| 1 |
pva 08/10/24 08:56:15 |
| 2 |
|
| 3 |
Added: mantisbt-1.1.4-r5687:5688.patch |
| 4 |
Removed: mantis-1.1.4-r5702.patch |
| 5 |
Log: |
| 6 |
Further fixes from upstream, reset password should work now, bug #243360, thank Marek Królikowski for report. |
| 7 |
(Portage version: 2.2_rc12/cvs/Linux 2.6.26-openvz.git-777e816 i686) |
| 8 |
|
| 9 |
Revision Changes Path |
| 10 |
1.1 www-apps/mantisbt/files/mantisbt-1.1.4-r5687:5688.patch |
| 11 |
|
| 12 |
file : http://sources.gentoo.org/viewcvs.py/gentoo-x86/www-apps/mantisbt/files/mantisbt-1.1.4-r5687:5688.patch?rev=1.1&view=markup |
| 13 |
plain: http://sources.gentoo.org/viewcvs.py/gentoo-x86/www-apps/mantisbt/files/mantisbt-1.1.4-r5687:5688.patch?rev=1.1&content-type=text/plain |
| 14 |
|
| 15 |
Index: mantisbt-1.1.4-r5687:5688.patch |
| 16 |
=================================================================== |
| 17 |
Index: lang/strings_english.txt |
| 18 |
=================================================================== |
| 19 |
--- lang/strings_english.txt (revision 5688) |
| 20 |
+++ lang/strings_english.txt (revision 5719) |
| 21 |
@@ -298,9 +298,11 @@ |
| 22 |
$MANTIS_ERROR[ERROR_TAG_ALREADY_ATTACHED] = 'That tag already attached to that bug.'; |
| 23 |
$MANTIS_ERROR[ERROR_TOKEN_NOT_FOUND] = 'Token could not be found.'; |
| 24 |
$MANTIS_ERROR[ERROR_SESSION_HANDLER_INVALID] = 'Invalid session handler.'; |
| 25 |
-$MANTIS_ERROR[ERROR_SESSION_VAR_NOT_FOUND] = 'Session variable \'%s\' not found.'; |
| 26 |
+$MANTIS_ERROR[ERROR_SESSION_VAR_NOT_FOUND] = 'Session variable "%s" not found.'; |
| 27 |
+$MANTIS_ERROR[ERROR_SESSION_NOT_VALID] = 'Your session has become invalidated.'; |
| 28 |
$MANTIS_ERROR[ERROR_FORM_TOKEN_INVALID] = 'Invalid form security token. Did you submit the form twice by accident?'; |
| 29 |
$MANTIS_ERROR[ERROR_INVALID_REQUEST_METHOD] = 'This page cannot be accessed using this method.'; |
| 30 |
+$MANTIS_ERROR[ERROR_INVALID_SORT_FIELD] = 'Invalid sort field.'; |
| 31 |
|
| 32 |
$s_login_error = 'Your account may be disabled or blocked or the username/password you entered is incorrect.'; |
| 33 |
$s_login_cookies_disabled = 'Your browser either doesn\'t know how to handle cookies, or refuses to handle them.'; |
| 34 |
Index: account_page.php |
| 35 |
=================================================================== |
| 36 |
--- account_page.php (revision 5688) |
| 37 |
+++ account_page.php (revision 5719) |
| 38 |
@@ -94,6 +94,9 @@ |
| 39 |
<div align="center"> |
| 40 |
<form method="post" action="account_update.php"> |
| 41 |
<?php echo form_security_field( 'account_update' )?> |
| 42 |
+<?php if ( isset( $g_session_pass_id ) ) { ?> |
| 43 |
+<input type="hidden" name="session_id" value="<?php echo session_id() ?>"/> |
| 44 |
+<?php } ?> |
| 45 |
<table class="width75" cellspacing="1"> |
| 46 |
|
| 47 |
<!-- Headings --> |
| 48 |
Index: core/utility_api.php |
| 49 |
=================================================================== |
| 50 |
--- core/utility_api.php (revision 5688) |
| 51 |
+++ core/utility_api.php (revision 5719) |
| 52 |
@@ -192,10 +192,20 @@ |
| 53 |
$t_factor = 1; |
| 54 |
} |
| 55 |
|
| 56 |
+ if( empty( $p_array ) ) { |
| 57 |
+ return $p_array; |
| 58 |
+ } |
| 59 |
+ if( !is_array( current($p_array ) ) ) { |
| 60 |
+ error_parameters( 'tried to multisort an invalid multi-dimensional array' ); |
| 61 |
+ trigger_error(ERROR_GENERIC, ERROR); |
| 62 |
+ } |
| 63 |
+ |
| 64 |
// Security measure: see http://www.mantisbt.org/bugs/view.php?id=9704 for details |
| 65 |
- if ( array_key_exists( $p_key, $p_array ) ) { |
| 66 |
- $t_function = create_function( '$a, $b', "return $t_factor * strnatcasecmp( \$a['$p_key'], \$b['$p_key'] );" ); |
| 67 |
+ if( array_key_exists( $p_key, current($p_array) ) ) { |
| 68 |
+ $t_function = create_function( '$a, $b', "return $t_factor * strnatcasecmp( \$a['" . $p_key . "'], \$b['" . $p_key . "'] );" ); |
| 69 |
uasort( $p_array, $t_function ); |
| 70 |
+ } else { |
| 71 |
+ trigger_error(ERROR_INVALID_SORT_FIELD, ERROR); |
| 72 |
} |
| 73 |
return $p_array; |
| 74 |
} |
| 75 |
Index: core/session_api.php |
| 76 |
=================================================================== |
| 77 |
--- core/session_api.php (revision 5688) |
| 78 |
+++ core/session_api.php (revision 5719) |
| 79 |
@@ -48,7 +48,7 @@ |
| 80 |
* to PHP's session.* settings in 'php.ini'. |
| 81 |
*/ |
| 82 |
class MantisPHPSession extends MantisSession { |
| 83 |
- function __construct() { |
| 84 |
+ function __construct( $p_session_id=null ) { |
| 85 |
$t_session_save_path = config_get_global( 'session_save_path' ); |
| 86 |
if ( $t_session_save_path ) { |
| 87 |
session_save_path( $t_session_save_path ); |
| 88 |
@@ -60,6 +60,11 @@ |
| 89 |
} else { |
| 90 |
session_set_cookie_params( 0, config_get( 'cookie_path' ), config_get( 'cookie_domain' ), false ); |
| 91 |
} |
| 92 |
+ |
| 93 |
+ if ( !is_null( $p_session_id ) ) { |
| 94 |
+ session_id( $p_session_id ); |
| 95 |
+ } |
| 96 |
+ |
| 97 |
session_start(); |
| 98 |
$this->id = session_id(); |
| 99 |
} |
| 100 |
@@ -102,13 +107,14 @@ |
| 101 |
|
| 102 |
/** |
| 103 |
* Initialize the appropriate session handler. |
| 104 |
+ * @param string Session ID |
| 105 |
*/ |
| 106 |
-function session_init() { |
| 107 |
+function session_init( $p_session_id=null ) { |
| 108 |
global $g_session, $g_session_handler; |
| 109 |
|
| 110 |
switch( strtolower( $g_session_handler ) ) { |
| 111 |
case 'php': |
| 112 |
- $g_session = new MantisPHPSession(); |
| 113 |
+ $g_session = new MantisPHPSession( $p_session_id ); |
| 114 |
break; |
| 115 |
|
| 116 |
case 'adodb': |
| 117 |
@@ -119,9 +125,42 @@ |
| 118 |
trigger_error( ERROR_SESSION_HANDLER_INVALID, ERROR ); |
| 119 |
break; |
| 120 |
} |
| 121 |
+ |
| 122 |
+ session_validate( $g_session ); |
| 123 |
} |
| 124 |
|
| 125 |
/** |
| 126 |
+ * Validate the legitimacy of a session. |
| 127 |
+ * Checks may include last-known IP address, or more. |
| 128 |
+ * Triggers an error when the session is invalid. |
| 129 |
+ * @param object Session object |
| 130 |
+ */ |
| 131 |
+function session_validate( $p_session ) { |
| 132 |
+ $t_user_ip = ''; |
| 133 |
+ if ( isset( $_SERVER['REMOTE_ADDR'] ) ) { |
| 134 |
+ $t_user_ip = trim( $_SERVER['REMOTE_ADDR'] ); |
| 135 |
+ } |
| 136 |
+ |
| 137 |
+ if ( is_null( $t_last_ip = $p_session->get( 'last_ip', null ) ) ) { |
| 138 |
+ # First session usage |
| 139 |
+ $p_session->set( 'last_ip', $t_user_ip ); |
| 140 |
+ |
| 141 |
+ } else { |
| 142 |
+ # Check a continued session request |
| 143 |
+ if ( $t_user_ip != $t_last_ip ) { |
| 144 |
+ session_clean(); |
| 145 |
+ |
| 146 |
+ trigger_error( ERROR_SESSION_NOT_VALID, WARNING ); |
| 147 |
+ |
| 148 |
+ $t_url = config_get_global( 'path' ) . config_get_global( 'default_home_page' ); |
| 149 |
+ echo "\t<meta http-equiv=\"Refresh\" content=\"4;URL=$t_url\" />\n"; |
| 150 |
+ |
| 151 |
+ die(); |
| 152 |
+ } |
| 153 |
+ } |
| 154 |
+} |
| 155 |
+ |
| 156 |
+/** |
| 157 |
* Get arbitrary data from the session. |
| 158 |
* @param string Session variable name |
| 159 |
* @param mixed Default value |
| 160 |
@@ -190,4 +229,11 @@ |
| 161 |
|
| 162 |
|
| 163 |
##### Initialize the session |
| 164 |
-session_init(); |
| 165 |
+$t_session_id = gpc_get_string( 'session_id', '' ); |
| 166 |
+ |
| 167 |
+if ( empty( $t_session_id ) ) { |
| 168 |
+ session_init(); |
| 169 |
+} else { |
| 170 |
+ session_init( $t_session_id ); |
| 171 |
+} |
| 172 |
+ |
| 173 |
Index: core/constant_inc.php |
| 174 |
=================================================================== |
| 175 |
--- core/constant_inc.php (revision 5688) |
| 176 |
+++ core/constant_inc.php (revision 5719) |
| 177 |
@@ -195,6 +195,7 @@ |
| 178 |
define( 'ERROR_HANDLER_ACCESS_TOO_LOW', 17 ); |
| 179 |
define( 'ERROR_PAGE_REDIRECTION', 18 ); |
| 180 |
define( 'ERROR_INVALID_REQUEST_METHOD', 19 ); |
| 181 |
+ define( 'ERROR_INVALID_SORT_FIELD', 20 ); |
| 182 |
|
| 183 |
# ERROR_CONFIG_* |
| 184 |
define( 'ERROR_CONFIG_OPT_NOT_FOUND', 100 ); |
| 185 |
@@ -326,6 +327,7 @@ |
| 186 |
# ERROR_SESSION_* |
| 187 |
define ( 'ERROR_SESSION_HANDLER_INVALID', 2700); |
| 188 |
define ( 'ERROR_SESSION_VAR_NOT_FOUND', 2701); |
| 189 |
+ define ( 'ERROR_SESSION_NOT_VALID', 2702); |
| 190 |
|
| 191 |
# ERROR_FORM_* |
| 192 |
define ( 'ERROR_FORM_TOKEN_INVALID', 2800 ); |
| 193 |
@@ -422,4 +424,3 @@ |
| 194 |
define( 'SPONSORSHIP_REQUESTED', 1 ); |
| 195 |
define( 'SPONSORSHIP_PAID', 2 ); |
| 196 |
|
| 197 |
-?> |
| 198 |
Index: verify.php |
| 199 |
=================================================================== |
| 200 |
--- verify.php (revision 5688) |
| 201 |
+++ verify.php (revision 5719) |
| 202 |
@@ -40,6 +40,11 @@ |
| 203 |
# force logout on the current user if already authenticated |
| 204 |
if( auth_is_user_authenticated() ) { |
| 205 |
auth_logout(); |
| 206 |
+ |
| 207 |
+ # (Re)initialize session |
| 208 |
+ session_regenerate_id(); |
| 209 |
+ session_init(); |
| 210 |
+ $g_session_pass_id = ON; |
| 211 |
} |
| 212 |
|
| 213 |
$t_calculated_confirm_hash = auth_generate_confirm_hash( $f_user_id ); |
| 214 |
@@ -49,7 +54,6 @@ |
| 215 |
} |
| 216 |
|
| 217 |
# set a temporary cookie so the login information is passed between pages. |
| 218 |
- auth_logout(); |
| 219 |
auth_set_cookies( $f_user_id, false ); |
| 220 |
|
| 221 |
user_reset_failed_login_count_to_zero( $f_user_id ); |
| 222 |
@@ -61,4 +65,4 @@ |
| 223 |
user_increment_failed_login_count( $f_user_id ); |
| 224 |
|
| 225 |
include ( dirname( __FILE__ ) . DIRECTORY_SEPARATOR . 'account_page.php' ); |
| 226 |
-?> |
| 227 |
+ |
| 228 |
Index: core.php |
| 229 |
=================================================================== |
| 230 |
--- core.php (revision 5688) |
| 231 |
+++ core.php (revision 5719) |
| 232 |
@@ -145,7 +145,7 @@ |
| 233 |
require_once( $t_core_path.'database_api.php' ); |
| 234 |
|
| 235 |
# Basic browser detection |
| 236 |
- $t_user_agent = $_SERVER['HTTP_USER_AGENT']; |
| 237 |
+ $t_user_agent = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : 'none'; |
| 238 |
|
| 239 |
$t_browser_name = 'Normal'; |
| 240 |
if ( strpos( $t_user_agent, 'MSIE' ) ) { |
Archives