo.png Diff File
mod - docbook/Developers_Guide/en-US/images/erd.png Diff File
mod - docbook/Developers_Guide/en-US/images/mantis_logo.png Diff File
mod - images/mantis_logo.png Diff File
mod - images/mantis_logo_notext.png Diff File
mod - images/rel_dependant.png Diff File
mod - images/rel_duplicate.png Diff File
mod - images/rel_related.png Diff File

master b6f81949

2016-05-21 04:19:28

dregad

Details Diff
Consistently push query params in all APIs

Fixes 0020479, https://github.com/mantisbt/mantisbt/pull/705
Affected Issues
0020479
mod - core/access_api.php Diff File
mod - core/api_token_api.php Diff File
mod - core/authentication_api.php Diff File
mod - core/billing_api.php Diff File
mod - core/bug_api.php Diff File
mod - core/bug_revision_api.php Diff File
mod - core/bugnote_api.php Diff File
mod - core/category_api.php Diff File
mod - core/cfdefs/cfdef_standard.php Diff File
mod - core/config_api.php Diff File
mod - core/custom_field_api.php Diff File
mod - core/database_api.php Diff File
mod - core/email_api.php Diff File
mod - core/email_queue_api.php Diff File
mod - core/file_api.php Diff File
mod - core/filter_api.php Diff File
mod - core/history_api.php Diff File
mod - core/install_helper_functions_api.php Diff File
mod - core/news_api.php Diff File
mod - core/plugin_api.php Diff File
mod - core/print_api.php Diff File
mod - core/profile_api.php Diff File
mod - core/project_api.php Diff File
mod - core/project_hierarchy_api.php Diff File
mod - core/relationship_api.php Diff File
mod - core/sponsorship_api.php Diff File
mod - core/summary_api.php Diff File
mod - core/tag_api.php Diff File
mod - core/tokens_api.php Diff File
mod - core/user_api.php Diff File
mod - core/user_pref_api.php Diff File
mod - core/version_api.php Diff File

master c8da8877

2016-05-21 04:12:10

dregad

Details Diff
Update securimage captcha library to 3.6.4

Fixes 0021057
Affected Issues
0021057
mod - library/README.md Diff File
mod - library/securimage Diff File

master b5244009

2016-05-21 04:11:12

dregad

Details Diff
Update PHPMailer library to 5.2.15

Fixes 0021056
Affected Issues
0021056
mod - library/README.md Diff File
mod - library/phpmailer Diff File

master 58ca803c

2016-05-21 04:09:51

dregad

Details Diff
Update ADOdb library to 5.20.4

Fixes 0021055
Affected Issues
0021055
mod - library/README.md Diff File
mod - library/adodb Diff File

master e6993795

2016-05-19 09:00:27

atrol

Details Diff
Enhance access level display

Prior to this, the access level display in bugnotes was (@0@) if the
user who added the note did not have access to the project. This
situation can happen when an issue is moved to a private project, or
when a user's rights to a private project are revoked.
This is similar to the fix for 0011923, but
- also affects email notifications
- displays "no access" for existing users instead of displaying nothing

Fixes 0020897
Affected Issues
0020897
mod - bugnote_view_inc.php Diff File
mod - core/access_api.php Diff File
mod - core/email_api.php Diff File
mod - lang/strings_english.txt Diff File

master df2f9089

2016-05-18 23:43:18

vboctor

Details Diff
Fix formatting of clone button in adm_config_report
mod - adm_config_report.php Diff File

master 31f96d41

2016-05-18 23:35:58

vboctor

Details Diff
Fix issue notes in print issue page
mod - print_bug_page.php Diff File

master 053a274b

2016-05-18 22:39:07

vboctor

Details Diff
Fix broken text in Polish translation
mod - lang/strings_polish.txt Diff File

master 73f2cf8c

2016-05-16 13:29:08

cproensa

Committer: dregad Details Diff
Add account menu in api tokens page

Add the account menu to the API tokens manage page (this page is one
of the items in that menu). Now the layout is consistent with the
other account manage pages.

The API tokens page was originally implemented in issue 0017766.

Fixes 0020943
Affected Issues
0017766, 0020943
mod - api_tokens_page.php Diff File

master f7b11528

2016-05-16 13:19:42

cproensa

Committer: dregad Details Diff
Remove old code from account_page

After the new functionality of verify.php page was implemented (see
issue 0020686), account_page is no longer included, and some old code can
be removed.
Affected Issues
0020686
mod - account_page.php Diff File

master-1.2.x b8d5d85c

2016-05-16 08:09:53

atrol

Details Diff
Correct variable name in admin guide

Fixes 0020915
Affected Issues
0020915
mod - docbook/administration_guide/en/configuration.sgml Diff File

master 15885b10

2016-05-15 16:01:14

Kirill

Details Diff
Replace fa-angle-down and fa-angle-up with fa-chevron-down and fa-chevron-
mod - config_defaults_inc.php Diff File

master 67ee7b65

2016-05-15 12:26:36

dregad

Details Diff
Add missing 'email_due_date' language string

Commit 0fd3ba13f2557c18c961139a795eda9d85810686 referenced a new string
but did not define it.

Fixes 0020806
Affected Issues
0020806
mod - lang/strings_english.txt Diff File

master e0f91162

2016-05-15 11:45:48

dregad

Details Diff
Doc: swap xmlns:xi and href attributes

This improves readability of the document by aligning include names.
mod - docbook/Admin_Guide/en-US/Configuration.xml Diff File

master 55a34cef

2016-05-15 11:42:54

dregad

Details Diff
Doc: add Configuration intro section and reword

Issue 0020880
Affected Issues
0020880
mod - docbook/Admin_Guide/en-US/Configuration.xml Diff File

master a11f41ad

2016-05-15 09:57:11

dregad

Details Diff
Travis: restore all build scenarios

Forgot to remove the comments I put in place to test the fixes for
issue 0020910 prior to pushing.
Affected Issues
0020910
mod - .travis.yml Diff File

master 837d9a60

2016-05-15 09:20:48

dregad

Details Diff
Travis: use Ruby instead of PHP when building Docbook

PHP is not preinstalled on Travis test containers, so using it as the
base language forces its installation even though we do not use it.

This commit sets the language to Ruby for Docbook builds, making them
15-30 seconds faster.

Before: 1'34" - https://travis-ci.org/dregad/mantisbt/jobs/130374467
After: 1'14" - https://travis-ci.org/dregad/mantisbt/jobs/130377992

Fixes 0020910
Affected Issues
0020910
mod - .travis.yml Diff File