Changesets: MantisBT

master 743a7dc2

2018-04-25 12:39:45

dregad

Merge branch 'master-2.13'
mod - bug_report.php
mod - bug_report_page.php

master-1.3.x 5cbf97f4

2018-04-25 12:31:45

dregad

Prevent cloning private issues by unauthorized users

Using a crafted request on bug_report_page.php (modifying the 'm_id'
parameter), any user with REPORTER access or above is able to view any
private issue's details (summary, description, steps to reproduce,
additional information) when cloning. By checking the 'Copy issue notes'
and 'Copy attachments' checkboxes and completing the clone operation,
this data also becomes public (except private notes).

Credits to Mustafa Hasan (strukt) strukt93@gmail.com for the finding.

@atrol noted that the same vulnerability also existed in bug_report.php,
although in this case the information disclosure is limited to notes and
attachments (issue data itself does not become accessible).

Added an access level check, so that the operation now fails with an
Access Denied error in both cases.

Backported from 1fbcd9bca2f2c77cb61624d36ddee4b3802c38ea
Fixes 0024365, CVE-2018-9839
Affected Issues
0024365
mod - bug_report.php
mod - bug_report_page.php

master 1fbcd9bc

2018-04-25 12:31:45

dregad

Prevent cloning private issues by unauthorized users

Using a crafted request on bug_report_page.php (modifying the 'm_id'
parameter), any user with REPORTER access or above is able to view any
private issue's details (summary, description, steps to reproduce,
additional information) when cloning. By checking the 'Copy issue notes'
and 'Copy attachments' checkboxes and completing the clone operation,
this data also becomes public (except private notes).

Credits to Mustafa Hasan (strukt) strukt93@gmail.com for the finding.

@atrol noted that the same vulnerability also existed in bug_report.php,
although in this case the information disclosure is limited to notes and
attachments (issue data itself does not become accessible).

Added an access level check, so that the operation now fails with an
Access Denied error in both cases.

Fixes 0024221, CVE-2018-9839
Prevent cloning private issues by unauthorized users

Using a crafted request on bug_report_page.php (modifying the 'm_id'
parameter), any user with REPORTER access or above is able to view any
private issue's details (summary, description, steps to reproduce,
additional information) when cloning. By checking the 'Copy issue notes'
and 'Copy attachments' checkboxes and completing the clone operation,
this data also becomes public (except private notes).

Added an access level check, so that the operation now fails with an
Access Denied error.

Credits to Mustafa Hasan (strukt) strukt93@gmail.com for the finding.

Fixes 0024221
Affected Issues
0024221
mod - bug_report.php
mod - bug_report_page.php

master 9e2daf94

2018-04-23 02:58:25

translatewiki.net

Localisation updates from https://translatewiki.net.
mod - lang/strings_icelandic.txt
add - plugins/Gravatar/lang/strings_icelandic.txt
add - plugins/MantisCoreFormatting/lang/strings_icelandic.txt
mod - plugins/MantisGraph/lang/strings_icelandic.txt
add - plugins/XmlImportExport/lang/strings_icelandic.txt

master f03ce567

2018-04-19 03:26:55

translatewiki.net

Localisation updates from https://translatewiki.net.
mod - lang/strings_ukrainian.txt

master c29aeb95

2018-04-18 17:25:38

atrol

Correct default value of my_view_boxes in Admin Guide

Fixes 0024326
Affected Issues
0024326
mod - docbook/Admin_Guide/en-US/config/myview.xml

master 65b8bff7

2018-04-18 17:09:36

atrol

Remove unused function filter_exists

No need to deprecate as the function didn't work.
There is a call of function filter_cache_row that doesn't exist.

Issue 0024325
Affected Issues
0024325
mod - core/filter_api.php

master 41543f15

2018-04-18 15:16:18

atrol

Remove unused local variables

Issue 0024325
Affected Issues
0024325
mod - core/classes/FilterConverter.class.php
mod - core/commands/IssueFileAddCommand.php
mod - core/commands/IssueFileGetCommand.php
mod - core/commands/IssueNoteAddCommand.php
mod - core/filter_api.php
mod - core/filter_form_api.php

master 6107c8db

2018-04-18 14:58:00

atrol

PHPdoc fixes

Issue 0024325
Affected Issues
0024325
mod - core/classes/DbQuery.class.php
mod - core/classes/FilterConverter.class.php
mod - core/relationship_api.php

master e6c18698

2018-04-17 02:27:03

dregad

Merge remote-tracking branch 'origin/master-2.13'

# Conflicts:
# core/constant_inc.php
mod - core/email_api.php
mod - docbook/Admin_Guide/en-US/Revision_History.xml
mod - docbook/Developers_Guide/en-US/Revision_History.xml
mod - plugins/MantisCoreFormatting/core/MantisMarkdown.php

master 7bc6b579

2018-04-16 16:49:50

atrol

Remove soap folder check

Fixes 0024236
Affected Issues
0024236
mod - admin/check/check_paths_inc.php

master 6084c10a

2018-04-12 09:29:00

translatewiki.net

Localisation updates from https://translatewiki.net.
mod - lang/strings_czech.txt

master 9b22d21d

2018-04-12 03:20:50

translatewiki.net

Localisation updates from https://translatewiki.net.
mod - lang/strings_greek.txt
mod - plugins/MantisCoreFormatting/lang/strings_greek.txt
mod - plugins/MantisGraph/lang/strings_greek.txt

master-2.13 88913cb3

2018-04-11 04:13:24

atrol

Use rgb color values for Markdown quote styling

Workaround as using hex values for colors starting with # introduces
unwanted side effects.

Fixes 0024233
Affected Issues
0024233
mod - plugins/MantisCoreFormatting/core/MantisMarkdown.php

master-2.13 8fd2701b

2018-04-09 16:34:14

atrol

Always send usernames in email notifications

Don't send realnames if $g_show_realname = ON;

This is a quick workaround as a clean solution needs some redesign.

At the moment $g_show_user_realname_threshold is considered based
on the current user.
This is wrong, as the option must be considered based on the
recipient of the notification.

Fixes 0024239
Affected Issues
0024239
mod - core/email_api.php

master 879c064c

2018-04-09 02:24:07

translatewiki.net

Localisation updates from https://translatewiki.net.
mod - lang/strings_greek.txt
mod - lang/strings_luxembourgish.txt
mod - plugins/MantisCoreFormatting/lang/strings_greek.txt
mod - plugins/MantisGraph/lang/strings_greek.txt
mod - plugins/XmlImportExport/lang/strings_greek.txt

master 64617111

2018-04-05 03:27:00

translatewiki.net

Localisation updates from https://translatewiki.net.
mod - lang/strings_belarusian_tarask.txt
mod - lang/strings_chinese_simplified.txt
mod - lang/strings_chinese_traditional.txt
mod - lang/strings_french.txt
mod - lang/strings_german.txt
mod - lang/strings_greek.txt
mod - lang/strings_korean.txt
mod - lang/strings_macedonian.txt
mod - lang/strings_portuguese_brazil.txt
mod - lang/strings_portuguese_standard.txt
mod - lang/strings_russian.txt
mod - lang/strings_skr-arab.txt
mod - lang/strings_swedish.txt
mod - plugins/Gravatar/lang/strings_korean.txt
mod - plugins/MantisCoreFormatting/lang/strings_korean.txt
mod - plugins/MantisGraph/lang/strings_korean.txt

master-2.12 1a7582c2

2018-04-04 10:09:29

vboctor

Update release to `2.12.2`
mod - core/constant_inc.php
mod - docbook/Admin_Guide/en-US/Revision_History.xml
mod - docbook/Developers_Guide/en-US/Revision_History.xml

master-2.13 42d36df1

2018-04-04 10:06:28

vboctor

Update version to `2.13.1`
mod - core/constant_inc.php
mod - docbook/Admin_Guide/en-US/Revision_History.xml
mod - docbook/Developers_Guide/en-US/Revision_History.xml

master 7d938299

2018-04-04 07:24:15

atrol

Correct default value of datetime_picker_format in Admin Guide

Fixes 0024220
Affected Issues
0024220
mod - docbook/Admin_Guide/en-US/config/date.xml

master 2797bdb8

2018-04-03 07:33:29

vboctor

Update dependencies

- Updating nikic/fast-route (v1.2.0 => v1.3.0)
- Updating pimple/pimple (v3.2.2 => v3.2.3)
- Updating slim/slim (3.8.1 => 3.9.2)
- Updating guzzlehttp/guzzle (6.3.0 => 6.3.2)
- Updating webmozart/assert (1.2.0 => 1.3.0)
- Updating phpspec/prophecy (v1.7.2 => 1.7.5)
- Updating phpunit/php-file-iterator (1.4.2 => 1.4.5)
- Updating phpunit/php-token-stream (1.4.11 => 1.4.12)
- Updating symfony/yaml (v2.8.28 => v2.8.37)

Fixes 0024196, 0024197
Affected Issues
0024196, 0024197
mod - composer.lock

master b68c98c0

2018-04-03 06:27:03

atrol

Merge branch 'master-2.13'
mod - plugins/MantisCoreFormatting/MantisCoreFormatting.php

master-2.13 7f60968e

2018-04-02 05:17:26

atrol

Correct links for mentions, issues and notes

Links are not correctly rendered if Markdown is enabled

Fixes 0024202
Affected Issues
0024202
mod - plugins/MantisCoreFormatting/MantisCoreFormatting.php

master-2.12 c731e8bf

2018-04-02 05:17:26

atrol

Correct links for mentions, issues and notes

Links are not correctly rendered if Markdown is enabled

Fixes 0024201
Affected Issues
0024201
mod - plugins/MantisCoreFormatting/MantisCoreFormatting.php

master 9087df77

2018-04-01 04:01:23

atrol

Update version to `2.14.0-dev`
mod - core/constant_inc.php