Changesets: MantisBT
|
master 33562d44 2026-04-08 18:25 Details Diff |
Composer update

- Removing sebastian/resource-operations (3.0.4)
- Removing doctrine/instantiator (1.5.0)
- Upgrading symfony/deprecation-contracts (v2.5.4 => v3.6.0): Extracting archive
- Upgrading guzzlehttp/psr7 (2.8.0 => 2.9.0): Extracting archive
- Upgrading sebastian/version (3.0.2 => 4.0.1): Extracting archive
- Upgrading sebastian/type (3.2.1 => 4.0.0): Extracting archive
- Upgrading sebastian/recursion-context (4.0.6 => 5.0.1): Extracting archive
- Upgrading sebastian/object-reflector (2.0.4 => 3.0.0): Extracting archive
- Upgrading sebastian/object-enumerator (4.0.4 => 5.0.0): Extracting archive
- Upgrading sebastian/global-state (5.0.8 => 6.0.2): Extracting archive
- Upgrading sebastian/exporter (4.0.8 => 5.1.4): Extracting archive
- Upgrading sebastian/environment (5.1.5 => 6.1.0): Extracting archive
- Upgrading sebastian/diff (4.0.6 => 5.1.1): Extracting archive
- Upgrading sebastian/comparator (4.0.10 => 5.0.5): Extracting archive
- Upgrading sebastian/code-unit (1.0.8 => 2.0.0): Extracting archive
- Upgrading sebastian/cli-parser (1.0.2 => 2.0.1): Extracting archive
- Upgrading phpunit/php-timer (5.0.3 => 6.0.0): Extracting archive
- Upgrading phpunit/php-text-template (2.0.4 => 3.0.1): Extracting archive
- Upgrading phpunit/php-invoker (3.1.1 => 4.0.0): Extracting archive
- Upgrading phpunit/php-file-iterator (3.0.6 => 4.1.0): Extracting archive
- Upgrading sebastian/lines-of-code (1.0.4 => 2.0.2): Extracting archive
- Upgrading sebastian/complexity (2.0.3 => 3.2.0): Extracting archive
- Upgrading sebastian/code-unit-reverse-lookup (2.0.3 => 3.0.0): Extracting archive
- Upgrading phpunit/php-code-coverage (9.2.32 => 10.1.16): Extracting archive
- Upgrading phpunit/phpunit (9.6.34 => 10.5.63): Extracting archive
- Upgrading pimple/pimple (v3.6.0 => v3.6.2): Extracting archive

Issue 0036914 |
Affected Issues 0036914 |
|
| mod - composer.lock | Diff File | ||
|
master 6b49c1e3 2026-04-08 18:22 Details Diff |
Composer: remove PHPUnit 9.x Fixes 0036914 |
Affected Issues 0036914 |
|
| mod - composer.json | Diff File | ||
|
master-2.28 2ec1b106 2026-04-07 12:02 Details Diff |
Revert use of string_url() in http_api.php

Requiring string_api.php was causing a circular inclusion pattern of the core APIs, resulting in rejection of Secure Cookies by the browser.

Partial revert of commit 5393a5663d33a0060d13ee0d4517bb701ddac40d.

Fixes 0036819 |
Affected Issues 0036819 |
|
| mod - core/http_api.php | Diff File | ||
|
master-2.28 e6be7c24 2026-04-06 08:26 Details Diff |
Check user id validity early in verify.php

It makes no sense to attempt login if the user does not exist.

Minor optimization: make use of extracted $u_username variable instead of calling user_get_username().

Fixes 0037006 |
Affected Issues 0037006 |
|
| mod - verify.php | Diff File | ||
|
master-2.28 e2d7dcda 2026-04-06 08:19 Details Diff |
Fix record not found check in user_cache_row()

Using empty() instead of !isset(), so both false and null trigger the exception.

Regression from 2cee661cbdf9bf607a75586b8376f74675c924af.

Fixes 0037005 |
Affected Issues 0037005 |
|
| mod - core/user_api.php | Diff File | ||
|
master f4795e18 2026-04-06 08:08 translatewiki.net Details Diff |
Localisation updates from https://translatewiki.net. [skip ci] | ||
| mod - lang/strings_ukrainian.txt | Diff File | ||
| mod - plugins/MantisCoreFormatting/lang/strings_ukrainian.txt | Diff File | ||
|
master bf3b3641 2026-04-04 06:02 Committer: dregad Details Diff |
Deleting a user now deletes its filters Fixes 0037004 |
Affected Issues 0037004 |
|
| mod - core/filter_api.php | Diff File | ||
| mod - core/user_api.php | Diff File | ||
|
master-2.28 b8d84f3c 2026-04-04 05:40 Committer: dregad Details Diff |
Fix intermittent error when deleting user from project Fixes 0032998, PR https://github.com/mantisbt/mantisbt/pull/2199 |
Affected Issues 0032998 |
|
| mod - core/commands/ProjectUsersDeleteCommand.php | Diff File | ||
|
master 12a20c13 2026-03-30 08:10 translatewiki.net Details Diff |
Localisation updates from https://translatewiki.net. [skip ci] | ||
| mod - lang/strings_ukrainian.txt | Diff File | ||
|
master 6468c95d 2026-03-27 13:49 Details Diff |
Fix spelling [skip ci] | ||
| mod - manage_proj_user_update.php | Diff File | ||
|
master 1b1a3133 2026-03-23 08:47 Details Diff |
Merge branch 'master-2.28' | ||
| mod - core/csv_api.php | Diff File | ||
|
master 95855d53 2026-03-23 08:31 Details Diff |
Merge branch 'master-2.28' # Conflicts: # api/rest/mantisbt_openapi.yaml # core/constant_inc.php |
||
| mod - view_filters_page.php | Diff File | ||
|
master-2.28 996e4697 2026-03-23 08:26 Details Diff |
Fix duplicated page layout in view_filters_page.php

Issuing page layout too early causes header and sidebar duplication when calling access_denied(), if the filter does not exist or is not accessible.

Fixes 0036990 |
Affected Issues 0036990 |
|
| mod - view_filters_page.php | Diff File | ||
|
master 2674500b 2026-03-23 08:08 translatewiki.net Details Diff |
Localisation updates from https://translatewiki.net. [skip ci] | ||
| mod - lang/strings_belarusian_tarask.txt | Diff File | ||
| mod - plugins/MantisCoreFormatting/lang/strings_belarusian_tarask.txt | Diff File | ||
|
master-2.28 65c2dd3e 2026-03-19 14:29 Details Diff |
Always quote tab-prefixed CSV string when escaping

According to OWASP [1], when prefixing a string with tab to avoid CSV injection, the string should always be quoted.

Improves fix for Issue 0029130.

Fixes 0036991

[1]: https://owasp.org/www-community/attacks/CSV_Injection#excel-resistant-mitigation |
Affected Issues 0029130, 0036991 |
|
| mod - core/csv_api.php | Diff File | ||
|
master-2.28 b80bd8bd 2026-03-19 14:21 Details Diff |
Ensure csv_escape_string() deals with a string

This prevents a PHP warning when using array dereferencing form to get $p_string's first character. When this happened, the strpos() call would return 0, leading to always (and sometimes incorrectly) qualifying the string as risky, resulting in a tab character to be prepended.

Note: using a type cast instead of string TypeDef in function signature to avoid regression issues in case some callers pass NULL.

Fixes 0036987 |
Affected Issues 0036987 |
|
| mod - core/csv_api.php | Diff File | ||
|
master-2.28 fb70536b 2026-03-16 12:27 Details Diff |
Set version to 2.28.2-dev | ||
| mod - api/rest/mantisbt_openapi.yaml | Diff File | ||
| mod - core/constant_inc.php | Diff File | ||
|
master cb1a1811 2026-03-16 08:17 Details Diff |
Merge tag 'release-2.28.1'

Manually excluded Version bump (61082fb5bc65fbc35973a4b08d63d7e9db1e3f97). |
||
| mod - api/soap/mc_api.php | Diff File | ||
| mod - core/classes/IssueTagTimelineEvent.class.php | Diff File | ||
| mod - lang/strings_french.txt | Diff File | ||
| mod - tag_delete.php | Diff File | ||
|
master 51b5d884 2026-03-16 08:08 translatewiki.net Details Diff |
Localisation updates from https://translatewiki.net. [skip ci] | ||
| mod - lang/strings_belarusian_tarask.txt | Diff File | ||
|
master-2.28 61082fb5 2026-03-16 08:04 Details Diff |
Bump version to 2.28.1 | ||
| mod - api/rest/mantisbt_openapi.yaml | Diff File | ||
| mod - core/constant_inc.php | Diff File | ||
|
master-2.28 af7ede1f 2026-03-16 07:58 Details Diff |
Merge security fixes for GHSA-fh48-f69w-7vmp https://github.com/mantisbt/mantisbt/security/advisories/GHSA-fh48-f69w-7vmp |
||
| mod - core/classes/IssueTagTimelineEvent.class.php | Diff File | ||
| mod - tag_delete.php | Diff File | ||
|
master-2.28 f32787c1 2026-03-16 07:39 Details Diff |
Escape unknown tag name in Timeline

Timeline API retrieves data from the bug_history table. It can happen that the tag name stored there no longer exists (e.g. if it has been renamed or deleted). In this case, tag_get_by_name() returns false (obviously), causing IssueTagTimelineEvent::html() to fall back to displaying the name stored in the Timeline event as-is, but lack of proper escaping allowed XSS / HTML injection.

Fixes 0036973 |
Affected Issues 0036973 |
|
| mod - core/classes/IssueTagTimelineEvent.class.php | Diff File | ||
|
master-2.28 80990f43 2026-03-15 20:23 Details Diff |
Properly escape tag name prior to display

Prevents XSS when displaying the confirmation message prior to deleting a tag.

Fixes 0036971 |
Affected Issues 0036971 |
|
| mod - tag_delete.php | Diff File | ||
|
master-2.28 5e6e52d9 2026-03-15 19:25 Details Diff |
translatewiki.net {{GENDER:*}} tag is unsupported Replace by gender-neutral translation. Fixes 0036972 |
Affected Issues 0036972 |
|
| mod - lang/strings_french.txt | Diff File | ||
|
master-2.28 ba5c862f 2026-03-13 11:04 Committer: dregad Details Diff |
Fix unknown category error in MantisGraph

A simple check using category_exists() has been added before calling the problematic function.

Fixes 0036969, PR https://github.com/mantisbt/mantisbt/pull/2196 |
Affected Issues 0036969 |
|
| mod - plugins/MantisGraph/pages/issues_trend_bycategory_table.php | Diff File | ||