Changesets: MantisBT
master-1.2.x 1b277fc8 2010-02-09 22:45
Fix 0011484: XSS on view_filters_page.php custom string field printing

view_filters_page.php shows a dropdown list of all values for any given custom string field. An XSS vulnerability exists due to a lack of sanitisation of custom field values when printed via print_filter_custom_field() from filter_api.php.

Affected Issues: 0011484
mod - core/filter_api.php

master 806582eb 2010-02-09 22:45
Fix 0011484: XSS on view_filters_page.php custom string field printing

view_filters_page.php shows a dropdown list of all values for any given custom string field. An XSS vulnerability exists due to a lack of sanitisation of custom field values when printed via print_filter_custom_field() from filter_api.php.

Affected Issues: 0011484
mod - core/filter_api.php

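The two 0011484 commits above (1b277fc8 on master-1.2.x, 806582eb on master) describe the bug only in prose. The following is an added example, not MantisBT's print_filter_custom_field() or any code from those commits: it puts the unescaped pattern the message describes next to the escaped form, using a constructed list of custom field values. The helper names and the sample values are assumptions for the demo.

```php
<?php
// Added example (not MantisBT code): printing custom string field values
// into a <select>. The unsafe variant mirrors the pattern the commit
// describes, the safe variant escapes once at the point of HTML output.

// Constructed sample of custom field values as they might come back from
// the database; the last one is an injection attempt.
function sample_custom_field_values() {
    return array(
        'Windows 7',
        'Ubuntu 9.10',
        '"><script>alert(document.cookie)</script>',
    );
}

// Vulnerable form: the value is interpolated into the attribute and the
// option text verbatim, so the quote in the payload closes the attribute
// and the <script> element is rendered live by the browser.
function render_filter_options_unsafe(array $p_values) {
    $t_html = '';
    foreach ($p_values as $t_value) {
        $t_html .= '<option value="' . $t_value . '">' . $t_value . "</option>\n";
    }
    return $t_html;
}

// Hardened form: escape in the HTML context at output time. ENT_QUOTES
// converts both quote characters, so the result is safe inside a double-
// or single-quoted attribute as well as in element text.
function html_escape($p_string) {
    return htmlspecialchars($p_string, ENT_QUOTES, 'UTF-8');
}

function render_filter_options_safe(array $p_values) {
    $t_html = '';
    foreach ($p_values as $t_value) {
        $t_escaped = html_escape($t_value);
        $t_html .= '<option value="' . $t_escaped . '">' . $t_escaped . "</option>\n";
    }
    return $t_html;
}

// Self-check: does a live <script> tag survive into the markup?
function demo() {
    $t_values = sample_custom_field_values();
    return array(
        'unsafe_has_script' => strpos(render_filter_options_unsafe($t_values), '<script>') !== false,
        'safe_has_script'   => strpos(render_filter_options_safe($t_values), '<script>') !== false,
    );
}

var_dump(demo());
```

The check to carry over from this: every place a custom field value reaches HTML (option value, option text, column cell, filter summary) needs the same output-time escaping; escaping on input is not a substitute, because values stored before the fix are already in the database unescaped.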
master-1.2.x 6ede60d3 2010-02-09 18:48
Fix 0011481: Don't show bug group actions that can't be used

Currently the bug action group dropdown list on view_all_bug_page.php shows (almost) every available option, even if the current user isn't authorised to use those options. This patch implements checking to see which options are available to the user for the issues which are currently shown on view_all_bug_page.php. Options are only displayed in the dropdown list if the user is able to use the option on at least one of the bugs displayed.

Additionally, the logic behind when selection checkboxes are shown alongside a bug has been improved. Checkboxes won't display next to bugs that the user cannot perform group actions on.

Backported from master branch because it's needed to resolve an LFI/XSS issue in bug_actiongroup_ext.php.

Affected Issues: 0011481
mod - core/bug_group_action_api.php
mod - core/columns_api.php
mod - core/print_api.php
mod - my_view_inc.php
mod - view_all_bug_page.php
mod - view_all_inc.php

master eb562360 2010-02-08 09:54
Issue 0010730: Use crypto_api for generating nonces and improve hashing

A new Crypto API function crypto_generate_uri_safe_nonce has been added which generates base64 encoded URI safe alphabet nonces according to RFC4648. This nonce creation function can thus be used throughout MantisBT where we need a random nonce. The primary use at the moment is with form_api tokens.

Hashing throughout the codebase has been improved to use the newly implemented $g_crypto_master_salt configuration option. This deprecates a number of older salt configuration options as we now derive salts from the master salt as needed. The Whirlpool hashing function is used to generate stronger hashes (instead of the original md5 hashing that is now deprecated). RSS keys, cookie strings, lost password confirmation hashes, CAPTCHA keys, form CSRF tokens and so forth have all been upgraded to make use of the new Crypto API infrastructure and better hashing/salting methods.

Affected Issues: 0010730
mod - core/rss_api.php
mod - make_captcha_img.php
mod - docbook/adminguide/en/configuration.sgml
mod - config_defaults_inc.php
mod - core/form_api.php
mod - core/authentication_api.php
mod - core/obsolete.php
mod - core/crypto_api.php
mod - core/config_api.php
mod - signup.php
mod - signup_page.php

master 045a8970 2010-02-08 05:46
Issue 0010730: Implement new crypto_api

This implements the foundation of a new Cryptography API which is responsible for providing cryptography functionality to MantisBT. For now, the only feature available in this new API is the generation of secure and strong randomness using openssl_random_pseudo_bytes in PHP 5.3 (if available), /dev/urandom if available on the system or an enhanced mt_rand generator built on top of PHP's existing Mersenne Twister pseudo random number. We used to just rely on a single mt_rand() for generating nonces or providing other cryptographic functionality. This posed a number of problems including the leakage of the internal state of the Mersenne Twister PRNG, enabling users to predict all future outputs of the PRNG. Additionally, the total number of combinations available from mt_rand() is very small when in many cases we need more than a few million combinations of keys.

The new approach calls mt_rand() multiple times and then, using a secret unique salt known only to each MantisBT installation, hashes the output using the Whirlpool algorithm. This produces 512 bits of output that can be used for creating a random string/nonce. If more than 512 bits of output are required, we simply perform this operation multiple times until we have generated enough output. While the new Mersenne Twister method for generating random strings is still anything but strong or secure, it does raise the bar significantly. It is hoped that this method is only used as a last resort when no other options for generating strong randomness are available.

A new configuration option $g_crypto_master_salt was also added to form the basis of salting and hashing functions in the future. Currently we use different keys for RSS, signup/lost password verification and so forth when it'd be much easier to just derive keys as needed from the master salt. If $g_crypto_master_salt is not defined by the user, MantisBT will refuse to work. This salt must be at least 16 characters long in the hope that users who don't understand the importance of setting a strong master salt are informed of their mistake. This refusal to work unless the user sets a strong $g_crypto_master_salt value in config_inc.php is necessary because it forms the basis for a lot of the security features implemented in MantisBT. We don't want users forgetting to set $g_crypto_master_salt and using a default value known to the entire world.

Affected Issues: 0010730
mod - core/constant_inc.php
mod - admin/install.php
mod - admin/upgrade_unattended.php
mod - lang/strings_english.txt
mod - core.php
mod - admin/test_langs.php
add - core/crypto_api.php
mod - docbook/adminguide/en/configuration.sgml
mod - config_defaults_inc.php
mod - admin/check.php

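The two 0010730 commits (eb562360 and 045a8970) describe the design of the new Crypto API without showing code. What follows is an added standalone sketch of that design, not MantisBT's core/crypto_api.php: the randomness source order (openssl_random_pseudo_bytes, then /dev/urandom, then mt_rand mixed with a secret salt and hashed with Whirlpool), the RFC 4648 URL-safe nonce encoding, the master salt length check, and deriving per-purpose salts from $g_crypto_master_salt. The names crypto_generate_uri_safe_nonce and $g_crypto_master_salt come from the page; crypto_random_bytes, crypto_mt_rand_fallback, crypto_derive_salt, crypto_check_master_salt, the HMAC construction and the sample salt value are assumptions for this example.

```php
<?php
// Added example, not MantisBT's crypto_api.php. Stand-in for config_inc.php:
// a real deployment must set its own secret value; this one is constructed
// for the demo and must not be copied anywhere.
$g_crypto_master_salt = 'demo-only-master-salt-change-me-0123456789';

// Refuse to run with a missing or short master salt, as the commit describes:
// every derived key would otherwise be predictable by the whole world.
function crypto_check_master_salt() {
    global $g_crypto_master_salt;
    if (!isset($g_crypto_master_salt) || strlen($g_crypto_master_salt) < 16) {
        throw new RuntimeException('$g_crypto_master_salt must be set to at least 16 characters');
    }
}

// Last-resort generator: mix several mt_rand() outputs with the secret salt
// and hash with Whirlpool, 64 bytes (512 bits) per round, repeating until
// enough output exists. This hides the raw Mersenne Twister state from the
// caller but is still not a CSPRNG; its strength rests on the salt staying
// secret.
function crypto_mt_rand_fallback($p_bytes) {
    global $g_crypto_master_salt;
    $t_out = '';
    while (strlen($t_out) < $p_bytes) {
        $t_pool = $g_crypto_master_salt . $t_out;
        for ($i = 0; $i < 8; $i++) {
            $t_pool .= mt_rand() . microtime(true);
        }
        $t_out .= hash('whirlpool', $t_pool, true);
    }
    return substr($t_out, 0, $p_bytes);
}

// Preferred sources first; the fallback is only reached when both fail.
function crypto_random_bytes($p_bytes) {
    if (function_exists('openssl_random_pseudo_bytes')) {
        $t_strong = false;
        $t_bytes  = openssl_random_pseudo_bytes($p_bytes, $t_strong);
        if ($t_strong && strlen($t_bytes) === $p_bytes) {
            return $t_bytes;
        }
    }
    if (is_readable('/dev/urandom')) {
        $t_fh = fopen('/dev/urandom', 'rb');
        if ($t_fh !== false) {
            $t_bytes = fread($t_fh, $p_bytes);
            fclose($t_fh);
            if (strlen($t_bytes) === $p_bytes) {
                return $t_bytes;
            }
        }
    }
    return crypto_mt_rand_fallback($p_bytes);
}

// RFC 4648 "base64url" alphabet: '+' becomes '-', '/' becomes '_', padding is
// dropped, so the nonce can sit in a URL or form field without more encoding.
function crypto_generate_uri_safe_nonce($p_length) {
    $t_raw = crypto_random_bytes((int) ceil($p_length * 3 / 4));
    return substr(rtrim(strtr(base64_encode($t_raw), '+/', '-_'), '='), 0, $p_length);
}

// Derive a per-purpose salt from the master salt instead of a separately
// configured key for RSS, CAPTCHA, lost-password mails and so on. HMAC is
// this example's choice of derivation; the page only says salts are derived.
function crypto_derive_salt($p_purpose) {
    global $g_crypto_master_salt;
    crypto_check_master_salt();
    return hash_hmac('whirlpool', $p_purpose, $g_crypto_master_salt);
}

crypto_check_master_salt();
echo 'form token: ', crypto_generate_uri_safe_nonce(32), "\n";
echo 'rss salt:   ', crypto_derive_salt('rss'), "\n";
```

Two practical checks when deploying this kind of design: confirm which branch of crypto_random_bytes actually runs on the production host (openssl_random_pseudo_bytes can return with $t_strong false on some builds, and /dev/urandom may be unreadable in a chroot), and make sure the 16-character minimum is enforced on every entry point, including the unattended upgrade and install scripts the commit lists, so a fresh install cannot come up with the documented placeholder value.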
master cca25660 2010-02-07 21:58
Issue 0010059: Select 'duplicate' resolution automatically

If a bug X has a duplicate_of relationship with another bug Y and bug X is resolved via bug_change_status_page.php, we should preselect the resolution as 'duplicate'. This commit also prevents the display of the duplicate bug ID field when an existing duplicate relationship exists. A new configuration option $g_bug_duplicate_resolution defines the default resolution that is used when bugs are resolved as being duplicates.

Affected Issues: 0010059
mod - bug_change_status_page.php
mod - config_defaults_inc.php
mod - docbook/adminguide/en/configuration.sgml

master-1.2.x 8f92d886 2010-02-07 20:53
Fix 0008539: Special characters not parsed correctly in RSS output

PHP's DOMDocument::createTextNode automatically escapes special characters within the node value. Therefore we don't need to double escape these special characters (in particular, the ampersand) using string_rss_links(...) when PHP already does the escaping for us. Use of DOMDocument::createCDATASection doesn't escape special characters and thus we still need to use string_rss_links(...) to do our own escaping of the description field.

Affected Issues: 0008539
mod - issues_rss.php

master aa058c53 2010-02-07 20:53
Fix 0008539: Special characters not parsed correctly in RSS output

PHP's DOMDocument::createTextNode automatically escapes special characters within the node value. Therefore we don't need to double escape these special characters (in particular, the ampersand) using string_rss_links(...) when PHP already does the escaping for us. Use of DOMDocument::createCDATASection doesn't escape special characters and thus we still need to use string_rss_links(...) to do our own escaping of the description field.

Affected Issues: 0008539
mod - issues_rss.php

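The 0008539 commits (8f92d886 and aa058c53) rest on a detail of DOMDocument that is easy to get wrong, so here is an added example that reproduces it; it is not MantisBT's issues_rss.php. It builds one RSS item twice, once with the title pre-escaped before createTextNode (the double-escaping bug) and once without, while the description always goes through a CDATA section and is escaped by hand. rss_escape() is a stand-in for string_rss_links(), about which the page only says that it escapes special characters such as the ampersand; the sample title and description are constructed.

```php
<?php
// Added example, not MantisBT code: text node vs. CDATA escaping in DOMDocument.

// Stand-in for string_rss_links(): a plain HTML escape is assumed here.
function rss_escape($p_string) {
    return htmlspecialchars($p_string, ENT_QUOTES, 'UTF-8');
}

// Build one <item> and return it serialised. $p_pre_escape selects whether
// the title is escaped before being handed to createTextNode.
function build_item($p_title, $p_description, $p_pre_escape) {
    $t_doc  = new DOMDocument('1.0', 'UTF-8');
    $t_item = $t_doc->createElement('item');
    $t_doc->appendChild($t_item);

    // <title> as a text node: the serialiser escapes &, < and > itself, so
    // escaping first turns "&" into "&amp;amp;" in the feed.
    $t_title = $t_doc->createElement('title');
    $t_title->appendChild(
        $t_doc->createTextNode($p_pre_escape ? rss_escape($p_title) : $p_title)
    );
    $t_item->appendChild($t_title);

    // <description> as a CDATA section: the serialiser never touches CDATA
    // content, so the caller must escape the HTML itself. Escaping ">" to
    // "&gt;" also guarantees the sequence "]]>" cannot appear and end the
    // section early.
    $t_desc = $t_doc->createElement('description');
    $t_desc->appendChild($t_doc->createCDATASection(rss_escape($p_description)));
    $t_item->appendChild($t_desc);

    return $t_doc->saveXML($t_item);
}

// Constructed sample input containing an ampersand and a tag.
$t_title = 'Crash in foo & bar <module>';
$t_desc  = 'Steps: click <b>Save</b> & wait';

echo "double-escaped title (the bug):\n", build_item($t_title, $t_desc, true), "\n\n";
echo "escaped once (the fix):\n", build_item($t_title, $t_desc, false), "\n";
```

The rule to take away is to escape exactly once, at the layer that does not escape for you: text nodes are escaped by the XML serialiser, CDATA sections are not, and feed readers decode the result differently depending on which one the element used.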
master-1.2.x 5f7cef9d 2010-02-07 20:08
Fix 0011394: Lost password email not sent when user language is invalid

When the language specified in the preferences for a user does not exist or is otherwise invalid (for example: when updating from previous versions of MantisBT), the lost password email is not sent to the user. This is probably because of lang_push( user_pref_get_language( user_id ) ) where user_pref_get_language can return false and lang_push expects a string (or null).

Affected Issues: 0011394
mod - core/lang_api.php
mod - core/user_pref_api.php

master c8e30df5 2010-02-07 20:08
Fix 0011394: Lost password email not sent when user language is invalid

When the language specified in the preferences for a user does not exist or is otherwise invalid (for example: when updating from previous versions of MantisBT), the lost password email is not sent to the user. This is probably because of lang_push( user_pref_get_language( user_id ) ) where user_pref_get_language can return false and lang_push expects a string (or null).

Affected Issues: 0011394
mod - core/lang_api.php
mod - core/user_pref_api.php

master-1.2.x b65591fd 2010-02-07 06:55
Fix 0011449: Fix incorrect table name in db_get_table call

In the 1.2.x branch of MantisBT, db_get_table expects a prefix of "mantis" and a suffix of "table". This was updated in the 1.3.x branch so that the prefix and suffix aren't used in calls to db_get_table. Commit 8a9f6d0593d78bc7b4cbe47c0444ba0d50d05fa2 was a backport of the same patch applied to the 1.3.x branch. In this backport, the db_get_table argument should have been changed to add the required "mantis" prefix and "table" suffix to the table name.

Affected Issues: 0011449
mod - core/bug_api.php

master-1.2.x 185b4b26 2010-02-07 06:52
Issue 0011375: Narrow down SQL SELECT to get minimum columns

We only need the user_id column, not bug_id or other columns in the bug_monitor table.

Affected Issues: 0011375
mod - core/bug_api.php

master 83b89fcd 2010-02-07 06:52
Issue 0011375: Narrow down SQL SELECT to get minimum columns

We only need the user_id column, not bug_id or other columns in the bug_monitor table.

Affected Issues: 0011375
mod - core/bug_api.php

master-1.2.x d8309606 2010-02-02 01:44 Author: Alexander Menk, Committer: jreese
Honour enable_profiles on account page

If enable_profiles is OFF, the link to the profile-management should not be shown.

Signed-off-by: John Reese <jreese@leetcode.net>

mod - core/html_api.php

master 05478e96 2010-02-02 01:44 Author: Alexander Menk, Committer: jreese
Honour enable_profiles on account page

If enable_profiles is OFF, the link to the profile-management should not be shown.

Signed-off-by: John Reese <jreese@leetcode.net>

mod - core/html_api.php

master-1.2.x 237ce056 2010-01-31 02:29
11444: 57% of queries are redundant when including two custom fields on View Issues page.

Affected Issues: 0011444
mod - core/custom_field_api.php

master c9d783ce 2010-01-31 02:29
11444: 57% of queries are redundant when including two custom fields on View Issues page.

Affected Issues: 0011444
mod - core/custom_field_api.php

master-1.2.x 9a55e85c 2010-01-27 11:07
Fix 0011041: set_status_threshold doesn't work on a per-project basis

We currently use access_get_status_threshold() inside access_api.php to do all checks based on the set_status_threshold configuration option. Hence this function works on a global level. It accepts a project ID argument but doesn't actually use it! This commit also fixes up some issues with the change status option lists with respect to per-project configuration of set_status_threshold.

Affected Issues: 0011041
mod - core/print_api.php
mod - bug_change_status_page.php
mod - core/access_api.php
mod - core/html_api.php

master c0bdd8c9 2010-01-27 11:07
Fix 0011041: set_status_threshold doesn't work on a per-project basis

We currently use access_get_status_threshold() inside access_api.php to do all checks based on the set_status_threshold configuration option. Hence this function works on a global level. It accepts a project ID argument but doesn't actually use it! This commit also fixes up some issues with the change status option lists with respect to per-project configuration of set_status_threshold.

Affected Issues: 0011041
mod - core/access_api.php
mod - core/print_api.php
mod - bug_change_status_page.php
mod - core/html_api.php

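The 0011041 commits (9a55e85c and c0bdd8c9) describe an authorisation function that takes a project ID and ignores it. The following is an added example, not MantisBT's access_api.php, that reproduces that shape next to the corrected lookup and runs the regression check a reviewer would want: a user whose level satisfies the global threshold but not a stricter per-project override must be denied after the fix. The in-memory config array and demo_config_get() stand in for MantisBT's config_get(); the numeric access levels and status codes are assumptions chosen to match MantisBT's usual defaults.

```php
<?php
// Added example, not MantisBT code: project-scoped set_status_threshold.

// Assumed numeric values (MantisBT's defaults as far as this demo needs them).
define('DEVELOPER', 55);
define('MANAGER',   70);
define('RESOLVED',  80);
define('CLOSED',    90);

// Constructed configuration: a global threshold table plus a stricter
// override for project 7. Key 0 plays the role of ALL_PROJECTS.
$g_config = array(
    'set_status_threshold' => array(
        0 => array(RESOLVED => DEVELOPER, CLOSED => MANAGER),
        7 => array(RESOLVED => MANAGER,   CLOSED => MANAGER),
    ),
);

// Stand-in for config_get(): the project-specific value when one exists,
// otherwise the global one.
function demo_config_get($p_option, $p_project_id) {
    global $g_config;
    $t_values = $g_config[$p_option];
    if (isset($t_values[$p_project_id])) {
        return $t_values[$p_project_id];
    }
    return $t_values[0];
}

// Buggy shape: $p_project_id is part of the signature but never used, so
// every project is checked against the global thresholds.
function access_get_status_threshold_buggy($p_status, $p_project_id) {
    $t_thresholds = demo_config_get('set_status_threshold', 0);
    return $t_thresholds[$p_status];
}

// Fixed shape: the project ID is threaded through to the config lookup.
function access_get_status_threshold_fixed($p_status, $p_project_id) {
    $t_thresholds = demo_config_get('set_status_threshold', $p_project_id);
    return $t_thresholds[$p_status];
}

// May a user holding $p_user_level in $p_project_id move an issue to $p_status?
function can_set_status($p_user_level, $p_status, $p_project_id, $p_use_fix) {
    $t_threshold = $p_use_fix
        ? access_get_status_threshold_fixed($p_status, $p_project_id)
        : access_get_status_threshold_buggy($p_status, $p_project_id);
    return $p_user_level >= $t_threshold;
}

// Regression check: a DEVELOPER in project 7, where resolving requires
// MANAGER. The buggy lookup allows it, the fixed lookup denies it.
var_dump(can_set_status(DEVELOPER, RESOLVED, 7, false));
var_dump(can_set_status(DEVELOPER, RESOLVED, 7, true));
```

When auditing similar code, grep for access functions whose project or scope parameter is never read inside the body; the same mistake silently downgrades every per-project override to the global setting, and the UI option lists the commit also fixes are only a symptom of it.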
master-1.2.x 764989fc 2010-01-25 01:27
Fix 0011420: 'Loading...' string for AJAX controls isn't translatable

The 'Loading...' string within ajax.js should be translatable into different languages.

Affected Issues: 0011420
mod - javascript/dev/ajax.js
mod - javascript/min/ajax.js
mod - core/html_api.php

master 8bc6b668 2010-01-25 01:27
Fix 0011420: 'Loading...' string for AJAX controls isn't translatable

The 'Loading...' string within ajax.js should be translatable into different languages.

Affected Issues: 0011420
mod - javascript/dev/ajax.js
mod - javascript/min/ajax.js
mod - core/html_api.php

master 91049c21 2010-01-25 01:18
Incorrect include filename in xmlhttprequest.php

Commit 2d5455cce290531359a55d353010258c6f3f6f34 had an incorrect filename included within xmlhttprequest.php

mod - xmlhttprequest.php

master-1.2.x 2f42c6a0 2010-01-25 00:56
Fix 0011426: Time tracking stopwatch strings not translatable

The strings used for the old inbuilt time tracking stopwatch feature need to be translatable.

Affected Issues: 0011426
mod - javascript/dev/time_tracking_stopwatch.js
mod - bugnote_add_inc.php
mod - javascript/min/time_tracking_stopwatch.js
mod - lang/strings_english.txt

master 18c52001 2010-01-25 00:56
Fix 0011426: Time tracking stopwatch strings not translatable

The strings used for the old inbuilt time tracking stopwatch feature need to be translatable.

Affected Issues: 0011426
mod - lang/strings_english.txt
mod - javascript/dev/time_tracking_stopwatch.js
mod - javascript/min/time_tracking_stopwatch.js
mod - bugnote_add_inc.php

master-1.2.x 4beb15aa 2010-01-25 00:40
Fix 0011429: 'Attachment missing' not translatable

The string 'attachment missing' should be translatable in the language files.

Affected Issues: 0011429
mod - core/print_api.php
mod - lang/strings_english.txt