pva 08/09/29 07:00:23 |
|
Added: mantisbt-1.1.2-svn-5369:5587.patch |
Removed: mantisbt-1.0.8-avoid-XS-type-in-schema.php.patch |
mantisbt-1.0.8-avoid-XSS-in-file_api.php.patch |
Log: |
Pushing fixes from svn; should fix security issue #238570. Thanks to Robert Buchholz for the report. Remove old patches. |
(Portage version: 2.2_rc11/cvs/Linux 2.6.26-gentoo-r1 i686) |
|
Revision Changes Path |
1.1 www-apps/mantisbt/files/mantisbt-1.1.2-svn-5369:5587.patch |
|
file : http://sources.gentoo.org/viewcvs.py/gentoo-x86/www-apps/mantisbt/files/mantisbt-1.1.2-svn-5369:5587.patch?rev=1.1&view=markup |
plain: http://sources.gentoo.org/viewcvs.py/gentoo-x86/www-apps/mantisbt/files/mantisbt-1.1.2-svn-5369:5587.patch?rev=1.1&content-type=text/plain |
|
Index: mantisbt-1.1.2-svn-5369:5587.patch |
17 |
=================================================================== |
18 |
Index: doc/ChangeLog |
19 |
=================================================================== |
20 |
--- doc/ChangeLog (revision 5369) |
21 |
+++ doc/ChangeLog (revision 5587) |
22 |
@@ -2,6 +2,8 @@ |
23 |
|
24 |
2008.06.17 - 1.1.2 |
25 |
==================== |
26 |
+This release focused on fixing few security issues; also includes assorted fixes for translations, usability and compatibility (most notably, with postgres) and a nasty memory leak on the string API causing incomplete rendering of pages. All users are advised to upgrade. |
27 |
+ |
28 |
- 0008974: [security] XSS Vulnerability in filters (thraxisp) - closed. |
29 |
- 0008975: [security] CSRF Vulnerabilities in user_create (jreese) - closed. |
30 |
- 0008976: [security] Remote Code Execution in adm_config (giallu) - closed. |
31 |
Index: config_defaults_inc.php |
32 |
=================================================================== |
33 |
--- config_defaults_inc.php (revision 5369) |
34 |
+++ config_defaults_inc.php (revision 5587) |
35 |
@@ -149,6 +149,9 @@ |
36 |
# 'memcached' -> Memcached storage sessions |
37 |
$g_session_handler = 'php'; |
38 |
|
39 |
+ # Session save path. If false, uses default value as set by session handler. |
40 |
+ $g_session_save_path = false; |
41 |
+ |
42 |
############################# |
43 |
# Configuration Settings |
44 |
############################# |
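Review bot: The comment on the new `$g_session_save_path` option says only that false falls back to the handler default; it should also tell an administrator what a custom path has to satisfy, because a wrong choice here is a security problem rather than a functional one. I would extend it to `# Session save path. If false, uses default value as set by session handler. If set, the directory must exist, be writable by the web server user, and be private to this Mantis install (a directory shared with other applications lets them read or fixate Mantis sessions).` The value is admin-controlled configuration, so no runtime validation is needed beyond what session_save_path() itself does.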
45 |
@@ -1938,4 +1941,4 @@ |
46 |
|
47 |
# The twitter account password. |
48 |
$g_twitter_password = ''; |
49 |
-?> |
50 |
+ |
51 |
Index: bug_graph_bystatus.php |
52 |
=================================================================== |
53 |
--- bug_graph_bystatus.php (revision 5369) |
54 |
+++ bug_graph_bystatus.php (revision 5587) |
55 |
@@ -148,6 +148,8 @@ |
56 |
} |
57 |
|
58 |
ksort($t_view_status); |
59 |
+ $t_label_string = lang_get('orct'); //use the (open/resolved/closed/total) label |
60 |
+ $t_label_strings = explode('/', substr($t_label_string, 1, strlen($t_label_string)-2)); |
61 |
|
62 |
// add headers for table |
63 |
if ($f_show_as_table) { |
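Review bot: The new label parsing, `explode('/', substr($t_label_string, 1, strlen($t_label_string)-2))`, assumes the `orct` language string is exactly of the form `(a/b/c/d)`; if a translation drops the parentheses or uses another separator, the `$t_label_strings[0..2]` reads later in this file become undefined indexes, producing empty table headers plus notices. I cannot see the `orct` string here, so this is a robustness rather than an observed failure. A cheap guard would be `if ( count( $t_label_strings ) < 3 ) {` falling back to the previous `lang_get_defaulted( 'open' )`, `'resolved'`, `'closed'` labels. The enclosing script continues on both sides of this hunk.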
64 |
@@ -159,9 +161,9 @@ |
65 |
html_body_begin(); |
66 |
echo '<table class="width100"><tr><td></td>'; |
67 |
if ($f_summary) { |
68 |
- echo '<th>' . lang_get_defaulted('open') . '</th>'; |
69 |
- echo '<th>' . lang_get_defaulted('resolved') . '</th>'; |
70 |
- echo '<th>' . lang_get_defaulted('closed') . '</th>'; |
71 |
+ echo '<th>' . $t_label_strings[0] . '</th>'; |
72 |
+ echo '<th>' . $t_label_strings[1] . '</th>'; |
73 |
+ echo '<th>' . $t_label_strings[2] . '</th>'; |
74 |
} else { |
75 |
foreach ( $t_view_status as $t_status => $t_label ) { |
76 |
echo '<th>'.$t_label.' ('.$t_status.')</th>'; |
77 |
@@ -176,9 +178,9 @@ |
78 |
$t_labels = array(); |
79 |
$i = 0; |
80 |
if ($f_summary) { |
81 |
- $t_labels[++$i] = lang_get_defaulted('open'); |
82 |
- $t_labels[++$i] = lang_get_defaulted('resolved'); |
83 |
- $t_labels[++$i] = lang_get_defaulted('closed'); |
84 |
+ $t_labels[++$i] = $t_label_strings[0]; |
85 |
+ $t_labels[++$i] = $t_label_strings[1]; |
86 |
+ $t_labels[++$i] = $t_label_strings[2]; |
87 |
} else { |
88 |
foreach ( $t_view_status as $t_status => $t_label ) { |
89 |
$t_labels[++$i] = isset($t_status_labels[$t_status]) ? $t_status_labels[$t_status] : lang_get_defaulted($t_label); |
90 |
@@ -228,6 +230,6 @@ |
91 |
html_body_end(); |
92 |
html_end(); |
93 |
} else { |
94 |
- graph_bydate( $t_metrics, $t_labels, lang_get( 'by_category' ), $f_width, $f_width * $t_ar ); |
95 |
+ graph_bydate( $t_metrics, $t_labels, lang_get( 'by_status' ), $f_width, $f_width * $t_ar ); |
96 |
} |
97 |
?> |
98 |
\ No newline at end of file |
99 |
Index: manage_user_prune.php |
100 |
=================================================================== |
101 |
--- manage_user_prune.php (revision 5369) |
102 |
+++ manage_user_prune.php (revision 5587) |
103 |
@@ -1,4 +1,4 @@ |
104 |
-2<?php |
105 |
+<?php |
106 |
# Mantis - a php based bugtracking system |
107 |
|
108 |
# Copyright (C) 2000 - 2002 Kenzaburo Ito - kenito@×××××××.org |
109 |
Index: manage_proj_edit_page.php |
110 |
=================================================================== |
111 |
--- manage_proj_edit_page.php (revision 5369) |
112 |
+++ manage_proj_edit_page.php (revision 5587) |
113 |
@@ -527,7 +527,8 @@ |
114 |
<td class="center"> |
115 |
<?php |
116 |
# You need global permissions to edit custom field defs |
117 |
- print_button( "manage_proj_custom_field_remove.php?field_id={$t_field_id}&project_id={$f_project_id}", lang_get( 'remove_link' ) ); |
118 |
+ $t_remove_token = form_security_param( 'manage_proj_custom_field_remove' ); |
119 |
+ print_button( "manage_proj_custom_field_remove.php?field_id={$t_field_id}&project_id={$f_project_id}$t_remove_token", lang_get( 'remove_link' ) ); |
120 |
?> |
121 |
</td> |
122 |
</tr> |
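Review bot: The CSRF token from `form_security_param( 'manage_proj_custom_field_remove' )` is appended to the query string of the remove URL, so it will appear in web server logs and in the Referer header of any outbound link on the target page, which weakens it compared with a token carried in the request body. If `print_button` renders a POST form (its name suggests so, but the helper is not visible here), the cleaner option is to emit the token as a hidden field via `form_security_field( 'manage_proj_custom_field_remove' )` inside that form, and only fall back to the URL parameter if the helper cannot take extra fields. Either way `$t_field_id` and `$f_project_id` are interpolated raw into the URL; that is fine only if they are integers, which is not shown in this hunk.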
123 |
Index: core/bug_api.php |
124 |
=================================================================== |
125 |
--- core/bug_api.php (revision 5369) |
126 |
+++ core/bug_api.php (revision 5587) |
127 |
@@ -1264,9 +1264,6 @@ |
128 |
# the relationship type is already set. Nothing to do |
129 |
} |
130 |
else if ( $t_id_relationship > 0 ) { |
131 |
- # there is already a relationship between them -> we have to update it and not to add a new one |
132 |
- helper_ensure_confirmed( lang_get( 'replace_relationship_sure_msg' ), lang_get( 'replace_relationship_button' ) ); |
133 |
- |
134 |
# Update the relationship |
135 |
relationship_update( $t_id_relationship, $p_bug_id, $p_duplicate_id, BUG_DUPLICATE ); |
136 |
|
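Review bot: Dropping `helper_ensure_confirmed(...)` means an existing relationship between the two bugs is now silently overwritten by `relationship_update(...)`, and nothing in the hunk records why the confirmation step was removed; presumably it interfered with the form-security flow added elsewhere in this patch, but that is a guess. A one-line comment at the point of the update would save the next reader the archaeology, e.g. `# An existing relationship is replaced without prompting; the caller is responsible for confirming the duplicate marking.` The enclosing function starts before this hunk, so I cannot confirm whether its callers already confirm.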
137 |
Index: core/print_api.php |
138 |
=================================================================== |
139 |
--- core/print_api.php (revision 5369) |
140 |
+++ core/print_api.php (revision 5587) |
141 |
@@ -304,7 +304,7 @@ |
142 |
?> |
143 |
<input type="hidden" id="tag_separator" value="<?php echo config_get( 'tag_separator' ) ?>" /> |
144 |
<input type="text" name="tag_string" id="tag_string" size="40" value="<?php echo string_attribute( $p_string ) ?>" /> |
145 |
- <select <?php echo helper_get_tab_index() ?> name="tag_select" id="tag_select"> |
146 |
+ <select <?php echo helper_get_tab_index() ?> name="tag_select" id="tag_select" onchange="tag_string_append( this.options[ this.selectedIndex ].text );"> |
147 |
<?php print_tag_option_list( $p_bug_id ); ?> |
148 |
</select> |
149 |
<?php |
150 |
@@ -334,7 +334,7 @@ |
151 |
|
152 |
echo '<option value="0">',lang_get( 'tag_existing' ),'</option>'; |
153 |
while ( $row = db_fetch_array( $result ) ) { |
154 |
- echo '<option value="',$row['id'],'" onclick="tag_string_append(\'',$row['name'],'\')">',$row['name'],'</option>'; |
155 |
+ echo '<option value="',$row['id'],'">',$row['name'],'</option>'; |
156 |
} |
157 |
} |
158 |
|
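Review bot: `$row['name']` is still written into the option's text content unescaped; the change removed the JavaScript-context injection (the name is no longer inside a quoted JS string) but tag names are presumably user-entered, so a name containing `<` or `&` still injects markup into the page. Escape it with the string API, e.g. `echo '<option value="', $row['id'], '">', string_attribute( $row['name'] ), '</option>';` (this function already uses `string_attribute()` for the text input), or the display-context helper if the file has one. The new `onchange` handler reads `this.options[...].text`, which yields the decoded text, so escaping here does not break the append.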
159 |
Index: core/user_api.php |
160 |
=================================================================== |
161 |
--- core/user_api.php (revision 5369) |
162 |
+++ core/user_api.php (revision 5587) |
163 |
@@ -655,10 +655,22 @@ |
164 |
} else { |
165 |
$t_default_image = config_get( 'default_avatar' ); |
166 |
$t_size = 80; |
167 |
- $t_avatar_url = "http://www.gravatar.com/avatar.php?gravatar_id=" . md5( $t_email ) . |
168 |
- "&default=" . urlencode( $t_default_image ) . |
169 |
- "&size=" . $t_size . |
170 |
- "&rating=G"; |
171 |
+ |
172 |
+ $t_use_ssl = false; |
173 |
+ if ( isset( $_SERVER['HTTPS'] ) && ( strtolower( $_SERVER['HTTPS'] ) != 'off' ) ) { |
174 |
+ $t_use_ssl = true; |
175 |
+ } |
176 |
+ |
177 |
+ if ( !$t_use_ssl ) { |
178 |
+ $t_gravatar_domain = 'http://www.gravatar.com/'; |
179 |
+ } else { |
180 |
+ $t_gravatar_domain = 'https://secure.gravatar.com/'; |
181 |
+ } |
182 |
+ |
183 |
+ $t_avatar_url = $t_gravatar_domain . 'avatar.php?gravatar_id=' . md5( $t_email ) . |
184 |
+ '&default=' . urlencode( $t_default_image ) . |
185 |
+ '&size=' . $t_size . |
186 |
+ '&rating=G'; |
187 |
$t_result = array( $t_avatar_url, $t_size, $t_size ); |
188 |
} |
189 |
|
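Review bot: The HTTPS test introduced here (`isset( $_SERVER['HTTPS'] ) && ( strtolower( $_SERVER['HTTPS'] ) != 'off' )`) is duplicated verbatim in core/session_api.php in the same patch; it belongs in one helper so both callers stay in step. Behind a TLS-terminating proxy `$_SERVER['HTTPS']` is typically unset, so an HTTPS page would still embed a plain-http gravatar URL and trigger a mixed-content warning; a shared helper would be the place to honour a forwarded-proto header if Mantis supports such deployments. The four-line if/else can also collapse to `$t_use_ssl = isset( $_SERVER['HTTPS'] ) && ( strtolower( $_SERVER['HTTPS'] ) != 'off' );`.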
190 |
Index: core/bugnote_api.php |
191 |
=================================================================== |
192 |
--- core/bugnote_api.php (revision 5369) |
193 |
+++ core/bugnote_api.php (revision 5587) |
194 |
@@ -99,7 +99,7 @@ |
195 |
# Add a bugnote to a bug |
196 |
# |
197 |
# return the ID of the new bugnote |
198 |
- function bugnote_add ( $p_bug_id, $p_bugnote_text, $p_time_tracking = '0:00', $p_private = false, $p_type = 0, $p_attr = '', $p_user_id = null ) { |
199 |
+ function bugnote_add ( $p_bug_id, $p_bugnote_text, $p_time_tracking = '0:00', $p_private = false, $p_type = 0, $p_attr = '', $p_user_id = null, $p_send_email = TRUE ) { |
200 |
$c_bug_id = db_prepare_int( $p_bug_id ); |
201 |
$c_bugnote_text = db_prepare_string( $p_bugnote_text ); |
202 |
$c_time_tracking = db_prepare_time( $p_time_tracking ); |
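Review bot: The new `$p_send_email = TRUE` parameter is not described in the header comment above `bugnote_add`, which still lists only the purpose and return value. Add a line such as `# $p_send_email: presumably when false the notification e-mail for the new note is suppressed — confirm against the body` in the file's existing `#` style. The function body continues outside this hunk, so I cannot see how the flag is consumed.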
203 |
Index: core/session_api.php |
204 |
=================================================================== |
205 |
--- core/session_api.php (revision 5369) |
206 |
+++ core/session_api.php (revision 5587) |
207 |
@@ -49,6 +49,15 @@ |
208 |
*/ |
209 |
class MantisPHPSession extends MantisSession { |
210 |
function __construct() { |
211 |
+ $t_session_save_path = config_get_global( 'session_save_path' ); |
212 |
+ if ( $t_session_save_path ) { |
213 |
+ session_save_path( $t_session_save_path ); |
214 |
+ } |
215 |
+ |
216 |
+ session_cache_limiter( 'private_no_expire' ); |
217 |
+ if ( isset( $_SERVER['HTTPS'] ) && ( strtolower( $_SERVER['HTTPS'] ) != 'off' ) ) { |
218 |
+ session_set_cookie_params( 0, config_get( 'cookie_path' ), config_get( 'cookie_domain' ), true, true ); |
219 |
+ } |
220 |
session_start(); |
221 |
$this->id = session_id(); |
222 |
} |
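Review bot: The HttpOnly flag on the session cookie is only set inside the HTTPS branch, so a plain-HTTP deployment gets a session cookie readable by client-side script; HttpOnly does not depend on the transport and should be set unconditionally, with only the Secure flag tied to HTTPS. Replace the `if` block with `$t_secure = isset( $_SERVER['HTTPS'] ) && ( strtolower( $_SERVER['HTTPS'] ) != 'off' );` followed by `session_set_cookie_params( 0, config_get( 'cookie_path' ), config_get( 'cookie_domain' ), $t_secure, true );`, still before `session_start()`. The same HTTPS test is duplicated in core/user_api.php in this patch; a shared helper would keep the two in step.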
223 |
Index: core/string_api.php |
224 |
=================================================================== |
225 |
--- core/string_api.php (revision 5369) |
226 |
+++ core/string_api.php (revision 5587) |
227 |
@@ -306,7 +306,7 @@ |
228 |
if ( !isset( $string_process_bug_link_callback[$p_include_anchor][$p_detail_info][$p_fqdn] ) ) { |
229 |
if ($p_include_anchor) { |
230 |
$string_process_bug_link_callback[$p_include_anchor][$p_detail_info][$p_fqdn] = create_function('$p_array',' |
231 |
- if (bug_exists( (int)$p_array[2] ) ) { |
232 |
+ if ( bug_exists( (int)$p_array[2] ) && access_has_bug_level( VIEWER, (int)$p_array[2] ) ) { |
233 |
return $p_array[1] . string_get_bug_view_link( (int)$p_array[2], null, ' . ($p_detail_info ? 'true' : 'false') . ', ' . ($p_fqdn ? 'true' : 'false') . '); |
234 |
} else { |
235 |
return $p_array[0]; |
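Review bot: The new access check hard-codes `VIEWER` as the level needed to turn a bug reference into a link, while the rest of Mantis presumably gates bug viewing on the configurable `view_bug_threshold`; if an installation raises that threshold, this callback will still link to bugs the reader cannot open, and if private bugs are not covered by `access_has_bug_level` it may still reveal that they exist. Consider `if ( bug_exists( (int)$p_array[2] ) && access_has_bug_level( config_get( 'view_bug_threshold' ), (int)$p_array[2] ) ) {` so the link check follows the same rule as the view page; I cannot see `access_has_bug_level` here, so confirm its private-bug handling. The callback is assembled as a string for `create_function`, which is pre-existing and not changed by this hunk.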
236 |
Index: bug_update.php |
237 |
=================================================================== |
238 |
--- bug_update.php (revision 5369) |
239 |
+++ bug_update.php (revision 5587) |
240 |
@@ -31,8 +31,6 @@ |
241 |
require_once( $t_core_path.'bugnote_api.php' ); |
242 |
require_once( $t_core_path.'custom_field_api.php' ); |
243 |
|
244 |
- form_security_validate( 'bug_update' ); |
245 |
- |
246 |
$f_bug_id = gpc_get_int( 'bug_id' ); |
247 |
$f_update_mode = gpc_get_bool( 'update_mode', FALSE ); # set if called from generic update page |
248 |
$f_new_status = gpc_get_int( 'status', bug_get_field( $f_bug_id, 'status' ) ); |
249 |
@@ -140,6 +138,8 @@ |
250 |
} |
251 |
} |
252 |
|
253 |
+ form_security_validate( 'bug_update' ); |
254 |
+ |
255 |
$t_notify = true; |
256 |
$t_bug_note_set = false; |
257 |
if ( ( $t_old_bug_status != $t_bug_data->status ) && ( FALSE == $f_update_mode ) ) { |
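Review bot: `form_security_validate( 'bug_update' )` now runs after roughly a hundred lines of request processing instead of first, so every `gpc_get_*` read, `bug_get_field` lookup and whatever the intervening code does (not visible between the two hunks) happens before the CSRF token is checked. If the move is deliberate, for example so that bug-existence or access failures produce their own error pages before the token check, a comment at the new call site should say so, e.g. `# Token is validated only after the access checks above so that those errors are reported first.` If it is not deliberate, the call should go back to the top, since a forged request should do no work at all before being rejected.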
258 |
Index: manage_config_work_threshold_page.php |
259 |
=================================================================== |
260 |
--- manage_config_work_threshold_page.php (revision 5369) |
261 |
+++ manage_config_work_threshold_page.php (revision 5587) |
262 |
@@ -322,6 +322,7 @@ |
263 |
|
264 |
if ( $t_show_submit && ( 0 < count( $t_overrides ) ) ) { |
265 |
echo "<div class=\"right\"><form name=\"threshold_config_action\" method=\"post\" action=\"manage_config_revert.php\">\n"; |
266 |
+ echo form_security_field( 'manage_config_revert' ); |
267 |
echo "<input name=\"revert\" type=\"hidden\" value=\"" . implode( ',', $t_overrides ) . "\"></input>"; |
268 |
echo "<input name=\"project\" type=\"hidden\" value=\"$t_project_id\"></input>"; |
269 |
echo "<input name=\"return\" type=\"hidden\" value=\"" . $_SERVER['PHP_SELF'] ."\"></input>"; |
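Review bot: The form being protected here still writes `$_SERVER['PHP_SELF']` into the hidden `return` field unescaped, which is the classic path-info reflected XSS (`/manage_config_work_threshold_page.php/"><script>...`); that line is context, but the hunk is adding CSRF protection to exactly this form, so it is worth closing at the same time. Use the attribute escaper, e.g. `echo "<input name=\"return\" type=\"hidden\" value=\"" . string_attribute( $_SERVER['PHP_SELF'] ) . "\"></input>";`, assuming string_api is loaded by this page. The `$t_overrides` list on the line above is also emitted raw; it is presumably config option names, which should be safe, but confirm.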
270 |
Index: adm_config_set.php |
271 |
=================================================================== |
272 |
--- adm_config_set.php (revision 5369) |
273 |
+++ adm_config_set.php (revision 5587) |
274 |
@@ -81,7 +81,7 @@ |
275 |
# 2. simple arrays with the form: array( a, b, c, d ) |
276 |
# 3. associative arrays with the form: array( a=>1, b=>2, c=>3, d=>4 ) |
277 |
$t_full_string = trim( $f_value ); |
278 |
- if ( preg_match('/array\((.*)\)/', $t_full_string, $t_match ) === 1 ) { |
279 |
+ if ( preg_match('/array[\s]*\((.*)\)/', $t_full_string, $t_match ) === 1 ) { |
280 |
// we have an array here |
281 |
$t_values = split( ',', trim( $t_match[1] ) ); |
282 |
foreach ( $t_values as $key => $value ) { |
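Review bot: The relaxed pattern `/array[\s]*\((.*)\)/` is still unanchored and greedy, so `foo array(1,2) bar` is accepted as an array and the capture runs to the last `)` in the input; anchoring it as `/^array\s*\((.*)\)$/` makes the accepted grammar match the comment above. The next line then uses `split( ',', ... )`, which treats the delimiter as a regex and breaks any element containing a comma (a quoted string or nested array); `explode( ',', trim( $t_match[1] ) )` is the right call for a literal separator, and the limitation deserves a comment since this parser is the replacement for the adm_config code-execution issue listed in the ChangeLog. The `foreach` continues outside this hunk, so I cannot see how each element is coerced.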
283 |
Index: roadmap_page.php |
284 |
=================================================================== |
285 |
--- roadmap_page.php (revision 5369) |
286 |
+++ roadmap_page.php (revision 5587) |
287 |
@@ -195,7 +195,7 @@ |
288 |
$t_issue_id = $t_issue_ids[$k]; |
289 |
$t_issue_parent = $t_issue_parents[$k]; |
290 |
|
291 |
- if ( in_array( $t_issue_id, $t_cycle_ids ) || in_array( $t_parent_id, $t_cycle_ids ) ) { |
292 |
+ if ( in_array( $t_issue_id, $t_cycle_ids ) || in_array( $t_issue_parent, $t_cycle_ids ) ) { |
293 |
$t_cycle = true; |
294 |
} else { |
295 |
$t_cycle = false; |
296 |
Index: core.php |
297 |
=================================================================== |
298 |
--- core.php (revision 5369) |
299 |
+++ core.php (revision 5587) |
300 |
@@ -144,15 +144,33 @@ |
301 |
# OPENED ANYWHERE ELSE. |
302 |
require_once( $t_core_path.'database_api.php' ); |
303 |
|
304 |
+ # Basic browser detection |
305 |
+ $t_user_agent = $_SERVER['HTTP_USER_AGENT']; |
306 |
+ |
307 |
+ $t_browser_name = 'Normal'; |
308 |
+ if ( strpos( $t_user_agent, 'MSIE' ) ) { |
309 |
+ $t_browser_name = 'IE'; |
310 |
+ } |
311 |
+ |
312 |
# Headers to prevent caching |
313 |
# with option to bypass if running from script |
314 |
global $g_bypass_headers, $g_allow_browser_cache; |
315 |
if ( !isset( $g_bypass_headers ) && !headers_sent() ) { |
316 |
- if ( ! isset( $g_allow_browser_cache ) ) { |
317 |
- header( 'Pragma: no-cache' ); |
318 |
+ |
319 |
+ if ( isset( $g_allow_browser_cache ) ) { |
320 |
+ switch ( $t_browser_name ) { |
321 |
+ case 'IE': |
322 |
+ header( 'Cache-Control: private, proxy-revalidate' ); |
323 |
+ break; |
324 |
+ default: |
325 |
+ header( 'Cache-Control: private, must-revalidate' ); |
326 |
+ break; |
327 |
+ } |
328 |
+ |
329 |
+ } else { |
330 |
header( 'Cache-Control: no-store, no-cache, must-revalidate' ); |
331 |
- header( 'Cache-Control: post-check=0, pre-check=0', false ); |
332 |
} |
333 |
+ |
334 |
header( 'Expires: ' . gmdate( 'D, d M Y H:i:s \G\M\T', time() ) ); |
335 |
|
336 |
# SEND USER-DEFINED HEADERS |
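Review bot: `$t_user_agent = $_SERVER['HTTP_USER_AGENT'];` raises an undefined-index notice when no User-Agent header is sent (scripts, some proxies), and `if ( strpos( $t_user_agent, 'MSIE' ) )` is a truthiness test that misses a match at offset 0. Use `$t_user_agent = isset( $_SERVER['HTTP_USER_AGENT'] ) ? $_SERVER['HTTP_USER_AGENT'] : '';` and `if ( strpos( $t_user_agent, 'MSIE' ) !== false ) {`. The no-cache branch also drops the `Pragma: no-cache` header; HTTP/1.1 clients honour Cache-Control, but if older proxies matter to this project the Pragma line was cheap to keep.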