Changesets: MantisBT
|
master 75568c53 2012-06-03 00:53 Details Diff |
Additional patch to fix 0014016 First patch to fix the issue introduced access to undefined variable. |
Affected Issues 0014016 |
|
| mod - api/soap/mc_issue_attachment_api.php | Diff File | ||
|
master-1.2.x c9314184 2012-06-03 00:51 Details Diff |
Additional patch to fix 0014016 First patch to fix the issue introduced access to undefined variable. |
Affected Issues 0014016 |
|
| mod - api/soap/mc_issue_attachment_api.php | Diff File | ||
|
master 31d11568 2012-06-02 00:35 Details Diff |
Fix 0014015: attachment deletion: remove update_bug_threshold check As reported by Roland Becker (MantisBT developer): Although configuration option allow_delete_own_attachments is set to ON reporters cannot delete their own attachments. After pushing the delete button you get "Access Denied" Issue 0014016 implemented correct attachment deletion access control checks against delete_attachments_threshold. We should be using this threshold instead of update_bug_threshold because attachments aren't linked to the core fields of an issue -- they are frequently related to comments (bugnotes) provided by less privileged users. $g_allow_delete_own_attachments should now work again... safely. |
Affected Issues 0014015, 0014016 |
|
| mod - api/soap/mc_issue_attachment_api.php | Diff File | ||
| mod - bug_file_delete.php | Diff File | ||
|
master-1.2.x 628e9370 2012-06-02 00:35 Details Diff |
Fix 0014015: attachment deletion: remove update_bug_threshold check As reported by Roland Becker (MantisBT developer): Although configuration option allow_delete_own_attachments is set to ON reporters cannot delete their own attachments. After pushing the delete button you get "Access Denied" Issue 0014016 implemented correct attachment deletion access control checks against delete_attachments_threshold. We should be using this threshold instead of update_bug_threshold because attachments aren't linked to the core fields of an issue -- they are frequently related to comments (bugnotes) provided by less privileged users. $g_allow_delete_own_attachments should now work again... safely. Conflicts: bug_file_delete.php |
Affected Issues 0014015, 0014016 |
|
| mod - api/soap/mc_issue_attachment_api.php | Diff File | ||
| mod - bug_file_delete.php | Diff File | ||
|
master f82f98cc 2012-06-02 00:10 Details Diff |
Fix 0014016: delete_attachments_threshold is not checked Roland Becker (MantisBT developer) reported the following security/access control bug: In a default installation delete_attachments_threshold is set to DEVELOPER but having access level >= update_bug_threshold is enough to delete attachments if form_security_validation is set to OFF. MantisBT was not checking the access level of the user requesting deletion of an attachment to an issue against $g_delete_attachments_threshold. The new access control logic for deleting an issue attachment is now: 1. Does the user have an access level of at least update_bug_threshold? 2. If the user is the owner of the file and $g_allow_delete_own_attachments=OFF, does this user have an access level of at least delete_attachments_threshold? 3. If the user is not the owner of the file, do they have an access level of at least delete_attachments_threshold? Also refer to issue 0014015 for discussion on whether update_bug_threshold should be part of the access control logic. The relevant SOAP API call has also been updated. Conflicts: bug_file_delete.php |
Affected Issues 0014015, 0014016 |
|
| mod - api/soap/mc_issue_attachment_api.php | Diff File | ||
| mod - bug_file_delete.php | Diff File | ||
|
master-1.2.x ceafe6f0 2012-06-02 00:10 Details Diff |
Fix 0014016: delete_attachments_threshold is not checked Roland Becker (MantisBT developer) reported the following security/access control bug: In a default installation delete_attachments_threshold is set to DEVELOPER but having access level >= update_bug_threshold is enough to delete attachments if form_security_validation is set to OFF. MantisBT was not checking the access level of the user requesting deletion of an attachment to an issue against $g_delete_attachments_threshold. The new access control logic for deleting an issue attachment is now: 1. Does the user have an access level of at least update_bug_threshold? 2. If the user is the owner of the file and $g_allow_delete_own_attachments=OFF, does this user have an access level of at least delete_attachments_threshold? 3. If the user is not the owner of the file, do they have an access level of at least delete_attachments_threshold? Also refer to issue 0014015 for discussion on whether update_bug_threshold should be part of the access control logic. The relevant SOAP API call has also been updated. |
Affected Issues 0014015, 0014016 |
|
| mod - api/soap/mc_issue_attachment_api.php | Diff File | ||
| mod - bug_file_delete.php | Diff File | ||
|
master 8208170b 2012-06-01 22:46 Details Diff |
Fix 0014342: mc_issue_api functions do not perform read only checks Various SOAP functions in mc_issue_api.php did not perform checks to ensure that read only issues are unmodifiable. |
Affected Issues 0014342 |
|
| mod - api/soap/mc_issue_api.php | Diff File | ||
|
master-1.2.x 804f6ed6 2012-06-01 22:46 Details Diff |
Fix 0014342: mc_issue_api functions do not perform read only checks Various SOAP functions in mc_issue_api.php did not perform checks to ensure that read only issues are unmodifiable. |
Affected Issues 0014342 |
|
| mod - api/soap/mc_issue_api.php | Diff File | ||
|
master 508cab00 2012-06-01 20:40 Details Diff |
Fix 0014340: Reporters can use SOAP to update bugnotes without permission The access checks inside bugnote_update.php and api/soap/mc_issue_api.php differed. Users were incorrectly allowed via the SOAP interface to update the bugnotes of other users. Instead of comparing the SOAP user's access level to $g_update_bugnote_threshold, $g_add_bugnote_threshold was used instead. This posed a problem because the default installed state of MantisBT is to allow the REPORTER access level to submit bugs via the SOAP API. Thus in the default installed state, any user who could submit a bug could also update/modify the bugnotes of any other user. Access checks within bugnote_update.php and api/soap/mc_issue_api.php should now be equivalent. Thanks to Roland Becker and Damien Regard (both MantisBT developers) for finding and reporting this problem. |
Affected Issues 0014340 |
|
| mod - api/soap/mc_issue_api.php | Diff File | ||
|
master-1.2.x edc8142b 2012-06-01 20:40 Details Diff |
Fix 0014340: Reporters can use SOAP to update bugnotes without permission The access checks inside bugnote_update.php and api/soap/mc_issue_api.php differed. Users were incorrectly allowed via the SOAP interface to update the bugnotes of other users. Instead of comparing the SOAP user's access level to $g_update_bugnote_threshold, $g_add_bugnote_threshold was used instead. This posed a problem because the default installed state of MantisBT is to allow the REPORTER access level to submit bugs via the SOAP API. Thus in the default installed state, any user who could submit a bug could also update/modify the bugnotes of any other user. Access checks within bugnote_update.php and api/soap/mc_issue_api.php should now be equivalent. Thanks to Roland Becker and Damien Regard (both MantisBT developers) for finding and reporting this problem. |
Affected Issues 0014340 |
|
| mod - api/soap/mc_issue_api.php | Diff File | ||
|
master bbc8e9be 2012-06-01 19:34 Details Diff |
Bug and bugnote access level checks should use project settings Calls to config_get to retrieve configuration values should include the relevant project ID to ensure that project-specific bugnote/bug thresholds are taken into consideration over global settings. An erronous use of the REPORTER constant has also been replaced. This allows for valid/correct use of custom access levels in relation to the $g_limit_reporters=ON functionality. |
||
| mod - core/access_api.php | Diff File | ||
|
master-1.2.x 8e5faf8c 2012-06-01 19:34 Details Diff |
Bug and bugnote access level checks should use project settings Calls to config_get to retrieve configuration values should include the relevant project ID to ensure that project-specific bugnote/bug thresholds are taken into consideration over global settings. An erronous use of the REPORTER constant has also been replaced. This allows for valid/correct use of custom access levels in relation to the $g_limit_reporters=ON functionality. |
||
| mod - core/access_api.php | Diff File | ||
|
master-1.2.x 4c125ed8 2012-06-01 18:58 Details Diff |
Cleanup SOAP error handler which contained dead code. | ||
| mod - api/soap/mc_api.php | Diff File | ||
|
master ce7ec532 2012-06-01 18:58 Details Diff |
Cleanup SOAP error handler which contained dead code. | ||
| mod - api/soap/mc_api.php | Diff File | ||
|
master-1.2.x 01b4a042 2012-06-01 18:51 Details Diff |
Fixes 0014341: SOAP API is failing due to PHP errors that are ignored by the web app. |
Affected Issues 0014341 |
|
| mod - api/soap/mc_api.php | Diff File | ||
|
master c2f15790 2012-06-01 18:51 Details Diff |
Fixes 0014341: SOAP API is failing due to PHP errors that are ignored by the web app. |
Affected Issues 0014341 |
|
| mod - api/soap/mc_api.php | Diff File | ||
|
master-1.2.x 0faacc35 2012-06-01 18:44 Details Diff |
Fixes 0014094: mc_issue_add project['name'] is not used Thanks to Tino Böhme (tino) for contributing a patch. |
Affected Issues 0014094 |
|
| mod - api/soap/mc_api.php | Diff File | ||
|
master c978645c 2012-06-01 18:44 Details Diff |
Fixes 0014094: mc_issue_add project['name'] is not used Thanks to Tino Böhme (tino) for contributing a patch. |
Affected Issues 0014094 |
|
| mod - api/soap/mc_api.php | Diff File | ||
|
master-1.2.x ae8dbcb6 2012-06-01 09:47 Details Diff |
Rename admin guide folder to fix docbook builds for release/nightlies | ||
| add - docbook/administration_guide/en/Makefile | Diff File | ||
| add - docbook/administration_guide/en/about.sgml | Diff File | ||
| add - docbook/administration_guide/en/administration_guide.sgml | Diff File | ||
| add - docbook/administration_guide/en/authentication.sgml | Diff File | ||
| add - docbook/administration_guide/en/configuration.sgml | Diff File | ||
| add - docbook/administration_guide/en/contributing.sgml | Diff File | ||
| add - docbook/administration_guide/en/customizing_mantis.sgml | Diff File | ||
| add - docbook/administration_guide/en/file-entities.ent | Diff File | ||
| add - docbook/administration_guide/en/installation.sgml | Diff File | ||
| add - docbook/administration_guide/en/page_descriptions.sgml | Diff File | ||
| add - docbook/administration_guide/en/project_management.sgml | Diff File | ||
| add - docbook/administration_guide/en/troubleshooting.sgml | Diff File | ||
| add - docbook/administration_guide/en/user_management.sgml | Diff File | ||
| add - docbook/administration_guide/en/workflow.sgml | Diff File | ||
| rm - docbook/adminguide/en/Makefile | Diff | ||
| rm - docbook/adminguide/en/about.sgml | Diff | ||
| rm - docbook/adminguide/en/administration_guide.sgml | Diff | ||
| rm - docbook/adminguide/en/authentication.sgml | Diff | ||
| rm - docbook/adminguide/en/configuration.sgml | Diff | ||
| rm - docbook/adminguide/en/contributing.sgml | Diff | ||
| rm - docbook/adminguide/en/customizing_mantis.sgml | Diff | ||
| rm - docbook/adminguide/en/file-entities.ent | Diff | ||
| rm - docbook/adminguide/en/installation.sgml | Diff | ||
| rm - docbook/adminguide/en/page_descriptions.sgml | Diff | ||
| rm - docbook/adminguide/en/project_management.sgml | Diff | ||
| rm - docbook/adminguide/en/troubleshooting.sgml | Diff | ||
| rm - docbook/adminguide/en/user_management.sgml | Diff | ||
| rm - docbook/adminguide/en/workflow.sgml | Diff | ||
|
master-2.0.x 3527cd65 2012-05-31 10:07 Paul Richards Details Diff |
Fix 0014333 | ||
| mod - config_defaults_inc.php | Diff File | ||
| mod - core/gpc_api.php | Diff File | ||
| mod - core/http_api.php | Diff File | ||
| mod - core/user_api.php | Diff File | ||
|
master f39ad8c9 2012-05-30 22:53 Details Diff |
Make test for HTTPS protocol compliant with PHP documentation Prior to this, the protocol was considered to be HTTPS when isset($_SERVER['HTTPS']) is true, while PHP doc[1] states that HTTPS is "Set to a non-empty value if the script was queried through the HTTPS protocol" so the test should be !empty($_SERVER['HTTPS']) instead. This was causing issues with nginx 1.x with php5fastcgi as $_SERVER['HTTPS'] is set but empty, thus MantisBT redirects all http requests to https. The protocol check has been moved to a new function in http_api.php which is then called wherever it is needed. Note that there are several occurences of isset($_SERVER['HTTPS']) in the nusoap library; these have not been modified. Fixes 0014333 [1] http://php.net/manual/en/reserved.variables.server.php |
Affected Issues 0014333 |
|
| mod - config_defaults_inc.php | Diff File | ||
| mod - core/gpc_api.php | Diff File | ||
| mod - core/http_api.php | Diff File | ||
| mod - core/user_api.php | Diff File | ||
| mod - file_download.php | Diff File | ||
|
master-1.2.x 0af2d629 2012-05-30 22:53 Details Diff |
Make test for HTTPS protocol compliant with PHP documentation Prior to this, the protocol was considered to be HTTPS when isset($_SERVER['HTTPS']) is true, while PHP doc[1] states that HTTPS is "Set to a non-empty value if the script was queried through the HTTPS protocol" so the test should be !empty($_SERVER['HTTPS']) instead. This was causing issues with nginx 1.x with php5fastcgi as $_SERVER['HTTPS'] is set but empty, thus MantisBT redirects all http requests to https. The protocol check has been moved to a new function in http_api.php which is then called wherever it is needed. Note that there are several occurences of isset($_SERVER['HTTPS']) in the nusoap library; these have not been modified. Fixes 0014333 [1] http://php.net/manual/en/reserved.variables.server.php |
Affected Issues 0014333 |
|
| mod - config_defaults_inc.php | Diff File | ||
| mod - core/gpc_api.php | Diff File | ||
| mod - core/http_api.php | Diff File | ||
| mod - core/user_api.php | Diff File | ||
| mod - file_download.php | Diff File | ||
|
master-2.0.x 94e36202 2012-05-30 12:06 Paul Richards Details Diff |
optimise filter api | ||
| mod - core/filter_api.php | Diff File | ||
|
master-2.0.x cfca3294 2012-05-30 12:04 Paul Richards Details Diff |
optimise config_can_delete | ||
| mod - core/config_api.php | Diff File | ||
|
master-2.0.x 94f42ec9 2012-05-30 12:04 Paul Richards Details Diff |
Optimise file_path_combine | ||
| mod - core/file_api.php | Diff File | ||
