| *** kirillka <kirillka!~Miranda@195.242.142.17> has joined #mantisbt | 00:58 | |
| *** Kunda <Kunda!~sphenoid@cpe-68-201-94-52.stx.res.rr.com> has quit IRC | 01:23 | |
| *** giallu__ <giallu__!~giallu@adsl-ull-231-36.40-151.net24.it> has joined #mantisbt | 03:03 | |
| *** giallu_ <giallu_!~giallu@fedora/giallu> has joined #mantisbt | 03:53 | |
| *** giallu_ is now known as giallyu | 03:55 | |
| *** giallyu is now known as giallu | 03:55 | |
| *** giallu__ <giallu__!~giallu@adsl-ull-231-36.40-151.net24.it> has quit IRC | 03:55 | |
| *** giallu_ <giallu_!~giallu@fedora/giallu> has joined #mantisbt | 04:39 | |
| *** giallu <giallu!~giallu@fedora/giallu> has quit IRC | 04:39 | |
| *** mantisbot <mantisbot!~supybot@fluffy.mantisbt.org> has joined #mantisbt | 05:13 | |
| *** giallu_ <giallu_!~giallu@fedora/giallu> has quit IRC | 07:38 | |
| *** lazar2606 <lazar2606!5345a6eb@gateway/web/freenode/ip.83.69.166.235> has joined #mantisbt | 08:25 | |
| *** lazar2606 <lazar2606!5345a6eb@gateway/web/freenode/ip.83.69.166.235> has quit IRC | 08:27 | |
| *** tururu <tururu!5345a6eb@gateway/web/freenode/ip.83.69.166.235> has joined #mantisbt | 08:40 | |
| *** tururu <tururu!5345a6eb@gateway/web/freenode/ip.83.69.166.235> has left #mantisbt | 08:40 | |
| *** lazar2606 <lazar2606!5345a6eb@gateway/web/freenode/ip.83.69.166.235> has joined #mantisbt | 08:49 | |
| paulr | mutes: moo | 10:55 |
|---|---|---|
| paulr | muts * | 10:55 |
| muts | hey paulr, how goes? | 10:55 |
| paulr | not too bad | 10:55 |
| paulr | you disabled the profile bit on your tracker right? | 10:55 |
| muts | yes, i found the config parameters for it and disabled it. | 10:56 |
| paulr | can you reenable it for 5 minutes? | 10:56 |
| muts | sure, let me do that now and ping you here. | 10:56 |
| muts | done. | 10:57 |
| paulr | `<option value=""></option><option value="79">"><img src=x onerror=prompt(1);> "><img src=x onerror=prompt(1);> "><img src=x one</option><option value="3">` | 10:59 |
| paulr | ok, so that looks ok... | 10:59 |
| muts | it looks like the actual xss is triggered when you open up the "OS options" just before you submit the bug. | 10:59 |
| paulr | ahh, I see now | 11:00 |
| paulr | it does a xmlhttprequest | 11:00 |
| paulr | and returns `<ul><li>"><img src=x onerror=prompt(1);></li></ul>` | 11:00 |
| paulr | so now why didn't that happen locally | 11:00 |
| paulr | you can change your config back if you want | 11:00 |
| *** lazar2606 <lazar2606!5345a6eb@gateway/web/freenode/ip.83.69.166.235> has quit IRC | 11:01 | |
| paulr | https://github.com/mantisbt/mantisbt/commit/b77ea9cd2333f1549eea03f020da574747a2a855 | 11:03 |
| muts | thanks | 11:03 |
| paulr | well | 11:03 |
| paulr | hang on | 11:03 |
| paulr | OK so in 2010 | 11:04 |
| paulr | we replaced 'projax' with using jquery | 11:04 |
| paulr | and as part of that rework, we return the string json_encoded (But not escaped) | 11:04 |
| paulr | and presumably jquery itself or something we've also changed at some point is then escaping the string before displaying in browser | 11:05 |
| paulr | so yet again, this basically comes back to the fact there's a lot of improvements in master and we've never done a release | 11:06 |
| paulr | right, added 2 bugnotes to the issue that for everyone else | 11:10 |
| paulr | one with a potential fix, but I'll leave someone else to validate that ;p | 11:10 |
| muts | when's the next release? | 11:13 |
| muts | and why the wait ? | 11:13 |
| paulr | that's probably more politics than anything else | 11:26 |
| *** Kunda <Kunda!~sphenoid@214.sub-70-195-202.myvzw.com> has joined #mantisbt | 11:28 | |
| muts | well, i for one am eagerly waiting for the next release. | 11:39 |
| muts | and applaud you guys for responding so quickly | 11:40 |
| paulr | we seem to have issues "shipping" code to end users | 11:41 |
| paulr | as opposed to writing code | 11:41 |
| *** Protogenes <Protogenes!~Protogene@dslb-188-106-220-078.188.106.pools.vodafone-ip.de> has quit IRC | 11:41 | |
| muts | our bug bounty programs brings out the bugs from the woodwork in various projects, and few if any respond as quick as you do. | 11:41 |
| paulr | sure, but fixing it in git / identifying the issue and getting end users running it are two different things :) | 11:43 |
| paulr | we're pretty good at the first bit! | 11:44 |
| *** Protogenes <Protogenes!~Protogene@dslb-188-106-220-078.188.106.pools.vodafone-ip.de> has joined #mantisbt | 11:48 | |
| *** Protogenes <Protogenes!~Protogene@dslb-188-106-220-078.188.106.pools.vodafone-ip.de> has quit IRC | 11:53 | |
| *** Protogenes <Protogenes!~Protogene@dslb-188-106-220-078.188.106.pools.vodafone-ip.de> has joined #mantisbt | 11:55 | |
| *** Protogenes <Protogenes!~Protogene@dslb-188-106-220-078.188.106.pools.vodafone-ip.de> has quit IRC | 12:09 | |
| *** Kunda <Kunda!~sphenoid@214.sub-70-195-202.myvzw.com> has quit IRC | 12:16 | |
| *** Kunda <Kunda!~sphenoid@249.sub-70-195-198.myvzw.com> has joined #mantisbt | 12:25 | |
| *** Kunda <Kunda!~sphenoid@249.sub-70-195-198.myvzw.com> has quit IRC | 12:46 | |
| *** Protogenes <Protogenes!~Protogene@dslb-188-106-220-078.188.106.pools.vodafone-ip.de> has joined #mantisbt | 13:03 | |
| *** Kunda <Kunda!~sphenoid@172-11-122-212.lightspeed.austtx.sbcglobal.net> has joined #mantisbt | 14:07 | |
| *** Kunda <Kunda!~sphenoid@172-11-122-212.lightspeed.austtx.sbcglobal.net> has joined #mantisbt | 14:22 | |
| *** Protogenes <Protogenes!~Protogene@dslb-188-106-220-078.188.106.pools.vodafone-ip.de> has joined #mantisbt | 15:21 | |
| *** Protogenes <Protogenes!~Protogene@dslb-188-106-220-078.188.106.pools.vodafone-ip.de> has quit IRC | 15:31 | |
| *** kirillka <kirillka!~Miranda@195.242.142.17> has quit IRC | 15:47 | |
| *** tururu <tururu!5d51ef71@gateway/web/freenode/ip.93.81.239.113> has joined #mantisbt | 15:57 | |
| *** Kunda <Kunda!~sphenoid@172-11-122-212.lightspeed.austtx.sbcglobal.net> has quit IRC | 17:16 | |
| *** Kunda <Kunda!~sphenoid@172-11-122-212.lightspeed.austtx.sbcglobal.net> has joined #mantisbt | 17:22 | |
| *** Ragnor <Ragnor!~Ragnor@dslb-146-060-077-079.146.060.pools.vodafone-ip.de> has quit IRC | 17:35 | |
| *** Kunda <Kunda!~sphenoid@172-11-122-212.lightspeed.austtx.sbcglobal.net> has quit IRC | 18:37 | |
| *** Kunda <Kunda!~sphenoid@172-11-122-212.lightspeed.austtx.sbcglobal.net> has joined #mantisbt | 18:41 | |
| *** Kunda <Kunda!~sphenoid@172-11-122-212.lightspeed.austtx.sbcglobal.net> has quit IRC | 20:15 | |
| *** Kunda <Kunda!~sphenoid@172-11-122-212.lightspeed.austtx.sbcglobal.net> has joined #mantisbt | 20:17 | |
| *** Kunda <Kunda!~sphenoid@172-11-122-212.lightspeed.austtx.sbcglobal.net> has quit IRC | 21:13 | |
| *** Kunda <Kunda!~sphenoid@172-11-122-212.lightspeed.austtx.sbcglobal.net> has joined #mantisbt | 21:54 | |
| *** Kunda <Kunda!~sphenoid@172-11-122-212.lightspeed.austtx.sbcglobal.net> has quit IRC | 22:09 | |
| *** Kunda <Kunda!~sphenoid@172-11-122-212.lightspeed.austtx.sbcglobal.net> has joined #mantisbt | 22:44 | |
| *** Kunda <Kunda!~sphenoid@172-11-122-212.lightspeed.austtx.sbcglobal.net> has quit IRC | 22:48 | |
| *** suntouch123 <suntouch123!7286ba3b@gateway/web/freenode/ip.114.134.186.59> has joined #mantisbt | 22:53 | |
| suntouch123 | 0 | 22:54 |
| *** suntouch123 <suntouch123!7286ba3b@gateway/web/freenode/ip.114.134.186.59> has quit IRC | 22:54 | |
| *** Kunda <Kunda!~sphenoid@cpe-68-201-94-52.stx.res.rr.com> has joined #mantisbt | 23:59 | |