Changesets: MantisBT
master-1.2.x 0bff06ec 2014-10-30 14:04 Paul Richards Committer: dregad
Fix 0017583: XSS in projax_api.php
Offensive Security reported this issue via their bug bounty program [1]. The Projax library does not properly escape html strings. An attacker could take advantage of this to perform an XSS attack using the profile/Platform field.
[1] http://www.offensive-security.com/bug-bounty-program/
Signed-off-by: Damien Regad <dregad@mantisbt.org>
Affected Issues: 0017583
mod - core/projax_api.php
master ee419986 2014-10-30 08:01
Added badge for Travis build health to readme file
mod - readme.md
master 5faf97ab 2014-10-30 06:31
SQL injection in mc_project_get_attachments()
This is a follow-up on CVE-2014-1609 / issue 0016880. Edwin Gozeling and Wim Visser from ITsec Security Services BV (http://www.itsec.nl) discovered that the fix in 0016880 did not fully address the problem. Their research demonstrates that using a specially crafted project id parameter, an attacker could still perform an SQL injection. The same issue was also reported by Paul Richards in issue 0017823. This patch fixes the problem by typecasting the Project ID parameter to Integer.
Fixes 0017812, CVE-2014-8554
Affected Issues: 0016880, 0017812, 0017823
mod - api/soap/mc_project_api.php
master-1.2.x 99ffb0af 2014-10-30 06:31
SQL injection in mc_project_get_attachments()
This is a follow-up on CVE-2014-1609 / issue 0016880. Edwin Gozeling and Wim Visser from ITsec Security Services BV (http://www.itsec.nl) discovered that the fix in 0016880 did not fully address the problem. Their research demonstrates that using a specially crafted project id parameter, an attacker could still perform an SQL injection. The same issue was also reported by Paul Richards in issue 0017823. This patch fixes the problem by typecasting the Project ID parameter to Integer.
Fixes 0017812, CVE-2014-8554
Affected Issues: 0016880, 0017812, 0017823
mod - api/soap/mc_project_api.php
master 747249b8 2014-10-29 19:27
Merge pull request 0000515 from vboctor/Issue17658
Fix "Workflow Transitions" override marking
mod - manage_config_work_threshold_page.php
mod - manage_config_workflow_page.php
mod - manage_config_workflow_set.php
master 423a7752 2014-10-28 07:04
Merge branch 'Issue16993_SoapHandlerCheck'
mod - api/soap/mc_issue_api.php
master 82120dbc 2014-10-27 09:56
Localisation updates from https://translatewiki.net.
mod - lang/strings_breton.txt
mod - lang/strings_czech.txt
mod - lang/strings_japanese.txt
master e9863188 2014-10-27 08:12
Don't update user last visited on auto-refresh
This change uses a refresh=true GET parameter on pages that auto-refresh. This way actions like the following only trigger on real user activity:
- User last visited (native)
- Google Analytics (plugin)
There could be other cases, but these cases demonstrate the need.
Fixes 0017752
Affected Issues: 0017752
mod - core/html_api.php
mod - my_view_page.php
mod - view_all_bug_page.php
master f5bd6a59 2014-10-26 19:46 Rafik Robeal
Fix layout in summary page when there is no submenu
mod - account_page.php
mod - account_prof_menu_page.php
mod - core/html_api.php
mod - manage_config_workflow_page.php
mod - summary_page.php
master 26cd8c7c 2014-10-26 00:24
Fix basic auth for soap
This is a modified version of the suggestion by neowizdom on the bug.
Fixes 0017455
Affected Issues: 0017455
mod - core/authentication_api.php
master 481ba094 2014-10-25 23:31
Show time tracking on print issue page
This change includes the following fixes:
- Use bugnote API in print issue page.
- Add time tracking information in print issue page.
- Use bold for both reminders and time tracking, rather than one bold and one italics.
- Remove fixup of bugnote type to TIME_TRACKING in API rather than in calling code.
Fixes 0017410
Affected Issues: 0017410
mod - bugnote_view_inc.php
mod - core/bugnote_api.php
mod - print_bugnote_inc.php
master 1c1c29eb 2014-10-25 21:58
Hide news permissions when disabled
The news related permissions should be hidden when the feature is disabled.
mod - adm_permissions_report.php
master 9eb242a7 2014-10-25 21:16
Fix showing of workflow transitions
The workflow transitions were not being shown due to accessing the wrong variables when rendering the page.
Fixes 0017658
Affected Issues: 0017658
mod - manage_config_workflow_page.php
master 3b6cc00c 2014-10-25 21:14
Fix php error for undefined t_workflow variable
mod - manage_config_workflow_set.php
master 903aab1a 2014-10-25 19:13 Rafik Robeal
Show 'Upgrade your instance' tab in admin index page when applicable.
mod - core/html_api.php
master fd0c1188 2014-10-25 18:39 Rafik Robeal
Add config defaults missed from latest merge
mod - config_defaults_inc.php
master 685a9dda 2014-10-25 18:13 The Gitter Badger Committer: vboctor
Added Gitter badge
mod - readme.md
master cb23fb24 2014-10-25 11:56
Fix php errors with filters
This fixes the php errors that occur when clicking on View State, Match Type, and Highlight Changed. The change includes:
- When a filter is retrieved for a user, if the user doesn't have a filter or something is wrong with it, return default filter.
- Move access to $g_filter into the filter_api and introduce filter_init() API. Default $g_filter in filter_api as well.
- View State initialization should use correct type to avoid type mismatch in check_selected().
Fixes 0017654
Affected Issues: 0017654
mod - core/current_user_api.php
mod - core/filter_api.php
mod - core/user_api.php
mod - return_dynamic_filters.php
mod - view_all_inc.php
mod - view_filters_page.php
master f8c57d4f 2014-10-25 10:31
Fix php error in error_api
mod - core/error_api.php
master 49a89ed5 2014-10-24 22:16
Fix assoc array handling in config page
This issue likely affected integer handling in general. The fix tackles the following:
- Detect and handle properly numeric strings.
- Don't do constant replacements when the constants are enclosed in quotation marks.
- Variable name fix.
Fixes 0017533
Affected Issues: 0017533
mod - adm_config_set.php
pr 631e07b0 2014-10-24 19:28
Add check for default move category
Add a configuration check to make sure that default_category_for_moves config option points to a valid category.
mod - admin/check/check_config_inc.php
pr cffbd04a 2014-10-24 19:13
Remove troubleshooting for invalid category
The code now handles this gracefully and we don't need the complex troubleshooting section.
mod - docbook/Admin_Guide/en-US/Troubleshooting.xml
pr 7489d321 2014-10-24 19:09
Fix category does not exist error
If we get into a state where a category doesn't exist then we end up in a denial of service state. This impacts pages like My View, View Issues, and others. We can get into this state due to several cases that we should fix. However, there is no reason why we won't handle them like we handle unknown enumerations. This change adds a category_exists check in category_full_name() api, and changes category_exists to populate the cache to not incur extra overhead.
Fixes 0015420
mod - core/category_api.php
master 614b3196 2014-10-23 22:37 Rafik Robeal
Fix duplicate submenu after merge
mod - adm_config_report.php
mod - adm_permissions_report.php
mod - manage_config_columns_page.php
mod - manage_config_email_page.php
mod - manage_config_work_threshold_page.php
mod - manage_config_workflow_page.php
mod - manage_custom_field_page.php
mod - manage_plugin_page.php
mod - manage_user_page.php
master ec9246ea 2014-10-23 22:27 Rafik Robeal
Fix install page for creating new database
mod - admin/install.php
mod - config_defaults_inc.php
mod - core/columns_api.php
mod - core/html_api.php
mod - manage_proj_create_page.php