Changesets: MantisBT
next f2ab9212 2011-08-19 19:09
Implement AttachmentDuplicate exception
  add  application/MantisBT/Exception/Attachment/AttachmentDuplicate.php
  mod  application/core/file_api.php

next 519c6d52 2011-08-19 19:09
Implement AttachmentDuplicate exception
  add  application/MantisBT/Exception/Attachment/AttachmentDuplicate.php
  mod  application/core/file_api.php

next 0812ebc1 2011-08-19 19:09
Implement AttachmentDuplicate exception
  add  application/MantisBT/Exception/Attachment/AttachmentDuplicate.php
  mod  application/core/file_api.php

next 02ba6079 2011-08-19 19:09
Implement AttachmentDuplicate exception
  add  application/MantisBT/Exception/Attachment/AttachmentDuplicate.php
  mod  application/core/file_api.php

next 371e4d33 2011-08-19 18:58
Implement AttachmentFileTypeDisallowed exception
  add  application/MantisBT/Exception/Attachment/AttachmentFileTypeDisallowed.php
  mod  application/core/file_api.php

next cba8bc55 2011-08-19 18:58
Implement AttachmentFileTypeDisallowed exception
  add  application/MantisBT/Exception/Attachment/AttachmentFileTypeDisallowed.php
  mod  application/core/file_api.php

next 877b9563 2011-08-19 18:58
Implement AttachmentFileTypeDisallowed exception
  add  application/MantisBT/Exception/Attachment/AttachmentFileTypeDisallowed.php
  mod  application/core/file_api.php

next 4ff59539 2011-08-19 18:58
Implement AttachmentFileTypeDisallowed exception
  add  application/MantisBT/Exception/Attachment/AttachmentFileTypeDisallowed.php
  mod  application/core/file_api.php

next 62ae42c3 2011-08-19 18:52
Implement AttachmentOversized exception
  add  application/MantisBT/Exception/Attachment/AttachmentOversized.php
  mod  application/core/file_api.php

next 6316f773 2011-08-19 18:52
Implement AttachmentOversized exception
  add  application/MantisBT/Exception/Attachment/AttachmentOversized.php
  mod  application/core/file_api.php

next aeda773c 2011-08-19 18:52
Implement AttachmentOversized exception
  add  application/MantisBT/Exception/Attachment/AttachmentOversized.php
  mod  application/core/file_api.php

next 8bbb8091 2011-08-19 18:52
Implement AttachmentOversized exception
  add  application/MantisBT/Exception/Attachment/AttachmentOversized.php
  mod  application/core/file_api.php

next 82e2496a 2011-08-19 18:45
Remove accidental commit of config_inc.php

The file "12x" was accidentally committed by Damien in commit bcfdfff86b4d4e6ffae5a2d02dca7d71a35949f6. Deleted.
  rm   12x

master 224b0f8b 2011-08-19 18:45
Remove accidental commit of config_inc.php

The file "12x" was accidentally committed by Damien in commit bcfdfff86b4d4e6ffae5a2d02dca7d71a35949f6. Deleted.
  rm   12x

master-1.2.x ff786006 2011-08-18 21:52
Fix typo in 1.2.7 release notes

Thanks to Roland (atrol) for noticing.
  mod  doc/RELEASE

master-1.2.x c046dc69 2011-08-18 04:17
Bump version to 1.2.7 and update release notes
  mod  core/constant_inc.php
  mod  doc/RELEASE

master 7c8a564c 2011-08-18 03:43
Fix 0013245: XSS issues with search.php parameters

Net.Edit0r (Net.Edit0r@Att.net) from BlACK Hat Group [http://black-hg.org] posted a vulnerability report for an XSS issue in search.php for MantisBT 1.2.6. The full report is available at http://packetstormsecurity.org/files/104149

filter_api.php is the culprit for this vulnerability as it passes user supplied search parameters back into output without first escaping the values.

It should be noted that numerous other XSS vulnerabilities (all related) have been fixed with this patch. In other words, it is not just the project_id parameter to search.php that was affected - it was numerous other parameters/fields as well.

The second SQL injection vulnerability identified by Net.Edit0r is invalid because the only time we ever make reference to "mbadmin" in the source code is:

core.php: if ( file_exists( 'mantis_offline.php' ) && !isset( $_GET['mbadmin'] ) )

This usage is safe because nothing is ever done with $_GET['mbadmin']. It may be the case that the user's customised version of mantis_offline.php was incorrectly dumping the value of $_GET['mbadmin'] to the screen. The default/sample mantis_offline.php has been checked and does not print any dynamically created strings/user supplied values.

Conflicts:
	core/filter_api.php

Affected Issues 0013245
  mod  core/filter_api.php

master-1.2.x 317f3db3 2011-08-18 03:43
Fix 0013245: XSS issues with search.php parameters

Net.Edit0r (Net.Edit0r@Att.net) from BlACK Hat Group [http://black-hg.org] posted a vulnerability report for an XSS issue in search.php for MantisBT 1.2.6. The full report is available at http://packetstormsecurity.org/files/104149

filter_api.php is the culprit for this vulnerability as it passes user supplied search parameters back into output without first escaping the values.

It should be noted that numerous other XSS vulnerabilities (all related) have been fixed with this patch. In other words, it is not just the project_id parameter to search.php that was affected - it was numerous other parameters/fields as well.

The second SQL injection vulnerability identified by Net.Edit0r is invalid because the only time we ever make reference to "mbadmin" in the source code is:

core.php: if ( file_exists( 'mantis_offline.php' ) && !isset( $_GET['mbadmin'] ) )

This usage is safe because nothing is ever done with $_GET['mbadmin']. It may be the case that the user's customised version of mantis_offline.php was incorrectly dumping the value of $_GET['mbadmin'] to the screen. The default/sample mantis_offline.php has been checked and does not print any dynamically created strings/user supplied values.

Affected Issues 0013245
  mod  core/filter_api.php

master b531419a 2011-08-16 06:17 Committer: dregad
Fixed datetime literal format and bug with removing 'AS' from string literals

Tests passed with MySQL and Oracle.

Oracle installation requires only changing:
1. $g_db_table_suffix: just as planned, to reduce object name length
2. $g_db_type: because config_get_global( 'db_type' ) returns 'mysql' at the installation stage
  mod  admin/schema.php
  mod  core/database_api.php

master fe9da540 2011-08-15 22:53
Merge pull request #10 from MarcinKleczek/master

Replace require_once call with require_api in bug_actiongroup.php

Affected Issues 0013237
  mod  bug_actiongroup.php

master adb0b818 2011-08-15 07:33 Marcin Kłeczek
Changed require_once to require_api for bug_api.php

Affected Issues 0013237
  mod  bug_actiongroup.php

master-1.2.x 9869270e 2011-08-15 00:37
Localisation updates from http://translatewiki.net.
  mod  lang/strings_belarusian_tarask.txt
  mod  lang/strings_breton.txt
  mod  lang/strings_chinese_traditional.txt
  mod  lang/strings_dutch.txt
  mod  lang/strings_french.txt
  mod  lang/strings_galician.txt
  mod  lang/strings_german.txt
  mod  lang/strings_hebrew.txt
  mod  lang/strings_interlingua.txt
  mod  lang/strings_macedonian.txt
  mod  lang/strings_norwegian_bokmal.txt
  mod  lang/strings_polish.txt
  mod  lang/strings_portuguese_brazil.txt
  mod  lang/strings_russian.txt
  mod  lang/strings_slovene.txt
  mod  lang/strings_spanish.txt
  mod  plugins/MantisGraph/lang/strings_chinese_traditional.txt

master 321e0356 2011-08-11 09:05
Align with coding standards

Renamed the new oracle-specific functions introduced to fix 0013227; implement various minor changes to comply with coding standards (spaces/tabs, braces, variable names...)

Affected Issues 0013227
  mod  core/database_api.php

master 6efe0721 2011-08-11 07:59
Add new database function db_is_oracle()

Follows the same logic as for other RDBMS. The new function is used instead of hardcoded tests like $GLOBALS['g_db_type'] == 'oci8'

Affects 0013227

Porting to 1.3 - Conflicts:
	core/database_api.php
  mod  core/database_api.php

master 050247c7 2011-08-11 07:40
Add new database function to check identifier size

The code fixing 0013227 was modified, to remove the str_replace that deletes the hardcoded "_table" suffix from the table name. We rely instead on the user modifying the db prefix and suffix in their config_inc.php to keep them short enough (or even blank) so that we don't go over the 30-character limit in Oracle. This is cleaner than arbitrarily changing the table in the code.

Porting to 1.3 - Conflicts:
	core/database_api.php
	lang/strings_english.txt
  mod  core/constant_inc.php
  mod  core/database_api.php
  mod  lang/strings_english.txt