pva 08/10/24 08:56:15 |
|
Added: mantisbt-1.1.4-r5687:5688.patch |
Removed: mantis-1.1.4-r5702.patch |
Log: |
Further fixes from upstream; password reset should work now (bug #243360). Thanks to Marek Królikowski for the report. |
(Portage version: 2.2_rc12/cvs/Linux 2.6.26-openvz.git-777e816 i686) |
|
Revision Changes Path |
1.1 www-apps/mantisbt/files/mantisbt-1.1.4-r5687:5688.patch |
|
file : http://sources.gentoo.org/viewcvs.py/gentoo-x86/www-apps/mantisbt/files/mantisbt-1.1.4-r5687:5688.patch?rev=1.1&view=markup |
plain: http://sources.gentoo.org/viewcvs.py/gentoo-x86/www-apps/mantisbt/files/mantisbt-1.1.4-r5687:5688.patch?rev=1.1&content-type=text/plain |
|
Index: mantisbt-1.1.4-r5687:5688.patch |
16 |
=================================================================== |
17 |
Index: lang/strings_english.txt |
18 |
=================================================================== |
19 |
--- lang/strings_english.txt (revision 5688) |
20 |
+++ lang/strings_english.txt (revision 5719) |
21 |
@@ -298,9 +298,11 @@ |
22 |
$MANTIS_ERROR[ERROR_TAG_ALREADY_ATTACHED] = 'That tag already attached to that bug.'; |
23 |
$MANTIS_ERROR[ERROR_TOKEN_NOT_FOUND] = 'Token could not be found.'; |
24 |
$MANTIS_ERROR[ERROR_SESSION_HANDLER_INVALID] = 'Invalid session handler.'; |
25 |
-$MANTIS_ERROR[ERROR_SESSION_VAR_NOT_FOUND] = 'Session variable \'%s\' not found.'; |
26 |
+$MANTIS_ERROR[ERROR_SESSION_VAR_NOT_FOUND] = 'Session variable "%s" not found.'; |
27 |
+$MANTIS_ERROR[ERROR_SESSION_NOT_VALID] = 'Your session has become invalidated.'; |
28 |
$MANTIS_ERROR[ERROR_FORM_TOKEN_INVALID] = 'Invalid form security token. Did you submit the form twice by accident?'; |
29 |
$MANTIS_ERROR[ERROR_INVALID_REQUEST_METHOD] = 'This page cannot be accessed using this method.'; |
30 |
+$MANTIS_ERROR[ERROR_INVALID_SORT_FIELD] = 'Invalid sort field.'; |
31 |
|
32 |
$s_login_error = 'Your account may be disabled or blocked or the username/password you entered is incorrect.'; |
33 |
$s_login_cookies_disabled = 'Your browser either doesn\'t know how to handle cookies, or refuses to handle them.'; |
34 |
Index: account_page.php |
35 |
=================================================================== |
36 |
--- account_page.php (revision 5688) |
37 |
+++ account_page.php (revision 5719) |
38 |
@@ -94,6 +94,9 @@ |
39 |
<div align="center"> |
40 |
<form method="post" action="account_update.php"> |
41 |
<?php echo form_security_field( 'account_update' )?> |
42 |
+<?php if ( isset( $g_session_pass_id ) ) { ?> |
43 |
+<input type="hidden" name="session_id" value="<?php echo session_id() ?>"/> |
44 |
+<?php } ?> |
45 |
<table class="width75" cellspacing="1"> |
46 |
|
47 |
<!-- Headings --> |
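Review bot: The hidden field added inside the `isset( $g_session_pass_id )` guard writes `session_id()` straight into an HTML attribute with no escaping; PHP-generated ids are normally alphanumeric, but dynamic attribute values should still go through `value="<?php echo htmlspecialchars( session_id() ) ?>"` so the template does not depend on that. The guard also deserves a comment, since nothing in this file shows where `$g_session_pass_id` is set or why the session id has to travel in the form; something like `# Set by verify.php during password reset: the session id is re-submitted as a form field so core/session_api.php can resume the same session` would do. Note that whichever page receives this field is the one that ultimately decides whether to trust it; that decision lives in core/session_api.php, not here. The enclosing form opens and closes outside the hunk.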
48 |
Index: core/utility_api.php |
49 |
=================================================================== |
50 |
--- core/utility_api.php (revision 5688) |
51 |
+++ core/utility_api.php (revision 5719) |
52 |
@@ -192,10 +192,20 @@ |
53 |
$t_factor = 1; |
54 |
} |
55 |
|
56 |
+ if( empty( $p_array ) ) { |
57 |
+ return $p_array; |
58 |
+ } |
59 |
+ if( !is_array( current($p_array ) ) ) { |
60 |
+ error_parameters( 'tried to multisort an invalid multi-dimensional array' ); |
61 |
+ trigger_error(ERROR_GENERIC, ERROR); |
62 |
+ } |
63 |
+ |
64 |
// Security measure: see http://www.mantisbt.org/bugs/view.php?id=9704 for details |
65 |
- if ( array_key_exists( $p_key, $p_array ) ) { |
66 |
- $t_function = create_function( '$a, $b', "return $t_factor * strnatcasecmp( \$a['$p_key'], \$b['$p_key'] );" ); |
67 |
+ if( array_key_exists( $p_key, current($p_array) ) ) { |
68 |
+ $t_function = create_function( '$a, $b', "return $t_factor * strnatcasecmp( \$a['" . $p_key . "'], \$b['" . $p_key . "'] );" ); |
69 |
uasort( $p_array, $t_function ); |
70 |
+ } else { |
71 |
+ trigger_error(ERROR_INVALID_SORT_FIELD, ERROR); |
72 |
} |
73 |
return $p_array; |
74 |
} |
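Review bot: The new guards read the first row with `current( $p_array )`, which depends on the array's internal pointer; if a caller has advanced it before sorting, `current()` returns false and the `!is_array( ... )` branch rejects a perfectly valid array. `reset( $p_array )` rewinds deterministically, so `$t_first = reset( $p_array );` followed by `if( !is_array( $t_first ) )` and `if( array_key_exists( $p_key, $t_first ) )` gives the same checks without that dependency. The existence check also only proves the sort key is present in the first row, and it is still the only thing keeping `$p_key` (which is interpolated into the `create_function` source) to keys the application itself defined, which is worth saying in a comment such as `# Only the first row is inspected: it both validates $p_key against application-defined keys and assumes every row shares them`. The enclosing function starts before this hunk.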
75 |
Index: core/session_api.php |
76 |
=================================================================== |
77 |
--- core/session_api.php (revision 5688) |
78 |
+++ core/session_api.php (revision 5719) |
79 |
@@ -48,7 +48,7 @@ |
80 |
* to PHP's session.* settings in 'php.ini'. |
81 |
*/ |
82 |
class MantisPHPSession extends MantisSession { |
83 |
- function __construct() { |
84 |
+ function __construct( $p_session_id=null ) { |
85 |
$t_session_save_path = config_get_global( 'session_save_path' ); |
86 |
if ( $t_session_save_path ) { |
87 |
session_save_path( $t_session_save_path ); |
88 |
@@ -60,6 +60,11 @@ |
89 |
} else { |
90 |
session_set_cookie_params( 0, config_get( 'cookie_path' ), config_get( 'cookie_domain' ), false ); |
91 |
} |
92 |
+ |
93 |
+ if ( !is_null( $p_session_id ) ) { |
94 |
+ session_id( $p_session_id ); |
95 |
+ } |
96 |
+ |
97 |
session_start(); |
98 |
$this->id = session_id(); |
99 |
} |
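Review bot: `session_id( $p_session_id )` on the added lines adopts a caller-supplied identifier without checking its form before `session_start()`, and the only caller in this patch ultimately takes the value from the request (`gpc_get_string( 'session_id', '' )` at the bottom of this file). A format check before adoption, e.g. `if ( !is_null( $p_session_id ) && preg_match( '/^[a-zA-Z0-9,-]+$/', $p_session_id ) )`, keeps unexpected characters away from the session handler (with the files handler the id becomes part of a file name under the save path); the exact character set the installed PHP accepts should be confirmed. The new parameter introduced in the previous hunk (`__construct( $p_session_id=null )`) also has no docblock entry; `@param string $p_session_id Existing session id to resume, or null to let PHP allocate one` would cover it. The constructor begins in the previous hunk and its body continues outside this one.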
100 |
@@ -102,13 +107,14 @@ |
101 |
|
102 |
/** |
103 |
* Initialize the appropriate session handler. |
104 |
+ * @param string Session ID |
105 |
*/ |
106 |
-function session_init() { |
107 |
+function session_init( $p_session_id=null ) { |
108 |
global $g_session, $g_session_handler; |
109 |
|
110 |
switch( strtolower( $g_session_handler ) ) { |
111 |
case 'php': |
112 |
- $g_session = new MantisPHPSession(); |
113 |
+ $g_session = new MantisPHPSession( $p_session_id ); |
114 |
break; |
115 |
|
116 |
case 'adodb': |
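Review bot: The added docblock line `@param string Session ID` does not name the parameter, which most PHPDoc tooling needs to attach it; `@param string $p_session_id Session id to resume, or null to start a fresh session` is the complete form. The hunk only shows `$p_session_id` being forwarded in the `'php'` case, and the `'adodb'` case is cut off at the end of the hunk, so it is worth confirming that handler either receives the id too or is documented as ignoring it. The function body continues outside the hunk.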
117 |
@@ -119,9 +125,42 @@ |
118 |
trigger_error( ERROR_SESSION_HANDLER_INVALID, ERROR ); |
119 |
break; |
120 |
} |
121 |
+ |
122 |
+ session_validate( $g_session ); |
123 |
} |
124 |
|
125 |
/** |
126 |
+ * Validate the legitimacy of a session. |
127 |
+ * Checks may include last-known IP address, or more. |
128 |
+ * Triggers an error when the session is invalid. |
129 |
+ * @param object Session object |
130 |
+ */ |
131 |
+function session_validate( $p_session ) { |
132 |
+ $t_user_ip = ''; |
133 |
+ if ( isset( $_SERVER['REMOTE_ADDR'] ) ) { |
134 |
+ $t_user_ip = trim( $_SERVER['REMOTE_ADDR'] ); |
135 |
+ } |
136 |
+ |
137 |
+ if ( is_null( $t_last_ip = $p_session->get( 'last_ip', null ) ) ) { |
138 |
+ # First session usage |
139 |
+ $p_session->set( 'last_ip', $t_user_ip ); |
140 |
+ |
141 |
+ } else { |
142 |
+ # Check a continued session request |
143 |
+ if ( $t_user_ip != $t_last_ip ) { |
144 |
+ session_clean(); |
145 |
+ |
146 |
+ trigger_error( ERROR_SESSION_NOT_VALID, WARNING ); |
147 |
+ |
148 |
+ $t_url = config_get_global( 'path' ) . config_get_global( 'default_home_page' ); |
149 |
+ echo "\t<meta http-equiv=\"Refresh\" content=\"4;URL=$t_url\" />\n"; |
150 |
+ |
151 |
+ die(); |
152 |
+ } |
153 |
+ } |
154 |
+} |
155 |
+ |
156 |
+/** |
157 |
* Get arbitrary data from the session. |
158 |
* @param string Session variable name |
159 |
* @param mixed Default value |
160 |
@@ -190,4 +229,11 @@ |
161 |
|
162 |
|
163 |
##### Initialize the session |
164 |
-session_init(); |
165 |
+$t_session_id = gpc_get_string( 'session_id', '' ); |
166 |
+ |
167 |
+if ( empty( $t_session_id ) ) { |
168 |
+ session_init(); |
169 |
+} else { |
170 |
+ session_init( $t_session_id ); |
171 |
+} |
172 |
+ |
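Review bot: `gpc_get_string( 'session_id', '' )` on the added lines accepts a session identifier from the request and resumes it unconditionally, which lets a request choose the server-side session it runs under (session fixation); the only sender in this patch is the password-reset form in account_page.php, but nothing here limits acceptance to that flow. A narrower version would read the value only from POST and only while the reset flow is active (the `$g_session_pass_id` flag set in verify.php is the obvious signal), or keep the id out of the request entirely by relying on the regenerated session cookie. At minimum the branch needs a comment naming the flow that depends on it, e.g. `# Resume a session whose id was re-submitted as a form field by the password-reset flow (verify.php / account_page.php)`, and `empty( $t_session_id )` should be `$t_session_id === ''` since a non-empty value is all that is being tested. Whether gpc_get_string() reads GET as well as POST is not visible here and should be checked.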
173 |
Index: core/constant_inc.php |
174 |
=================================================================== |
175 |
--- core/constant_inc.php (revision 5688) |
176 |
+++ core/constant_inc.php (revision 5719) |
177 |
@@ -195,6 +195,7 @@ |
178 |
define( 'ERROR_HANDLER_ACCESS_TOO_LOW', 17 ); |
179 |
define( 'ERROR_PAGE_REDIRECTION', 18 ); |
180 |
define( 'ERROR_INVALID_REQUEST_METHOD', 19 ); |
181 |
+ define( 'ERROR_INVALID_SORT_FIELD', 20 ); |
182 |
|
183 |
# ERROR_CONFIG_* |
184 |
define( 'ERROR_CONFIG_OPT_NOT_FOUND', 100 ); |
185 |
@@ -326,6 +327,7 @@ |
186 |
# ERROR_SESSION_* |
187 |
define ( 'ERROR_SESSION_HANDLER_INVALID', 2700); |
188 |
define ( 'ERROR_SESSION_VAR_NOT_FOUND', 2701); |
189 |
+ define ( 'ERROR_SESSION_NOT_VALID', 2702); |
190 |
|
191 |
# ERROR_FORM_* |
192 |
define ( 'ERROR_FORM_TOKEN_INVALID', 2800 ); |
193 |
@@ -422,4 +424,3 @@ |
194 |
define( 'SPONSORSHIP_REQUESTED', 1 ); |
195 |
define( 'SPONSORSHIP_PAID', 2 ); |
196 |
|
197 |
-?> |
198 |
Index: verify.php |
199 |
=================================================================== |
200 |
--- verify.php (revision 5688) |
201 |
+++ verify.php (revision 5719) |
202 |
@@ -40,6 +40,11 @@ |
203 |
# force logout on the current user if already authenticated |
204 |
if( auth_is_user_authenticated() ) { |
205 |
auth_logout(); |
206 |
+ |
207 |
+ # (Re)initialize session |
208 |
+ session_regenerate_id(); |
209 |
+ session_init(); |
210 |
+ $g_session_pass_id = ON; |
211 |
} |
212 |
|
213 |
$t_calculated_confirm_hash = auth_generate_confirm_hash( $f_user_id ); |
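Review bot: `session_regenerate_id()` followed by `session_init()` runs on a session that core/session_api.php has already started at include time, so the second `session_init()` constructs another MantisPHPSession and calls `session_start()` on an active session; as far as I can tell from this patch that is a notice-level no-op rather than a fresh session, and the call order should be confirmed against how auth_logout() leaves session state. If the installed PHP supports it, `session_regenerate_id( true )` discards the previous session data instead of leaving the logged-out user's session behind under the old id. `$g_session_pass_id = ON;` is consumed by account_page.php when it renders the hidden session_id field, which is not obvious from here; `# Tell account_page.php (included below) to re-submit the session id as a form field` would make the coupling explicit. The enclosing `if` closes inside the hunk, but the script continues outside it.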
214 |
@@ -49,7 +54,6 @@ |
215 |
} |
216 |
|
217 |
# set a temporary cookie so the login information is passed between pages. |
218 |
- auth_logout(); |
219 |
auth_set_cookies( $f_user_id, false ); |
220 |
|
221 |
user_reset_failed_login_count_to_zero( $f_user_id ); |
222 |
@@ -61,4 +65,4 @@ |
223 |
user_increment_failed_login_count( $f_user_id ); |
224 |
|
225 |
include ( dirname( __FILE__ ) . DIRECTORY_SEPARATOR . 'account_page.php' ); |
226 |
-?> |
227 |
+ |
228 |
Index: core.php |
229 |
=================================================================== |
230 |
--- core.php (revision 5688) |
231 |
+++ core.php (revision 5719) |
232 |
@@ -145,7 +145,7 @@ |
233 |
require_once( $t_core_path.'database_api.php' ); |
234 |
|
235 |
# Basic browser detection |
236 |
- $t_user_agent = $_SERVER['HTTP_USER_AGENT']; |
237 |
+ $t_user_agent = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : 'none'; |
238 |
|
239 |
$t_browser_name = 'Normal'; |
240 |
if ( strpos( $t_user_agent, 'MSIE' ) ) { |