Changesets: MantisBT

master 01270e48 2009-12-01 00:50
Fix 0011237: XSS on tag_view_page.php with user Real Name field
The user real name field is not sanitised before being printed on tag_view_page.php thus exposing an XSS vulnerability.
Affected Issues 0011237
mod - tag_view_page.php

master-1.2.x 8491dbdf 2009-12-01 00:50
Fix 0011237: XSS on tag_view_page.php with user Real Name field
The user real name field is not sanitised before being printed on tag_view_page.php thus exposing an XSS vulnerability.
Affected Issues 0011237
mod - tag_view_page.php

master bb920bf5 2009-12-01 00:41
Fix 0011236: XSS on view_all_bug_page.php with user Real Name field
If a user is selected in one of the user filters (reporter, monitored by, etc) and that user has a name containing HTML elements, the HTML elements would not be escaped prior to displaying them as the currently selected filter options.
Affected Issues 0011236
mod - core/filter_api.php

master-1.2.x 4cb58c70 2009-12-01 00:41
Fix 0011236: XSS on view_all_bug_page.php with user Real Name field
If a user is selected in one of the user filters (reporter, monitored by, etc) and that user has a name containing HTML elements, the HTML elements would not be escaped prior to displaying them as the currently selected filter options.
Affected Issues 0011236
mod - core/filter_api.php

master a49cc3ce 2009-12-01 00:31
Fix 0011233: XSS on adm_config_report.php with user Real Name field
User real names were not sanitised on adm_config_report.php thus leading to XSS attacks against those with permission to access the configuration of a Mantis installation (typically Administrators only).
Affected Issues 0011233
mod - adm_config_report.php

master-1.2.x 92561bce 2009-12-01 00:31
Fix 0011233: XSS on adm_config_report.php with user Real Name field
User real names were not sanitised on adm_config_report.php thus leading to XSS attacks against those with permission to access the configuration of a Mantis installation (typically Administrators only).
Affected Issues 0011233
mod - adm_config_report.php

master 810ae079 2009-12-01 00:25
Fix 0011232: XSS on summary_page.php with user Real Name field
User real names should be sanitised before being printed to summary_page.php as it may be possible for the names to contain HTML elements that allow for XSS attacks.
Affected Issues 0011232
mod - core/summary_api.php

master-1.2.x c23edbfb 2009-12-01 00:25
Fix 0011232: XSS on summary_page.php with user Real Name field
User real names should be sanitised before being printed to summary_page.php as it may be possible for the names to contain HTML elements that allow for XSS attacks.
Affected Issues 0011232
mod - core/summary_api.php

master b1bc26eb 2009-12-01 00:14
Fix 0011235: XSS on manage_tags_page.php with user Real Name field
The "Real Name" field for users is not sanitised before being printed to manage_tags_page.php thus leading to an XSS vulnerability.
Affected Issues 0011235
mod - manage_tags_page.php

master-1.2.x 42e3640a 2009-12-01 00:14
Fix 0011235: XSS on manage_tags_page.php with user Real Name field
The "Real Name" field for users is not sanitised before being printed to manage_tags_page.php thus leading to an XSS vulnerability.
Affected Issues 0011235
mod - manage_tags_page.php

master-1.1.x c6f356da 2009-11-30 20:29
Fix 0011229: Fix tagging XSS scripting vulnerabilities
Tag names and descriptions were not properly sanitised before being written to HTML output. This meant that it was possible for users to create tags containing Javascript that is executed on every load of view_all_bug_page (and elsewhere) for all users.
Thanks to Michel Arboi from Tenable Network Security (Nessus) for reporting this issue.
This is a backport of 70b5022f556c9b9b6b0cd661e3357767a3b178c5
Affected Issues 0011229
mod - tag_update_page.php
mod - tag_view_page.php
mod - core/print_api.php
mod - core/filter_api.php

master-1.2.x d36359cf 2009-11-30 19:56
Fix 0011229: Fix tagging XSS scripting vulnerabilities
Tag names and descriptions were not properly sanitised before being written to HTML output. This meant that it was possible for users to create tags containing Javascript that is executed on every load of view_all_bug_page (and elsewhere) for all users.
Thanks to Michel Arboi from Tenable Network Security (Nessus) for reporting this issue.
Affected Issues 0011229
mod - tag_update_page.php
mod - core/filter_api.php
mod - tag_view_page.php
mod - core/print_api.php

master 70b5022f 2009-11-30 19:56
Fix 0011229: Fix tagging XSS scripting vulnerabilities
Tag names and descriptions were not properly sanitised before being written to HTML output. This meant that it was possible for users to create tags containing Javascript that is executed on every load of view_all_bug_page (and elsewhere) for all users.
Thanks to Michel Arboi from Tenable Network Security (Nessus) for reporting this issue.
Affected Issues 0011229
mod - core/print_api.php
mod - core/filter_api.php
mod - tag_update_page.php
mod - tag_view_page.php

master-1.2.x ff7f362f 2009-11-30 12:40
Issue 0004843: Implemented improved text filtering
The free text filter box now searches for individual terms in the field separately, obeys quoting patterns, and allows for negation. All terms found are required to be found somewhere in the issue (or not found anywhere for negated terms) in order for the issue to match the filter.
Example searches and their expected results:
  bus car
    Should find any issue that mentions both "bus" and "car"
  "micro computer"
    Should find any issue that mentions "micro computer" exactly; this matches the existing search behaviors
  apple -banana
    Should find any issue that mentions "apple" but has no mention of "banana"
  circuit -"power line"
    Should find any issue that mentions "circuit" but has no mention of "power line"
Affected Issues 0004843
mod - core/filter_api.php

master 60a4d24a 2009-11-30 12:40
Issue 0004843: Implemented improved text filtering
The free text filter box now searches for individual terms in the field separately, obeys quoting patterns, and allows for negation. All terms found are required to be found somewhere in the issue (or not found anywhere for negated terms) in order for the issue to match the filter.
Example searches and their expected results:
  bus car
    Should find any issue that mentions both "bus" and "car"
  "micro computer"
    Should find any issue that mentions "micro computer" exactly; this matches the existing search behaviors
  apple -banana
    Should find any issue that mentions "apple" but has no mention of "banana"
  circuit -"power line"
    Should find any issue that mentions "circuit" but has no mention of "power line"
Affected Issues 0004843
mod - core/filter_api.php

master 8d482274 2009-11-28 17:59
Localisation updates from translatewiki.net
mod - lang/strings_french.txt
mod - lang/strings_portuguese_brazil.txt
mod - lang/strings_hungarian.txt
mod - lang/strings_russian.txt
mod - lang/strings_spanish.txt
mod - lang/strings_german.txt
mod - lang/strings_swissgerman.txt
mod - lang/strings_dutch.txt
mod - lang/strings_galician.txt
mod - lang/strings_ripoarisch.txt
mod - lang/strings_arabic.txt
mod - lang/strings_japanese.txt

master-1.2.x 7dc11790 2009-11-24 17:16
Fixes 0011156: Restore the advanced flag in CustomFieldDefinitionData
This change was done entirely for backwards compatibility reasons and will not be ported to the master branch.
Affected Issues 0011156
mod - api/soap/mantisconnect.php

master d91387b1 2009-11-24 17:16
Fixes 0011156: Restore the advanced flag in CustomFieldDefinitionData
This change was done entirely for backwards compatibility reasons and will not be ported to the master branch.
Affected Issues 0011156
mod - api/soap/mantisconnect.php

master-1.2.x b22e7167 2009-11-23 22:12
Add missing space at top of bug list table
mod - view_all_inc.php

master fbbc2d01 2009-11-23 22:12
Add missing space at top of bug list table
mod - view_all_inc.php

master 1e87c208 2009-11-23 22:06
Cleanup Max. Size label placement for attachments
mod - proj_doc_add_page.php
mod - bug_report_page.php
mod - bug_file_upload_inc.php
mod - lang/strings_english.txt
mod - proj_doc_edit_page.php

master 81dd8e66 2009-11-23 21:49
Add missing strings
Commit abf8704e4dac1edd5d62474f900964041d15ce3a left behind some missing strings that caused errors. This commit fixes a few missing strings and etc that I found.
mod - lang/strings_english.txt
mod - core/filter_api.php

master-1.2.x c59ad8a6 2009-11-23 07:21
Cleanup use of ampersands in internally generated URLs
This should fix a number of bugs related to invalid links (created by confusion about whether to use & or &amp; in internal URLs). We should only apply htmlspecialchars() or similar at output time, assuming we want HTML output from Mantis. Internally, it is best to just use & to separate arguments in GET HTTP URLs.
There are still a few ugly bits of code that haven't been updated because to do so would require extensive rewriting in some sections. And in time, the print_ and html_ API is probably going to be deprecated by use of a templating engine so there is little point rewriting something that'll only get overhauled later.
This commit is the backport to the 1.2.x branch because it fixes a few bugs here and there.
Conflicts: main_page.php
Affected Issues 0011272
mod - login_select_proj_page.php
mod - api/soap/mc_issue_api.php
mod - core/string_api.php
mod - project_page.php
mod - news_update.php
mod - main_page.php
mod - account_prefs_reset.php
mod - login.php
mod - core/user_api.php
mod - api/soap/mc_project_api.php
mod - core/print_api.php
mod - query_view_page.php
mod - manage_proj_delete.php
mod - core/relationship_api.php
mod - login_page.php
mod - login_anon.php
mod - core/html_api.php
mod - manage_user_delete.php
mod - manage_user_page.php
mod - core/file_api.php
mod - bug_view_inc.php
mod - roadmap_page.php
mod - manage_proj_page.php
mod - bug_actiongroup_ext.php
mod - manage_user_prune.php
mod - adm_config_report.php
mod - core/form_api.php
mod - print_all_bug_page_word.php
mod - print_all_bug_page.php
mod - bug_relationship_graph.php
mod - core/relationship_graph_api.php
mod - core/rss_api.php
mod - my_view_inc.php
mod - tag_update_page.php
mod - core/ajax_api.php
mod - view_filters_page.php
mod - verify.php
mod - bugnote_view_inc.php
mod - manage_proj_edit_page.php
mod - changelog_page.php
mod - print_bug_page.php
mod - core/columns_api.php
mod - core/tag_api.php
mod - core/filter_api.php
mod - set_project.php
mod - excel_xml_export.php

master 0c9b5cd5 2009-11-23 07:00
Cleanup use of ampersands in internally generated URLs
This should fix a number of bugs related to invalid links (created by confusion about whether to use & or &amp; in internal URLs). We should only apply htmlspecialchars() or similar at output time, assuming we want HTML output from Mantis. Internally, it is best to just use & to separate arguments in GET HTTP URLs.
There are still a few ugly bits of code that haven't been updated because to do so would require extensive rewriting in some sections. And in time, the print_ and html_ API is probably going to be deprecated by use of a templating engine so there is little point rewriting something that'll only get overhauled later.
Affected Issues 0011272
mod - print_all_bug_page_word.php
mod - bug_relationship_graph.php
mod - login_select_proj_page.php
mod - core/string_api.php
mod - project_page.php
mod - news_update.php
mod - manage_user_delete.php
mod - account_prefs_reset.php
mod - login.php
mod - bugnote_view_inc.php
mod - query_view_page.php
mod - core/relationship_api.php
mod - adm_config_report.php
mod - login_anon.php
mod - core/html_api.php
mod - core/filter_api.php
mod - api/soap/mc_project_api.php
mod - bug_view_inc.php
mod - manage_user_prune.php
mod - view_filters_page.php
mod - manage_proj_page.php
mod - core/file_api.php
mod - core/form_api.php
mod - manage_proj_delete.php
mod - roadmap_page.php
mod - core/user_api.php
mod - api/soap/mc_issue_api.php
mod - print_all_bug_page.php
mod - core/relationship_graph_api.php
mod - core/rss_api.php
mod - my_view_inc.php
mod - tag_update_page.php
mod - core/ajax_api.php
mod - verify.php
mod - core/tag_api.php
mod - manage_proj_edit_page.php
mod - core/print_api.php
mod - manage_user_page.php
mod - print_bug_page.php
mod - changelog_page.php
mod - core/columns_api.php
mod - main_page.php
mod - login_page.php
mod - bug_actiongroup_ext.php
mod - set_project.php
mod - excel_xml_export.php

master-1.1.x 8ecb5fa4 2009-11-22 07:37
Fix 0011026: Fix XSS bug in view_filters_page.php
Fix a parsing/validation error whereby a target_field input of the form "status[]<script>bad_code();</script>" would be printed directly to HTML, thus leading to an XSS vulnerability.
Affected Issues 0011206
mod - view_filters_page.php