Changesets: MantisBT

master a24c89ef 2026-05-11 08:08 translatewiki.net
Localisation updates from https://translatewiki.net. [skip ci]
  mod - lang/strings_belarusian_tarask.txt
  mod - lang/strings_dutch.txt
  add - plugins/Gravatar/lang/strings_az.txt

master 255cd957 2026-05-10 10:00 Committer: community
Added openssl requirement to installation documentation
Fixes 0037112, https://github.com/mantisbt/mantisbt/pull/2214
Affected Issues: 0037112
  mod - docbook/Admin_Guide/en-US/Installation.xml

master 6fce5960 2026-05-09 20:50 Committer: community
Remove the issue update when watchers change
Calls to the bug_update_date() function have been removed from the bug_monitor() and bug_unmonitor() functions.
Fixes 0010857, PR https://github.com/mantisbt/mantisbt/pull/2213
Affected Issues: 0010857
  mod - core/bug_api.php

master dcbcf9eb 2026-05-09 20:46 Committer: community
Add 'Date Created' and 'Last Visit' info to Manage User Edit page
Fixes 0037111, PR https://github.com/mantisbt/mantisbt/pull/2216
Affected Issues: 0037111
  mod - manage_user_edit_page.php

master 5625214a 2026-05-09 06:53
Merge tag 'release-2.28.2'
Stable release 2.28.2
# Conflicts:
#	api/rest/mantisbt_openapi.yaml
#	core/constant_inc.php
  mod - account_prefs_update.php
  mod - account_prof_update.php
  mod - admin/move_attachments_page.php
  mod - api/soap/mc_file_api.php
  mod - api/soap/mc_issue_api.php
  mod - bug_report_page.php
  mod - core/access_api.php
  mod - core/cfdefs/cfdef_standard.php
  mod - core/commands/IssueFileGetCommand.php
  mod - core/commands/MonitorAddCommand.php
  mod - core/commands/ProjectUsersAddCommand.php
  mod - core/date_api.php
  mod - core/file_api.php
  mod - core/filter_form_api.php
  mod - core/helper_api.php
  mod - core/layout_api.php
  mod - core/print_api.php
  mod - file_download.php
  mod - login.php
  mod - login_page.php
  mod - login_password_page.php
  mod - manage_filter_page.php
  mod - return_dynamic_filters.php
  mod - tag_update_page.php

master-2.28 399605af 2026-05-09 06:44
Bump version to 2.28.2
  mod - api/rest/mantisbt_openapi.yaml
  mod - core/constant_inc.php

master-2.28 9e3bee2e 2026-05-09 05:53
Merge branch 'sec-37016-csp-bypass' into release/2.28.2
  mod - file_download.php

master-2.28 71df1f67 2026-05-09 05:49 Committer: community
Fix bugnote revisions access check
access_can_view_bugnote_revisions() now checks that the user can view the bugnote's parent issue.
Fixes 0036978, GHSA-crmx-4p49-46m2 / CVE-2026-34970
Affected Issues: 0036978
  mod - core/access_api.php

master-2.28 b1c3430b 2026-05-08 04:05
Revert "Cannot grant an access level higher than one's own"
This reverts commit 86accbca671a6a2bfe2204e58739b58d4f06b63d.
The vulnerability, identified in Issue 0037002, had in fact already been reported (and fixed) in Issue 0036995, see commit 69e0180f180ed5acf48a8d281a73683a7bf32461.
Affected Issues: 0036995, 0037002
  mod - core/commands/ProjectUsersAddCommand.php

master-2.28 9e43cd80 2026-05-07 11:30
Purge file_show_inline security token after use
This ensures that the token cannot be reused after displaying the attachment inline.
Issue 0037020
Affected Issues: 0037020
  mod - file_download.php

master 3b45a8a2 2026-05-07 08:07 translatewiki.net
Localisation updates from https://translatewiki.net. [skip ci]
  mod - lang/strings_belarusian_tarask.txt
  mod - plugins/MantisCoreFormatting/lang/strings_belarusian_tarask.txt
  mod - plugins/MantisGraph/lang/strings_belarusian_tarask.txt

master-2.28 6e58fae4 2026-05-06 19:33 Committer: community
Fix Bugnote update auth bypass via REST/SOAP API
Add a note-level permission check in mc_issue_update() to ensure the user is authorized to update each bugnote individually.
Fixes 0037089, GHSA-pq86-j2c2-47f6 / CVE-2026-42070
Affected Issues: 0037089
  mod - api/soap/mc_issue_api.php

master-2.28 029d9d20 2026-05-06 19:32
Merge branch 'sec-36985-private-attachment-leak' into release/2.28.2
  mod - api/soap/mc_file_api.php
  mod - core/file_api.php
  mod - file_download.php

master-2.28 9e8409cd 2026-05-06 19:27
Merge branch 'sec-37011-xss_font_family' into release/2.28.2
  mod - account_prefs_update.php
  mod - core/helper_api.php
  mod - core/layout_api.php
  mod - core/print_api.php
  mod - login.php
  mod - login_page.php
  mod - login_password_page.php

master 5b9a0155 2026-05-05 11:46 Committer: community
Revise SECURITY.md for clarity and updates
Updated security guidelines to clarify support status and reporting process.
  mod - SECURITY.md

master 36044d26 2026-05-05 03:54 Committer: community
Add a cache for tokens retrieved from the database
A cache of tokens retrieved from the database has been added as a new global variable, $g_cache_token. The chosen cache format simplifies the process of obtaining a token and storing it in the cache, but makes it more complicated to verify the token ID; however, in practice, this does not reduce the cache's efficiency due to the optimal order of function calls in MantisBT. In addition, the code explicitly casts token identifiers to integers throughout.
Fixes 0037098, https://github.com/mantisbt/mantisbt/pull/2210
Affected Issues: 0037098
  mod - core/tokens_api.php
  add - tests/Mantis/TokensApiTest.php

master 898d8680 2026-05-04 11:38 Committer: community
Fix debug log backtrace for Windows
Absolute paths and problematic path separators have been removed, since function and file names are already sufficiently unique, and the location of MantisBT files can be changed via the configuration. The text has also been formatted consistently.
Fixes 0037097, PR https://github.com/mantisbt/mantisbt/pull/2209
Affected Issues: 0037097
  mod - core/logging_api.php

master f6265407 2026-05-04 08:05 translatewiki.net
Localisation updates from https://translatewiki.net. [skip ci]
  mod - lang/strings_russian.txt
  mod - lang/strings_turkish.txt

master-2.28 26647b2e 2026-05-03 13:46
Restrict MIME type for file downloads
Until now, file_download.php was sending attachment content with a MIME type determined by PHP's Fileinfo [1]. This creates a risk of JavaScript execution bypassing the Content Security Policy.
We now only set the Content-Type header for known safe types (e.g. PDF and images), all text types are forced to text/plain and the rest is sent as application/octet-stream.
Includes corrections following review by vboctor.
Fixes 0037016, GHSA-9c3j-xm6v-j7j3 / CVE-2026-40597
[1]: https://www.php.net/manual/en/book.fileinfo.php
Affected Issues: 0037016, 0037020
  mod - file_download.php

master-2.28 5cb4b469 2026-05-03 13:00
Fix XSS on move_attachments_page.php
Proper escaping of Project Name prevents HTML injection.
Fixes 0037099, GHSA-7mqj-8gj2-cg59
Affected Issues: 0037099
  mod - admin/move_attachments_page.php

master 107a02dd 2026-05-03 12:51
Do not display projects without attachments
Fixes 0037100
Affected Issues: 0037100
  mod - admin/move_attachments_page.php

master a0d8d46a 2026-05-02 19:26
Fix static analysis warnings
  mod - bug_revision_view_page.php
  mod - core/access_api.php

master-2.28 955cb50f 2026-05-02 07:01
Fix Private Bugnote Attachment Leak via SOAP API
Incomplete access checks in mci_file_can_download_bug_attachments() resulted in unauthorized access to attachments. The function has been removed and replaced by calls to standard file API functions file_can_download_bug_attachments() and file_can_download_bugnote_attachments().
Fixes 0036985, GHSA-pw5x-2mf9-3xc8 / CVE-2026-42071
Affected Issues: 0036985
  mod - api/soap/mc_file_api.php

master de8960cf 2026-05-02 06:53
Fix PHPDoc and static analysis warnings
  mod - api/soap/mc_file_api.php
  mod - api/soap/mc_issue_attachment_api.php
  mod - core/file_api.php

master-2.28 5b7f5bc9 2026-05-02 06:29
Fix Private Bugnote Attachment Leak via REST API
Add missing $p_bugnote_id argument to file_can_view_or_download() call in file_can_view_bugnote_attachments. This fixes the incorrect access check that was giving undue access to private attachments.
Fixes 0036985, GHSA-pw5x-2mf9-3xc8 / CVE-2026-42071
Affected Issues: 0036985
  mod - core/file_api.php