Search Changesets
MantisBT: master 9ef8f23a 2020-06-22 02:55
Fix XSS in view_all_bug_page.php (CVE-2020-16266)
Hanno Boeck reported a stored cross-site scripting (XSS) vulnerability, originally discovered by Jaime Andres Restrepo. Improper escaping on view_all_bug_page.php allowed a remote attacker to inject arbitrary HTML into the page by saving it into a text Custom Field, leading to possible code execution in the browser of any user subsequently viewing the issue (if CSP settings allow it). Prevent the attack by properly escaping the custom field's contents before display.
Fixes 0027056
Affected Issues 0027056
mod - core/filter_form_api.php
MantisBT: master b44c09c1 2020-06-18 11:19 translatewiki.net
Localisation updates from https://translatewiki.net.
mod - lang/strings_polish.txt
MantisBT: dependabot/composer/guzzlehttp/guzzle-6.5.5 f8ce05ed 2020-06-16 22:25 dependabot-preview[bot]
Bump guzzlehttp/guzzle from 6.5.4 to 6.5.5
Bumps [guzzlehttp/guzzle](https://github.com/guzzle/guzzle) from 6.5.4 to 6.5.5.
- [Release notes](https://github.com/guzzle/guzzle/releases)
- [Changelog](https://github.com/guzzle/guzzle/blob/6.5.5/CHANGELOG.md)
- [Commits](https://github.com/guzzle/guzzle/compare/6.5.4...6.5.5)
Signed-off-by: dependabot-preview[bot] <support@dependabot.com>
mod - composer.lock
MantisBT: master 5a96213e 2020-06-11 21:25
Create a Cronjob script and plugin event
This way there is one cronjob script to execute which triggers an event, then all plugins can hook into it.
Fixes 0027882
Affected Issues 0027882
mod - core/events_inc.php
mod - docbook/Developers_Guide/en-US/Events_Reference.xml
add - scripts/cronjob.php
MantisBT: master efb44e48 2020-06-11 09:26 translatewiki.net
Localisation updates from https://translatewiki.net.
mod - lang/strings_belarusian_tarask.txt
mod - lang/strings_portuguese_standard.txt
MantisBT: master 6f340058 2020-06-08 07:08 translatewiki.net
Localisation updates from https://translatewiki.net.
mod - lang/strings_chinese_simplified.txt
MantisBT: master 5100efa1 2020-06-04 07:51 translatewiki.net
Localisation updates from https://translatewiki.net.
mod - lang/strings_hungarian.txt
MantisBT: master 778af390 2020-06-03 01:17 dependabot-preview[bot]
Bump guzzlehttp/guzzle from 6.5.3 to 6.5.4
Bumps [guzzlehttp/guzzle](https://github.com/guzzle/guzzle) from 6.5.3 to 6.5.4.
- [Release notes](https://github.com/guzzle/guzzle/releases)
- [Changelog](https://github.com/guzzle/guzzle/blob/6.5.4/CHANGELOG.md)
- [Commits](https://github.com/guzzle/guzzle/compare/6.5.3...6.5.4)
Fixes 0026919, PR https://github.com/mantisbt/mantisbt/pull/1675
Signed-off-by: dependabot-preview[bot] <support@dependabot.com>
Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
Affected Issues 0026919
mod - composer.lock
MantisBT: master f9a43406 2020-06-03 00:57
Merge branch 'master-2.24'
# Conflicts:
#	composer.lock
#	core/constant_inc.php
mod - composer.lock
mod - docbook/Admin_Guide/en-US/Revision_History.xml
mod - docbook/Developers_Guide/en-US/Revision_History.xml
MantisBT: master-2.24 2fc66610 2020-06-03 00:55
Bump phpmailer/phpmailer from 6.1.5 to 6.1.6
Includes security fix for CVE-2020-13625: Insufficient output escaping of attachment names [1]
- [Release notes](https://github.com/PHPMailer/PHPMailer/releases)
- [Changelog](https://github.com/PHPMailer/PHPMailer/blob/master/changelog.md)
- [Commits](PHPMailer/PHPMailer@v6.1.5...v6.1.6)
Fixes 0027003
[1]: https://github.com/advisories/GHSA-f7hx-fqxw-rvvj
Affected Issues 0027003
mod - composer.lock
MantisBT: master b1d78e73 2020-06-01 12:33 translatewiki.net
Localisation updates from https://translatewiki.net.
mod - lang/strings_arabic.txt
mod - lang/strings_luxembourgish.txt
mod - lang/strings_zazaki.txt
MantisBT: master b162f8fb 2020-05-28 07:56
Fix TOO_MANY_REDIRECTS on bug_report_page.php
There is a redirection loop on bug_report_page.php, when the default project rights have been removed for a viewer user.
Fixes 0026988
Affected Issues 0026988
mod - bug_report_page.php
MantisBT: dependabot/composer/phpmailer/phpmailer-6.1.6 51d28833 2020-05-27 11:14 dependabot-preview[bot]
[Security] Bump phpmailer/phpmailer from 6.1.5 to 6.1.6
Bumps [phpmailer/phpmailer](https://github.com/PHPMailer/PHPMailer) from 6.1.5 to 6.1.6. **This update includes a security fix.**
- [Release notes](https://github.com/PHPMailer/PHPMailer/releases)
- [Changelog](https://github.com/PHPMailer/PHPMailer/blob/master/changelog.md)
- [Commits](https://github.com/PHPMailer/PHPMailer/compare/v6.1.5...v6.1.6)
Signed-off-by: dependabot-preview[bot] <support@dependabot.com>
mod - composer.lock
MantisBT: master 28163284 2020-05-26 07:09 translatewiki.net
Localisation updates from https://translatewiki.net.
mod - lang/strings_eo.txt
mod - lang/strings_korean.txt
mod - lang/strings_macedonian.txt
mod - lang/strings_russian.txt
mod - lang/strings_turkish.txt
MantisBT: master cd2246c5 2020-05-25 23:38
MantisGraph: Update chart.js to 2.9.3
Fixes 0027124
Affected Issues 0027124
mod - plugins/MantisGraph/MantisGraph.php
rm - plugins/MantisGraph/files/Chart-2.8.0.min.js
add - plugins/MantisGraph/files/Chart-2.9.3.min.js
MantisBT: master 4e82e3a5 2020-05-25 23:36
MantisGraph: stop using chart.js bundled build
The plugin currently links both chart.js and chart-bundle.js, which is not necessary. The latter includes Moment.js, which is already part of MantisBT since 2.0 (see layout_body_javascript() function), so using the stand-alone build should be sufficient. According to documentation [[1]] this could cause compatibility issues.
Fixes 0027123
[1]: https://www.chartjs.org/docs/latest/getting-started/installation.html#bundled-build
Affected Issues 0027123
mod - plugins/MantisGraph/MantisGraph.php
rm - plugins/MantisGraph/files/Chart.bundle-2.8.0.min.js
MantisBT: dependabot/composer/guzzlehttp/guzzle-6.5.4 3eace93f 2020-05-25 22:41 dependabot-preview[bot]
Bump guzzlehttp/guzzle from 6.5.3 to 6.5.4
Bumps [guzzlehttp/guzzle](https://github.com/guzzle/guzzle) from 6.5.3 to 6.5.4.
- [Release notes](https://github.com/guzzle/guzzle/releases)
- [Changelog](https://github.com/guzzle/guzzle/blob/6.5.4/CHANGELOG.md)
- [Commits](https://github.com/guzzle/guzzle/compare/6.5.3...6.5.4)
Signed-off-by: dependabot-preview[bot] <support@dependabot.com>
mod - composer.lock
MantisBT: master a1453788 2020-05-25 08:42
MantisGraph: new method to load chart.js resources
Since MantisBT 2.8.0, MantisGraph only loads chart.js for its own pages. This prevents other plugins from accessing these resources to publish their own charts, unless they bundle chart.js themselves. This commit exposes a dedicated public method include_chartjs() to include the library, separately from the plugin's standard resources() function.
Fixes 0027122
Affected Issues 0027122
mod - plugins/MantisGraph/MantisGraph.php
MantisBT: master 3aef726c 2020-05-23 18:57
Fix handling of `allow_reporter_close`
Fixes 0026920
Affected Issues 0026920
mod - core/commands/IssueViewPageCommand.php
MantisBT: master af7f8dcb 2020-05-21 03:06
Composer: add required json extension
This avoids warnings in code inspection tools (e.g. PHPStorm).
Issue 0026974
Affected Issues 0026974
mod - composer.json
MantisBT: master 8e068784 2020-05-21 02:49
Add missing required PHP extensions to documentation
Issue 0026974
Affected Issues 0026974
mod - docbook/Admin_Guide/en-US/Installation.xml
MantisBT: master 8d8d40e0 2020-05-21 02:40
Check for PHP json extension in admin checks
Fixes 0026974
Affected Issues 0026974
mod - admin/check/check_php_inc.php
MantisBT: master ef6160ff 2020-05-18 12:33
Remove get_magic_quotes_* checks
Our minimum supported PHP version is 5.5.0. Starting from PHP 5.4.0, get_magic_quotes_runtime and get_magic_quotes_gpc always return FALSE, as the magic quotes feature was removed from PHP. So the check is no longer needed. Starting from 7.4.0 the functions have been deprecated.
Fixes 0026964
Affected Issues 0026964
mod - admin/check/check_php_inc.php
MantisBT: master 9e6667c3 2020-05-18 06:07 translatewiki.net
Localisation updates from https://translatewiki.net.
mod - lang/strings_japanese.txt
mod - lang/strings_persian.txt
mod - lang/strings_spanish.txt
Tools: master 3112e131 2020-05-17 01:52
Do not abort if a plugin can't be updated
An error while executing the git command subprocess caused the whole script to stop. Taking advantage of new python3 subprocess.run() features, we catch the exception and log the error, allowing the whole process to complete.
mod - get_all_repos.py