Changesets: MantisBT
|
master-1.2.x 317f3db3 2011-08-18 03:43 Details Diff |
Fix 0013245: XSS issues with search.php parameters Net.Edit0r (Net.Edit0r@Att.net) from BlACK Hat Group [http://black-hg.org] posted a vulnerability report for an XSS issue in search.php for MantisBT 1.2.6. The full report is available at http://packetstormsecurity.org/files/104149 filter_api.php is the culprit for this vulnerability as it passes user supplied search parameters back into output without first escaping the values. It should be noted that numerous other XSS vulnerabilities (all related) have been fixed with this patch. In other words, it is not just the project_id parameter to search.php that was affected - it was numerous other parameters/fields as well. The second SQL injection vulnerability identified by Net.Edit0r is invalid because the only time we ever make reference to "mbadmin" in the source code is: core.php: if ( file_exists( 'mantis_offline.php' ) && !isset( $_GET['mbadmin'] ) ) This usage is safe because nothing is ever done with $_GET['mbadmin']. It may be the case that the user's customised version of mantis_offline.php was incorrectly dumping the value of $_GET['mbadmin'] to the screen. The default/sample mantis_offline.php has been checked and does not print any dynamically created strings/user supplied values. |
Affected Issues 0013245 |
|
| mod - core/filter_api.php | Diff File | ||
|
master b531419a 2011-08-16 06:17 Committer: dregad Details Diff |
Fixed datetime literal format and bug with removing 'AS' from string literals Tests passed with MySQL and Oracle. Oracle installation reqires only changing: 1. $g_db_table_suffix: Just as planned, to reduce object name length 2. $g_db_type: because of config_get_global( 'db_type' ) returns 'mysql' on installation stage |
||
| mod - admin/schema.php | Diff File | ||
| mod - core/database_api.php | Diff File | ||
|
master fe9da540 2011-08-15 22:53 Details Diff |
Merge pull request #10 from MarcinKleczek/master Replace require_once call with require_api in bug_actiongroup.php |
Affected Issues 0013237 |
|
| mod - bug_actiongroup.php | Diff File | ||
|
master adb0b818 2011-08-15 07:33 Marcin KÅeczek Details Diff |
Changed require_once to required_api for bug_api.php |
Affected Issues 0013237 |
|
| mod - bug_actiongroup.php | Diff File | ||
|
master-1.2.x 9869270e 2011-08-15 00:37 Details Diff |
Localisation updates from http://translatewiki.net. | ||
| mod - lang/strings_belarusian_tarask.txt | Diff File | ||
| mod - lang/strings_breton.txt | Diff File | ||
| mod - lang/strings_chinese_traditional.txt | Diff File | ||
| mod - lang/strings_dutch.txt | Diff File | ||
| mod - lang/strings_french.txt | Diff File | ||
| mod - lang/strings_galician.txt | Diff File | ||
| mod - lang/strings_german.txt | Diff File | ||
| mod - lang/strings_hebrew.txt | Diff File | ||
| mod - lang/strings_interlingua.txt | Diff File | ||
| mod - lang/strings_macedonian.txt | Diff File | ||
| mod - lang/strings_norwegian_bokmal.txt | Diff File | ||
| mod - lang/strings_polish.txt | Diff File | ||
| mod - lang/strings_portuguese_brazil.txt | Diff File | ||
| mod - lang/strings_russian.txt | Diff File | ||
| mod - lang/strings_slovene.txt | Diff File | ||
| mod - lang/strings_spanish.txt | Diff File | ||
| mod - plugins/MantisGraph/lang/strings_chinese_traditional.txt | Diff File | ||
|
master 321e0356 2011-08-11 09:05 Details Diff |
Align with coding standards Renamed the new oracle-specific functions introduced to fix 0013227; implement various minor changes to comply with coding standards (spaces/tabs, braces, variable names...) |
Affected Issues 0013227 |
|
| mod - core/database_api.php | Diff File | ||
|
master 6efe0721 2011-08-11 07:59 Details Diff |
Add new database function db_is_oracle() Follows the same logic as for other RDBMS. The new function is used instead of hardcoded tests like $GLOBALS['g_db_type'] == 'oci8' Affects 0013227 Porting to 1.3 - Conflicts: core/database_api.php |
||
| mod - core/database_api.php | Diff File | ||
|
master 050247c7 2011-08-11 07:40 Details Diff |
Add new database function to check identifier size The code fixing 0013227 was modified, to remove the str_replace that deletes the the hardcoded "_table" suffix from the table name. We rely instead on the user modifying the db prefix and suffix in their config_inc.php to keep them short enough (or even blank) so that we don't go over the 30 characters limit in Oracle. This is cleaner than arbitrarily changing the table in the code. Porting to 1.3 - Conflicts: core/database_api.php lang/strings_english.txt |
||
| mod - core/constant_inc.php | Diff File | ||
| mod - core/database_api.php | Diff File | ||
| mod - lang/strings_english.txt | Diff File | ||
|
master 5a84e9db 2011-08-11 07:25 Details Diff |
Add new global config for plugin table prefix This allows users on Oracle to shorten the table identifier, to avoid hitting the 30-char size limit. Also modified comments for the existing db prefix/suffix to explain that they should be blank or shortened for Oracle. Affects 0013227 Porting to 1.3 - Conflicts: config_defaults_inc.php core/plugin_api.php |
Affected Issues 0013227 |
|
| mod - config_defaults_inc.php | Diff File | ||
| mod - core/plugin_api.php | Diff File | ||
|
master a89e9c61 2011-08-10 09:32 Details Diff |
Oracle support: revised schema.php to avoid schema version increase Commit 9098615ccc028bee92c84e169353051b90aa1f20 introduced some schema changes to fix Issues 0013227, which is not acceptable in a maintenance release. The code was amended to avoid that. Porting to 1.3 - Conflicts: admin/schema.php |
Affected Issues 0013227 |
|
| mod - admin/schema.php | Diff File | ||
|
master 2ce60e47 2011-08-10 08:34 Details Diff |
Fix 0013227: Oracle database support (oci8) Mantis 1.2.6 currently does not work with Oracle DB: 1. Installation: 1.1. Oracle DB autocreates PK, so index creation for same field forbidden 1.2. Oracle DB uses datetime literal format timestamp'YYYY-MM-DD HH-MI:SS' 1.3. Oracle DB don't allows altering field property NOT NULL into NOT NULL 1.4. Oracle DB max object length is 30 chars, so some index names must be reduced 1.5. Oracle DB means empty string as NULLs, so NOT NULL restriction must be disabled for some field 1.6. Oracle DB can resolve database server name through TNS, so database name cannot be required 2. General: 2.2. Direct DB query execution result accessing instead of db_fetch_array() 1.3. usage didn't works with Oracle DB 2.4. Oracle DB binds variable by name, so bind names in statement must be sorted to address them. 2.5. Oracle DB handles NULL/DEFAULT values with specific way. 2.6. Oracle DB returns NULL value as true PHP null 2.7. Oracle DB handles sequence access with specific syntax 2.8. Nothing returned by db_prepare_string() in case of oci8 2.9. Oracle DB max object length is 30 chars, so table names must be reduced 2.10. Oracle DB uses LOB literal format similar to mssql 2.11. GetRowAssoc returns empty field values with oci8, it's need to enable returning both associative and indexed arrays. The original patch was provided by DKuranov. He reckons that this also resolves issues 0006853, 0007644, 0010437, 0010996, 0011265, 0011270, 0011276, 0012152, 0012478 Porting to 1.3 - Conflicts: admin/install.php admin/schema.php core/database_api.php manage_tags_page.php |
Affected Issues 0006853, 0007644, 0010437, 0010996, 0011265, 0011270, 0011276, 0012152, 0012478, 0013227 |
|
| mod - admin/install.php | Diff File | ||
| mod - admin/schema.php | Diff File | ||
| mod - core/database_api.php | Diff File | ||
|
master 96532dbe 2011-08-10 00:10 Details Diff |
Fix 0013228: SQL error in bugnote_api.php with PostgreSQL ERROR: column "u.realname" must appear in the GROUP BY clause or be used in an aggregate function Bug was introduced in release 1.2.6, commit c4c0a01e1f715aea775a36d3a6c7bc8bd74b5b8b. A new column was added to 2 SQL statements' SELECT clause, but the GROUP BY was not updated to match. This passed testing, as MySQL is more (too?) permissive and allows the SELECT clause to refer to ungrouped columns that are not in aggregate functions. This commit also removes unnecessary "u.id" column from the group by clause. |
Affected Issues 0013228 |
|
| mod - core/bugnote_api.php | Diff File | ||
|
master-1.2.x c6ab7a0c 2011-08-10 00:10 Details Diff |
Fix 0013228: SQL error in bugnote_api.php with PostgreSQL ERROR: column "u.realname" must appear in the GROUP BY clause or be used in an aggregate function Bug was introduced in release 1.2.6, commit c4c0a01e1f715aea775a36d3a6c7bc8bd74b5b8b. A new column was added to 2 SQL statements' SELECT clause, but the GROUP BY was not updated to match. This passed testing, as MySQL is more (too?) permissive and allows the SELECT clause to refer to ungrouped columns that are not in aggregate functions. This commit also removes unnecessary "u.id" column from the group by clause. |
Affected Issues 0013228 |
|
| mod - core/bugnote_api.php | Diff File | ||
|
master bcfdfff8 2011-08-09 02:51 Details Diff |
Fix 0011458: Missing attachments can not be deleted |
Affected Issues 0011458 |
|
| add - 12x | Diff File | ||
| mod - core/print_api.php | Diff File | ||
|
master-1.2.x 9ff8adc9 2011-08-09 02:30 Details Diff |
Fix 0011458: Missing attachments cannot be deleted |
Affected Issues 0011458 |
|
| mod - core/print_api.php | Diff File | ||
|
master 3d4d79e3 2011-08-09 01:47 Details Diff |
Verify that file upload path is writable in installation check | ||
| mod - admin/check/check_paths_inc.php | Diff File | ||
|
master-2.0.x e2044ac7 2011-08-09 01:47 Damien Regad Committer: Paul Richards Details Diff |
Verify that file upload path is writable in installation check | ||
| mod - admin/check/check_paths_inc.php | Diff File | ||
|
master 895a592f 2011-08-09 01:29 Details Diff |
Fix 0013226: Installation check should verify that default file upload path has trailing / Add config option absolute_path_default_upload_folder to the list of paths to validate in check_paths_inc.php |
Affected Issues 0013226 |
|
| mod - admin/check/check_paths_inc.php | Diff File | ||
|
master 0b449f92 2011-08-09 00:02 Details Diff |
Fix 0013225: Inconsistent handling of project file upload path Create a new function in project api to handle the file path validation and move the code comparing project file path check vs default path currently in manage_proj_create.php into the new function. The function is called from both project_create and project_update to ensure consistent behavior. |
Affected Issues 0013225 |
|
| mod - core/project_api.php | Diff File | ||
| mod - manage_proj_create.php | Diff File | ||
|
master-1.2.x bde53a02 2011-08-08 23:58 Details Diff |
Fix 0013226: check.php should verify that default file upload path has trailing / |
Affected Issues 0013226 |
|
| mod - admin/check.php | Diff File | ||
|
master-1.2.x b569cae8 2011-08-08 23:21 Details Diff |
Fix 0013225: Inconsistent handling of project file upload path Create a new function in project api to handle the file path validation and move the code comparing project file path check vs default path currently in manage_proj_create.php into the new function. The function is called from both project_create and project_update to ensure consistent behavior. |
Affected Issues 0013225 |
|
| mod - core/project_api.php | Diff File | ||
| mod - manage_proj_create.php | Diff File | ||
|
next ed74dae7 2011-08-04 19:04 Details Diff |
Fixes 0013190: View page doesn't honor view_handler_threshold threshold. The issue handler shows up in the following areas: - The 'assigned to' field. - The issue history. |
Affected Issues 0013190 |
|
| mod - application/core/history_api.php | Diff File | ||
| mod - public/bug_view_inc.php | Diff File | ||
|
master-1.2.x 3d91625b 2011-08-04 18:50 Details Diff |
Fixes 0013190: View page doesn't honor view_handler_threshold threshold. - Follow fix to add missing parameter in API call. |
Affected Issues 0013190 |
|
| mod - core/history_api.php | Diff File | ||
|
master ee169f73 2011-08-04 18:50 Details Diff |
Fixes 0013190: View page doesn't honor view_handler_threshold threshold. - Follow fix to add missing parameter in API call. |
Affected Issues 0013190 |
|
| mod - core/history_api.php | Diff File | ||
|
master-1.2.x 6d8faa56 2011-08-02 05:13 Details Diff |
Fix 0013181: Remove obsolete ldap_port from ldap_api.php See 655d959848d4f45edef48ae4e3099f4f411d8113 |
Affected Issues 0013181 |
|
| mod - core/ldap_api.php | Diff File | ||
