Changesets: MantisBT
master 7291c07b 2014-10-18 13:22 Details Diff |
Revert "CSS: Remove uppercase transform on menu headings" This reverts commit c1feb96ab3ee8ad7e6e4a7f1a0d986b763510ef3. |
||
mod - css/default.css | Diff File | ||
master 215e78b4 2014-10-18 13:22 Details Diff |
Revert "CSS: Remove uppercase transform on menu headings" This reverts commit c1feb96ab3ee8ad7e6e4a7f1a0d986b763510ef3. |
||
mod - css/default.css | Diff File | ||
master 8016c301 2014-10-18 13:22 Details Diff |
Revert "CSS: Remove uppercase transform on menu headings" This reverts commit c1feb96ab3ee8ad7e6e4a7f1a0d986b763510ef3. |
||
mod - css/default.css | Diff File | ||
master b0d0c9dc 2014-10-17 15:22 Paul Richards Committer: dregad Details Diff |
Additional timezone init fixes
Implements additional fixes submitted by grangeway in PR 0000387
- Set installer_db_now() timezone to UTC
- Remove timezone_identifiers_list() existence checks
  These checks are obsolete; they were implemented to cover RHEL/CentOS under PHP 5.1 and we now require 5.3.
- Travis: set timezone to UTC
Signed-off-by: Damien Regad <dregad@mantisbt.org> |
||
mod - account_prefs_update.php | Diff File | ||
mod - admin/schema.php | Diff File | ||
mod - core/print_api.php | Diff File | ||
mod - scripts/travis_before_script.sh | Diff File | ||
master 23aecac3 2014-10-17 10:14 Paul Richards Committer: vboctor Details Diff |
Fixes 0017783: New Event: EVENT_MANAGE_VERSION_DELETE Add new event: EVENT_MANAGE_VERSION_DELETE These events allow plugins to log or 'block' a version or project deletion, as they occur prior to any version or project deletion. This could be used to allow synchronisation with a 3rd party system, to deny the deletion of specific projects/versions, or to provide auditing/event logging. |
Affected Issues 0017782 |
|
mod - core/events_inc.php | Diff File | ||
mod - core/version_api.php | Diff File | ||
mod - docbook/Developers_Guide/en-US/Events_Reference_Manage.xml | Diff File | ||
master 42e7ed02 2014-10-17 10:13 Paul Richards Committer: vboctor Details Diff |
New Event: EVENT_MANAGE_PROJECT_DELETE Add new event: EVENT_MANAGE_PROJECT_DELETE These events allow plugins to process or 'block' a project deletion, as they occur prior to any version or project deletion. This could be used to allow synchronisation with a 3rd party system, to deny the deletion of specific projects. Fixes 0017783 Signed-off-by: Victor Boctor <victor@mantishub.net> |
Affected Issues 0017783 |
|
mod - core/events_inc.php | Diff File | ||
mod - core/project_api.php | Diff File | ||
mod - docbook/Developers_Guide/en-US/Events_Reference_Manage.xml | Diff File | ||
master 7d3dd430 2014-10-17 07:21 Details Diff |
XML plugin: Add config page with access thresholds Prior to this, any user of a MantisBT instance with the XML Import/Export plugin enabled and knowing the URL to the plugin's import page could upload an XML file and insert data without restriction, regardless of their access level. This vulnerability is particularly dangerous when used in combination with the one described in issue 0017725 (CVE-2014-7146) as it makes for a very simple and easily accessible vector for PHP code injection attacks. There was also no access check when exporting data, which could allow an attacker to gain access to confidential information (disclosure of all bug-related data, including usernames). Fixes 0017780 (CVE-2014-8598) |
Affected Issues 0017725, 0017780 |
|
mod - plugins/XmlImportExport/XmlImportExport.php | Diff File | ||
mod - plugins/XmlImportExport/lang/strings_english.txt | Diff File | ||
add - plugins/XmlImportExport/pages/config.php | Diff File | ||
add - plugins/XmlImportExport/pages/config_page.php | Diff File | ||
mod - plugins/XmlImportExport/pages/export.php | Diff File | ||
mod - plugins/XmlImportExport/pages/import.php | Diff File | ||
master-1.2.x 80a15487 2014-10-17 07:21 Details Diff |
XML plugin: Add config page with access thresholds Prior to this, any user of a MantisBT instance with the XML Import/Export plugin enabled and knowing the URL to the plugin's import page could upload an XML file and insert data without restriction, regardless of their access level. This vulnerability is particularly dangerous when used in combination with the one described in issue 0017725 (CVE-2014-7146) as it makes for a very simple and easily accessible vector for PHP code injection attacks. There was also no access check when exporting data, which could allow an attacker to gain access to confidential information (disclosure of all bug-related data, including usernames). Fixes 0017780 (CVE-2014-8598) |
Affected Issues 0017725, 0017780 |
|
mod - plugins/XmlImportExport/XmlImportExport.php | Diff File | ||
mod - plugins/XmlImportExport/lang/strings_english.txt | Diff File | ||
add - plugins/XmlImportExport/pages/config.php | Diff File | ||
add - plugins/XmlImportExport/pages/config_page.php | Diff File | ||
mod - plugins/XmlImportExport/pages/export.php | Diff File | ||
mod - plugins/XmlImportExport/pages/import.php | Diff File | ||
master-1.2.x 74ac9bfc 2014-10-16 14:11 Paul Richards Committer: dregad Details Diff |
Fix: Javascript error in extended project browser | ||
mod - core/print_api.php | Diff File | ||
master 74f3cb3a 2014-10-15 20:54 Details Diff |
Refactor override reporter access check
- Refactored the check in mc_issue_add() and mc_issue_note_add().
- Added TODOs to add the test cases to SOAP API when it is possible to add users via SOAP. |
||
mod - api/soap/mc_issue_api.php | Diff File | ||
master 2ffc3393 2014-10-15 15:58 Details Diff |
Whitespace | ||
mod - plugins/XmlImportExport/ImportXml.php | Diff File | ||
mod - plugins/XmlImportExport/ImportXml/Issue.php | Diff File | ||
mod - plugins/XmlImportExport/ImportXml/Mapper.php | Diff File | ||
mod - plugins/XmlImportExport/mantis.dtd | Diff File | ||
master b8b307d7 2014-10-15 15:54 Details Diff |
XML Import: HTML/CSS fixes | ||
mod - css/default.css | Diff File | ||
mod - plugins/XmlImportExport/pages/import.php | Diff File | ||
master 2d82b243 2014-10-15 15:39 Details Diff |
New BugData object due_date should be blank Prior to this, the due_date field was initialized to 0, causing the date to be incorrectly preset to 1970-01-01 00:00 UTC. Fixes 0017847 |
Affected Issues 0017847 |
|
mod - core/bug_api.php | Diff File | ||
master-1.2.x 1cba70e6 2014-10-15 15:39 Details Diff |
New BugData object due_date should be blank Prior to this, the due_date field was initialized to 0, causing the date to be incorrectly preset to 1970-01-01 00:00 UTC. Backport from master 2d82b2430922e6bc0ac733007792955c92a4df05 Fixes 0017847 |
Affected Issues 0017847 |
|
mod - core/bug_api.php | Diff File | ||
master 03aa6d5f 2014-10-15 14:19 Details Diff |
XML import plugin: replace links in 'steps to reproduce' Duplicates logic used to process links for 'description' field. Fixes 0017775 |
Affected Issues 0017775 |
|
mod - library/adodb | Diff File | ||
mod - plugins/XmlImportExport/ImportXml.php | Diff File | ||
master aea1a348 2014-10-15 14:16 Details Diff |
XML import plugin does not process links There was an error in the if statement logic in ImportXML::import(); due to an incorrectly placed closing parenthesis, the replace statement was never executed. Fixes 0017774 |
Affected Issues 0017774 |
|
mod - plugins/XmlImportExport/ImportXml.php | Diff File | ||
master 9a29f27e 2014-10-14 07:20 Details Diff |
Revised admin check for $g_default_timezone
- Clarification of messages, added links to PHP documentation
- When default timezone is null, issue warning instead of failure and indicate defaulting to UTC |
||
mod - admin/check/check_i18n_inc.php | Diff File | ||
master 86ff189c 2014-10-14 07:18 Details Diff |
Update documentation for $g_default_timezone | ||
mod - config_defaults_inc.php | Diff File | ||
mod - docbook/Admin_Guide/en-US/config/timezone.xml | Diff File | ||
master 6d0b96cb 2014-10-14 06:38 Details Diff |
Fix timezone initialization in core.php
Prior to this, core.php would trigger a PHP warning on PHP >= 5.3 when date_default_timezone_get() is not able to determine the timezone and defaults to UTC (e.g. when php.ini date.timezone is not set).
The timezone is determined in the following order
1. user preferences
2. MantisBT configuration ($g_default_timezone)
3. php.ini setting (date.timezone)
4. UTC (set by date_default_timezone_get())
Fixes 0017747 |
Affected Issues 0017747 |
|
mod - core.php | Diff File | ||
mod - core/date_api.php | Diff File | ||
master f350dbcf 2014-10-14 03:13 Details Diff |
Fix 0017751: add 'UTC' to timezone selection list Also fixes the list for timezones containing a '/' in the name (e.g. Argentina/xxx) |
Affected Issues 0017751 |
|
mod - core/print_api.php | Diff File | ||
master d7ff5e14 2014-10-13 14:19 Paul Richards Details Diff |
phpdoc compress_api.php: remove incorrect @uses statement | ||
mod - core/compress_api.php | Diff File | ||
master 91871704 2014-10-12 14:48 Details Diff |
Document 'webservice_specify_reporter_...' config | ||
mod - docbook/Admin_Guide/en-US/Configuration.xml | Diff File | ||
master 666b56c7 2014-10-12 14:38 Committer: vboctor Details Diff |
Fix 0012541: mc_issue_note_add function not honoring reporter data When using the function mc_issue_note_add() the submitted reporter data aren't used. This fix allows users with 'webservice_specify_reporter_on_add_access_level_threshold' access level to override reporter when submitting notes. This makes it consistent with mc_issue_add() api. |
Affected Issues 0012541 |
|
mod - api/soap/mc_issue_api.php | Diff File | ||
master bd317e36 2014-10-12 12:21 Paul Richards Details Diff |
Add check to ensure php fastcgi handler sets SCRIPT_NAME | ||
mod - admin/check/check_php_inc.php | Diff File | ||
master 13264a7c 2014-10-12 02:51 Paul Richards Details Diff |
Add ability to skip display of submenus | ||
mod - core/authentication_api.php | Diff File | ||
mod - core/html_api.php | Diff File |