Search Changesets
|
MantisBT: master 69b9ada3 2018-05-13 09:03 Details Diff |
Catch unserialize errors in install_check_token_serialization() Instead of just choking on invalid data when unserializing it (and possibly display a PHP notice, depending on error reporting settings), we now catch the error and display a friendly and useful error message. |
||
| mod - core/install_helper_functions_api.php | Diff File | ||
|
MantisBT: master 5d544109 2018-05-13 08:53 Details Diff |
Catch unserialize errors in install_check_config_serialization() Instead of just choking on invalid data when unserializing it (and possibly display a PHP notice, depending on error reporting settings), we now catch the error and display a friendly and useful error message. |
||
| mod - core/install_helper_functions_api.php | Diff File | ||
|
MantisBT: master 6a8e1ccb 2018-05-13 08:53 Details Diff |
Catch unserialize errors in install_stored_filter_migrate() Instead of just choking on invalid data when unserializing it (and possibly display a PHP notice, depending on error reporting settings), we now catch the error and display a friendly and useful error message. This also fixes a potential error when handling invalid JSON, since json_decode() returns null (not false) in this case. |
||
| mod - core/install_helper_functions_api.php | Diff File | ||
|
MantisBT: master 21d13755 2018-05-13 08:51 Details Diff |
New safe_unserialize() utility function When given invalid data, unserialize() throws a PHP notice; this function relies on error_convert_to_exception() custom error handler to throw an Exception instead. |
||
| mod - core/utility_api.php | Diff File | ||
|
MantisBT: master b3b5cc4a 2018-05-13 08:45 Details Diff |
New error_convert_to_exception() function This is a simplistic error handler to convert PHP errors to Exceptions. It is used to temporarily override the default error handler, when it is required to catch a PHP error (e.g. when unserializing data in install helper functions). |
||
| mod - core/error_api.php | Diff File | ||
|
MantisBT: master f68362c8 2018-05-10 00:25 translatewiki.net Details Diff |
Localisation updates from https://translatewiki.net. | ||
| mod - lang/strings_dutch.txt | Diff File | ||
| mod - lang/strings_greek.txt | Diff File | ||
| mod - lang/strings_macedonian.txt | Diff File | ||
| mod - lang/strings_spanish.txt | Diff File | ||
| mod - plugins/MantisGraph/lang/strings_macedonian.txt | Diff File | ||
|
MantisBT: master d7ca6fa8 2018-05-06 23:40 Details Diff |
Fix generic error when anonymous login not defined When $g_allow_anonymous_login = ON and $g_anonymous_account = '', a Generic error is triggered in auth_flags() when trying to login anonymously. This is due to the fact that $p_user_id parameter is false in this case. To prevent this, the function now performs a loose-type check on the user id, so MantisBT returns to the login page with a friendlier error message "Your account may be disabled or blocked or the username/password you entered is incorrect." Fixes 0025061 |
Affected Issues 0025061 |
|
| mod - core/authentication_api.php | Diff File | ||
|
MantisBT: master 91782fe0 2018-05-06 23:10 Details Diff |
Anonymous login requires account to be set To enable anonymous login, we need both allow_anonymous_login and the anonymous_account to be set. The former without the latter results in a MantisBT generic error when trying to login anonymously, as login.php is called with an empty username. Fixes 0025061 |
Affected Issues 0025061 |
|
| mod - core/authentication_api.php | Diff File | ||
|
MantisBT: master 7aa805ea 2018-05-06 02:21 Details Diff |
Fix Class 'ClientException' not found in issue api Issue 0024398 |
Affected Issues 0024398 |
|
| mod - api/soap/mc_issue_api.php | Diff File | ||
|
MantisBT: master 2c2449b2 2018-05-04 18:14 Details Diff |
Create project version via REST API - Create a command for adding a project version. - Update web UI to use command to add project versions - Update SOAP API to add a project version - Create a REST API to add a project version Fixes 0024388 |
Affected Issues 0024388 |
|
| mod - api/rest/restcore/projects_rest.php | Diff File | ||
| mod - api/soap/mc_project_api.php | Diff File | ||
| add - core/commands/VersionAddCommand.php | Diff File | ||
| mod - core/version_api.php | Diff File | ||
| mod - manage_proj_ver_add.php | Diff File | ||
|
MantisBT: master 3812c5f6 2018-05-03 11:02 Details Diff |
Fix Class 'ClientException' not found in tag api Fixes 0024398 |
Affected Issues 0024398 |
|
| mod - api/soap/mc_tag_api.php | Diff File | ||
|
MantisBT: master 2d60e8c7 2018-05-02 23:30 translatewiki.net Details Diff |
Localisation updates from https://translatewiki.net. | ||
| mod - lang/strings_polish.txt | Diff File | ||
| mod - plugins/MantisGraph/lang/strings_polish.txt | Diff File | ||
|
MantisBT: master 58345c19 2018-04-29 22:31 Details Diff |
Update version to `2.15.0-dev` | ||
| mod - core/constant_inc.php | Diff File | ||
|
MantisBT: master 26c7a847 2018-04-29 22:27 translatewiki.net Details Diff |
Localisation updates from https://translatewiki.net. | ||
| mod - lang/strings_luxembourgish.txt | Diff File | ||
|
MantisBT: master-1.3.x 59121dde 2018-04-29 15:01 Details Diff |
Update version to `1.3.15` | ||
| mod - core/constant_inc.php | Diff File | ||
| mod - docbook/Admin_Guide/en-US/Revision_History.xml | Diff File | ||
| mod - docbook/Developers_Guide/en-US/Revision_History.xml | Diff File | ||
|
MantisBT: master 384bdf3b 2018-04-29 14:51 Details Diff |
Update version to `2.14.0` | ||
| mod - core/constant_inc.php | Diff File | ||
| mod - docbook/Admin_Guide/en-US/Revision_History.xml | Diff File | ||
| mod - docbook/Developers_Guide/en-US/Revision_History.xml | Diff File | ||
|
MantisBT: master 9edadd21 2018-04-29 14:47 Details Diff |
Update credits | ||
| mod - doc/CREDITS | Diff File | ||
|
MantisBT: master-2.13 337f60c5 2018-04-29 14:45 Details Diff |
Update version to `2.13.2` | ||
| mod - core/constant_inc.php | Diff File | ||
| mod - docbook/Admin_Guide/en-US/Revision_History.xml | Diff File | ||
| mod - docbook/Developers_Guide/en-US/Revision_History.xml | Diff File | ||
|
MantisBT: master e257b280 2018-04-27 16:43 Details Diff |
Merge remote-tracking branch 'origin/master-2.13' | ||
| mod - api/soap/mc_project_api.php | Diff File | ||
| mod - core/classes/FilterConverter.class.php | Diff File | ||
| mod - core/filter_api.php | Diff File | ||
|
MantisBT: master a96bf279 2018-04-27 06:01 Details Diff |
Merge branch 'master-2.13' | ||
| mod - core.php | Diff File | ||
| mod - core/commands/IssueNoteAddCommand.php | Diff File | ||
| mod - core/file_api.php | Diff File | ||
|
MantisBT: master 743a7dc2 2018-04-25 08:39 Details Diff |
Merge branch 'master-2.13' | ||
| mod - bug_report.php | Diff File | ||
| mod - bug_report_page.php | Diff File | ||
|
MantisBT: master 1fbcd9bc 2018-04-25 08:31 Details Diff |
Prevent cloning private issues by unauthorized users Using a crafted request on bug_report_page.php (modifying the 'm_id' parameter), any user with REPORTER access or above is able to view any private issue's details (summary, description, steps to reproduce, additional information) when cloning. By checking the 'Copy issue notes' and 'Copy attachments' checkboxes and completing the clone operation, this data also becomes public (except private notes). Credits to Mustafa Hasan (strukt) strukt93@gmail.com for the finding. @atrol noted that the same vulnerability also existed in bug_report.php, although in this case the information disclosure is limited to notes and attachments (issue data itself does not become accessible). Added an access level check, so that the operation now fails with an Access Denied error in both cases. Fixes 0024221, CVE-2018-9839 Prevent cloning private issues by unauthorized users Using a crafted request on bug_report_page.php (modifying the 'm_id' parameter), any user with REPORTER access or above is able to view any private issue's details (summary, description, steps to reproduce, additional information) when cloning. By checking the 'Copy issue notes' and 'Copy attachments' checkboxes and completing the clone operation, this data also becomes public (except private notes). Added an access level check, so that the operation now fails with an Access Denied error. Credits to Mustafa Hasan (strukt) strukt93@gmail.com for the finding. Fixes 0024221 |
Affected Issues 0024221 |
|
| mod - bug_report.php | Diff File | ||
| mod - bug_report_page.php | Diff File | ||
|
MantisBT: master-1.3.x 5cbf97f4 2018-04-25 08:31 Details Diff |
Prevent cloning private issues by unauthorized users Using a crafted request on bug_report_page.php (modifying the 'm_id' parameter), any user with REPORTER access or above is able to view any private issue's details (summary, description, steps to reproduce, additional information) when cloning. By checking the 'Copy issue notes' and 'Copy attachments' checkboxes and completing the clone operation, this data also becomes public (except private notes). Credits to Mustafa Hasan (strukt) strukt93@gmail.com for the finding. @atrol noted that the same vulnerability also existed in bug_report.php, although in this case the information disclosure is limited to notes and attachments (issue data itself does not become accessible). Added an access level check, so that the operation now fails with an Access Denied error in both cases. Backported from 1fbcd9bca2f2c77cb61624d36ddee4b3802c38ea Fixes 0024365, CVE-2018-9839 |
Affected Issues 0024365 |
|
| mod - bug_report.php | Diff File | ||
| mod - bug_report_page.php | Diff File | ||
|
MantisBT: master-2.13 e92176ef 2018-04-24 23:56 Details Diff |
Correct attachment handling when adding notes Fixing a SYSTEM WARNING on PHP 7.2 'count(): Parameter must be an array or an object that implements Countable' Fixes 0024355 |
Affected Issues 0024355 |
|
| mod - core/commands/IssueNoteAddCommand.php | Diff File | ||
| mod - core/file_api.php | Diff File | ||
|
MantisBT: master d6b1afe8 2018-04-24 17:51 Details Diff |
Don’t auto-set status when explicitly set by user Fixes 0024242 |
Affected Issues 0024242 |
|
| mod - bug_update.php | Diff File | ||
