Changesets: MantisBT

master dfe664a1 2014-11-29 05:50
Improve comment for 'nosniff' header
- Reworded the part about IE8 second-guessing content type
- Added a note about Flash, as per Mathias Karlsson's recommendation in issue 0017874
Affected Issues: 0017874
Files:
  mod - core/http_api.php
  mod - css/common_config.php
  mod - css/status_config.php
  mod - file_download.php
  mod - javascript_config.php
  mod - javascript_translations.php

master-1.2.x a552b37b 2014-11-29 05:50
Improve comment for 'nosniff' header
- Reworded the part about IE8 second-guessing content type
- Added a note about Flash, as per Mathias Karlsson's recommendation in issue 0017874
Affected Issues: 0017874
Files:
  mod - file_download.php

master 26f209a2 2014-11-28 14:51
Fix 0017874: XSS in file uploads
An attacker can upload a Flash file with an image extension. If such an attachment is displayed inline, it becomes a vector for XSS attacks. This issue was reported by Mathias Karlsson (http://mathiaskarlsson.me) as part of Offensive Security's bug bounty program [1]. Patch with contribution from Victor Boctor.
Affected Issues: 0017874
Files:
  mod - file_download.php

master-1.2.x 9fb8cf36 2014-11-28 14:51
Fix 0017874: XSS in file uploads
An attacker can upload a Flash file with an image extension. If such an attachment is displayed inline, it becomes a vector for XSS attacks. This issue was reported by Mathias Karlsson (http://mathiaskarlsson.me) as part of Offensive Security's bug bounty program [1]. Patch with contribution from Victor Boctor.
Affected Issues: 0017874
Files:
  mod - file_download.php

master-1.2.x 0826cef8 2014-11-28 06:50
DB Credentials leak in upgrade_unattended.php
Retrieve credentials from Mantis system configuration instead of accepting them from POST parameters. This issue was reported by Mathias Karlsson (http://mathiaskarlsson.me) as part of Offensive Security's bug bounty program [1]. Paul Richards' original patch was modified to align the code with the master branch (basically replacing DIRECTORY_SEPARATOR by '/') to facilitate porting.
Fixes 0017877
[1] http://www.offensive-security.com/bug-bounty-program/
Signed-off-by: Damien Regad <dregad@mantisbt.org>
Affected Issues: 0017877
Files:
  mod - admin/upgrade_unattended.php

master 66c142dc 2014-11-27 14:15
Fix 0017297: XSS in string_insert_hrefs
The URL matching regex in the function did not validate the protocol, allowing an attacker to use 'javascript://' to execute arbitrary code. Issue was discovered by Mathias Karlsson (http://mathiaskarlsson.me) and reported by Offensive Security (http://www.offensive-security.com/).
Affected Issues: 0017297
Files:
  mod - core/string_api.php

master-1.2.x 05378e00 2014-11-27 14:15
Fix 0017297: XSS in string_insert_hrefs
The URL matching regex in the function did not validate the protocol, allowing an attacker to use 'javascript://' to execute arbitrary code. Issue was discovered by Mathias Karlsson (http://mathiaskarlsson.me) and reported by Offensive Security (http://www.offensive-security.com/).
Affected Issues: 0017297
Files:
  mod - core/string_api.php

master c590905a 2014-11-26 08:01
HTML/CSS fixes in bug_revision_view_page.php
Files:
  mod - bug_revision_view_page.php

master-1.2.x b1a6ee2c 2014-11-26 06:05
Increase captcha public key max value
The captcha's public key was generated as a random number between 0 and 99999. As per Alejo Popovici's recommendation in 0017811:0041918, this commit removes the limitation in mt_rand() call, so the generated key is now a number between 0 and mt_getrandmax() (2147483647 on my box).
Issue 0017811
Affected Issues: 0017811
Files:
  mod - signup_page.php

master a177faeb 2014-11-26 00:05 Bob Clough (Committer: dregad)
Allow setting 'announcement' flag when editing News
News Edit was not working - boolean was being interpreted as a string
Fixes 0017924
Signed-off-by: Damien Regad <dregad@mantisbt.org>
Affected Issues: 0017924
Files:
  mod - news_update.php

master-1.2.x 65c13ded 2014-11-26 00:05 Bob Clough (Committer: dregad)
Allow setting 'announcement' flag when editing News
News Edit was not working - boolean was being interpreted as a string
Fixes 0017924
Signed-off-by: Damien Regad <dregad@mantisbt.org>
Affected Issues: 0017924
Files:
  mod - news_update.php

master 1cff1479 2014-11-25 04:12
Upgrade jQuery and jQuery UI to latest versions
- jQuery from v1.9.1 to v1.11.1
- jQuery UI from v1.10.0 to v1.11.2
Fixes 0017932
Affected Issues: 0017932
Files:
  mod - admin/install.php
  mod - core/html_api.php
  rm  - css/jquery-ui-1.10.0.custom.min.css
  add - css/jquery-ui-1.11.2.min.css
  add - javascript/jquery-1.11.1.min.js
  rm  - javascript/jquery-1.9.1.min.js
  rm  - javascript/jquery-ui-1.10.0.custom.min.js
  add - javascript/jquery-ui-1.11.2.min.js

master ac817e3f 2014-11-24 18:54 (Committer: dregad)
Improve validation for filter sort and direction
Fixes 0017841
Affected Issues: 0017841
Files:
  mod - core/filter_api.php

master-1.2.x b0021673 2014-11-24 18:54 (Committer: dregad)
Improve validation for filter sort and direction
Fixes 0017841
Affected Issues: 0017841
Files:
  mod - core/filter_api.php

master-1.2.x 7bb78e45 2014-11-24 18:28 (Committer: dregad)
Use session rather than form key for captcha
Fixes 0017811
Signed-off-by: Damien Regad <dregad@mantisbt.org>
Affected Issues: 0017811, 0017993
Files:
  mod - core/constant_inc.php
  mod - make_captcha_img.php
  mod - signup.php
  mod - signup_page.php

master-1.2.x 32f3dd09 2014-11-23 13:58
Update mailmap file
Files:
  mod - .mailmap

master e704f569 2014-11-23 10:57 (Committer: vboctor)
Convert filter links into standard form buttons
Fixes 0017834
Affected Issues: 0017834
Files:
  mod - core/filter_api.php
  mod - css/default.css

master 2fa31b89 2014-11-22 23:59
Fix 0017913: issue hyperlinks in timeline
Affected Issues: 0017913
Files:
  mod - css/default.css

master d5b3f7cd 2014-11-22 23:40
Fix 0017912: display of "\n" in summary submenu
Regression introduced by 0552366c6e2aff04efd4d3ada7c794b6300bb8f5.
Affected Issues: 0017912
Files:
  mod - core/html_api.php

master 52923d1c 2014-11-22 10:18 (Committer: vboctor)
Re-style search label in Manage User page
Fixes 0017815
Signed-off-by: Victor Boctor <victor@mantishub.net>
Affected Issues: 0017815
Files:
  mod - css/default.css
  mod - manage_user_page.php

master 3ad885bf 2014-11-22 10:12 (Committer: vboctor)
Restyle the send reminder form
Fixes 0017832
Signed-off-by: Victor Boctor <victor@mantishub.net>
Affected Issues: 0017832
Files:
  mod - bug_reminder_page.php
  mod - css/default.css

master 21538722 2014-11-15 11:54
Improve timeline message when issue is unassigned
Old Message: "user xyz assigned issue 123 to user0"
New Message: "user xyz unassigned issue 123"
Files:
  mod - core/classes/IssueAssignedTimelineEvent.class.php
  mod - lang/strings_english.txt

master-1.2.x 5d1a57f8 2014-11-15 11:38
Fix "bug doesn't exist" error in timeline feature
The error was caused by 0f030fd725b8139aa39e47365fe3433a2f12dda8 which checks that the user has access to issues referenced in issue history.
Issue 0009885
Conflicts: core/history_api.php
Affected Issues: 0009885
Files:
  mod - core/history_api.php

master 3012159c 2014-11-15 11:38
Fix "bug doesn't exist" error in timeline feature
The error was caused by 0f030fd725b8139aa39e47365fe3433a2f12dda8 which checks that the user has access to issues referenced in issue history.
Issue 0009885
Affected Issues: 0009885
Files:
  mod - core/history_api.php

master b02557d8 2014-11-15 05:43
Revert "Fix 0017870: XSS in adm_config_report.php"
This reverts commit b509ab380f91e84d9683dbfdb02206b88a9b86fb. The wrong string API call was used, it should have been string_attribute() and not string_display_line(). Thanks to Paul Richards for pointing this out.
Affected Issues: 0017870
Files:
  mod - adm_config_report.php