| 1 |
pva 08/09/29 07:00:23 |
| 2 |
|
| 3 |
Added: mantisbt-1.1.2-svn-5369:5587.patch |
| 4 |
Removed: mantisbt-1.0.8-avoid-XS-type-in-schema.php.patch |
| 5 |
mantisbt-1.0.8-avoid-XSS-in-file_api.php.patch |
| 6 |
Log: |
| 7 |
Pushing fixes from svn, should fix security issue #238570, thank Robert Buchholz for report. Remove old. |
| 8 |
(Portage version: 2.2_rc11/cvs/Linux 2.6.26-gentoo-r1 i686) |
| 9 |
|
| 10 |
Revision Changes Path |
| 11 |
1.1 www-apps/mantisbt/files/mantisbt-1.1.2-svn-5369:5587.patch |
| 12 |
|
| 13 |
file : http://sources.gentoo.org/viewcvs.py/gentoo-x86/www-apps/mantisbt/files/mantisbt-1.1.2-svn-5369:5587.patch?rev=1.1&view=markup |
| 14 |
plain: http://sources.gentoo.org/viewcvs.py/gentoo-x86/www-apps/mantisbt/files/mantisbt-1.1.2-svn-5369:5587.patch?rev=1.1&content-type=text/plain |
| 15 |
|
| 16 |
Index: mantisbt-1.1.2-svn-5369:5587.patch |
| 17 |
=================================================================== |
| 18 |
Index: doc/ChangeLog |
| 19 |
=================================================================== |
| 20 |
--- doc/ChangeLog (revision 5369) |
| 21 |
+++ doc/ChangeLog (revision 5587) |
| 22 |
@@ -2,6 +2,8 @@ |
| 23 |
|
| 24 |
2008.06.17 - 1.1.2 |
| 25 |
==================== |
| 26 |
+This release focused on fixing few security issues; also includes assorted fixes for translations, usability and compatibility (most notably, with postgres) and a nasty memory leak on the string API causing incomplete rendering of pages. All users are advised to upgrade. |
| 27 |
+ |
| 28 |
- 0008974: [security] XSS Vulnerability in filters (thraxisp) - closed. |
| 29 |
- 0008975: [security] CSRF Vulnerabilities in user_create (jreese) - closed. |
| 30 |
- 0008976: [security] Remote Code Execution in adm_config (giallu) - closed. |
| 31 |
Index: config_defaults_inc.php |
| 32 |
=================================================================== |
| 33 |
--- config_defaults_inc.php (revision 5369) |
| 34 |
+++ config_defaults_inc.php (revision 5587) |
| 35 |
@@ -149,6 +149,9 @@ |
| 36 |
# 'memcached' -> Memcached storage sessions |
| 37 |
$g_session_handler = 'php'; |
| 38 |
|
| 39 |
+ # Session save path. If false, uses default value as set by session handler. |
| 40 |
+ $g_session_save_path = false; |
| 41 |
+ |
| 42 |
############################# |
| 43 |
# Configuration Settings |
| 44 |
############################# |
| 45 |
@@ -1938,4 +1941,4 @@ |
| 46 |
|
| 47 |
# The twitter account password. |
| 48 |
$g_twitter_password = ''; |
| 49 |
-?> |
| 50 |
+ |
| 51 |
Index: bug_graph_bystatus.php |
| 52 |
=================================================================== |
| 53 |
--- bug_graph_bystatus.php (revision 5369) |
| 54 |
+++ bug_graph_bystatus.php (revision 5587) |
| 55 |
@@ -148,6 +148,8 @@ |
| 56 |
} |
| 57 |
|
| 58 |
ksort($t_view_status); |
| 59 |
+ $t_label_string = lang_get('orct'); //use the (open/resolved/closed/total) label |
| 60 |
+ $t_label_strings = explode('/', substr($t_label_string, 1, strlen($t_label_string)-2)); |
| 61 |
|
| 62 |
// add headers for table |
| 63 |
if ($f_show_as_table) { |
| 64 |
@@ -159,9 +161,9 @@ |
| 65 |
html_body_begin(); |
| 66 |
echo '<table class="width100"><tr><td></td>'; |
| 67 |
if ($f_summary) { |
| 68 |
- echo '<th>' . lang_get_defaulted('open') . '</th>'; |
| 69 |
- echo '<th>' . lang_get_defaulted('resolved') . '</th>'; |
| 70 |
- echo '<th>' . lang_get_defaulted('closed') . '</th>'; |
| 71 |
+ echo '<th>' . $t_label_strings[0] . '</th>'; |
| 72 |
+ echo '<th>' . $t_label_strings[1] . '</th>'; |
| 73 |
+ echo '<th>' . $t_label_strings[2] . '</th>'; |
| 74 |
} else { |
| 75 |
foreach ( $t_view_status as $t_status => $t_label ) { |
| 76 |
echo '<th>'.$t_label.' ('.$t_status.')</th>'; |
| 77 |
@@ -176,9 +178,9 @@ |
| 78 |
$t_labels = array(); |
| 79 |
$i = 0; |
| 80 |
if ($f_summary) { |
| 81 |
- $t_labels[++$i] = lang_get_defaulted('open'); |
| 82 |
- $t_labels[++$i] = lang_get_defaulted('resolved'); |
| 83 |
- $t_labels[++$i] = lang_get_defaulted('closed'); |
| 84 |
+ $t_labels[++$i] = $t_label_strings[0]; |
| 85 |
+ $t_labels[++$i] = $t_label_strings[1]; |
| 86 |
+ $t_labels[++$i] = $t_label_strings[2]; |
| 87 |
} else { |
| 88 |
foreach ( $t_view_status as $t_status => $t_label ) { |
| 89 |
$t_labels[++$i] = isset($t_status_labels[$t_status]) ? $t_status_labels[$t_status] : lang_get_defaulted($t_label); |
| 90 |
@@ -228,6 +230,6 @@ |
| 91 |
html_body_end(); |
| 92 |
html_end(); |
| 93 |
} else { |
| 94 |
- graph_bydate( $t_metrics, $t_labels, lang_get( 'by_category' ), $f_width, $f_width * $t_ar ); |
| 95 |
+ graph_bydate( $t_metrics, $t_labels, lang_get( 'by_status' ), $f_width, $f_width * $t_ar ); |
| 96 |
} |
| 97 |
?> |
| 98 |
\ No newline at end of file |
| 99 |
Index: manage_user_prune.php |
| 100 |
=================================================================== |
| 101 |
--- manage_user_prune.php (revision 5369) |
| 102 |
+++ manage_user_prune.php (revision 5587) |
| 103 |
@@ -1,4 +1,4 @@ |
| 104 |
-2<?php |
| 105 |
+<?php |
| 106 |
# Mantis - a php based bugtracking system |
| 107 |
|
| 108 |
# Copyright (C) 2000 - 2002 Kenzaburo Ito - kenito@×××××××.org |
| 109 |
Index: manage_proj_edit_page.php |
| 110 |
=================================================================== |
| 111 |
--- manage_proj_edit_page.php (revision 5369) |
| 112 |
+++ manage_proj_edit_page.php (revision 5587) |
| 113 |
@@ -527,7 +527,8 @@ |
| 114 |
<td class="center"> |
| 115 |
<?php |
| 116 |
# You need global permissions to edit custom field defs |
| 117 |
- print_button( "manage_proj_custom_field_remove.php?field_id={$t_field_id}&project_id={$f_project_id}", lang_get( 'remove_link' ) ); |
| 118 |
+ $t_remove_token = form_security_param( 'manage_proj_custom_field_remove' ); |
| 119 |
+ print_button( "manage_proj_custom_field_remove.php?field_id={$t_field_id}&project_id={$f_project_id}$t_remove_token", lang_get( 'remove_link' ) ); |
| 120 |
?> |
| 121 |
</td> |
| 122 |
</tr> |
| 123 |
Index: core/bug_api.php |
| 124 |
=================================================================== |
| 125 |
--- core/bug_api.php (revision 5369) |
| 126 |
+++ core/bug_api.php (revision 5587) |
| 127 |
@@ -1264,9 +1264,6 @@ |
| 128 |
# the relationship type is already set. Nothing to do |
| 129 |
} |
| 130 |
else if ( $t_id_relationship > 0 ) { |
| 131 |
- # there is already a relationship between them -> we have to update it and not to add a new one |
| 132 |
- helper_ensure_confirmed( lang_get( 'replace_relationship_sure_msg' ), lang_get( 'replace_relationship_button' ) ); |
| 133 |
- |
| 134 |
# Update the relationship |
| 135 |
relationship_update( $t_id_relationship, $p_bug_id, $p_duplicate_id, BUG_DUPLICATE ); |
| 136 |
|
| 137 |
Index: core/print_api.php |
| 138 |
=================================================================== |
| 139 |
--- core/print_api.php (revision 5369) |
| 140 |
+++ core/print_api.php (revision 5587) |
| 141 |
@@ -304,7 +304,7 @@ |
| 142 |
?> |
| 143 |
<input type="hidden" id="tag_separator" value="<?php echo config_get( 'tag_separator' ) ?>" /> |
| 144 |
<input type="text" name="tag_string" id="tag_string" size="40" value="<?php echo string_attribute( $p_string ) ?>" /> |
| 145 |
- <select <?php echo helper_get_tab_index() ?> name="tag_select" id="tag_select"> |
| 146 |
+ <select <?php echo helper_get_tab_index() ?> name="tag_select" id="tag_select" onchange="tag_string_append( this.options[ this.selectedIndex ].text );"> |
| 147 |
<?php print_tag_option_list( $p_bug_id ); ?> |
| 148 |
</select> |
| 149 |
<?php |
| 150 |
@@ -334,7 +334,7 @@ |
| 151 |
|
| 152 |
echo '<option value="0">',lang_get( 'tag_existing' ),'</option>'; |
| 153 |
while ( $row = db_fetch_array( $result ) ) { |
| 154 |
- echo '<option value="',$row['id'],'" onclick="tag_string_append(\'',$row['name'],'\')">',$row['name'],'</option>'; |
| 155 |
+ echo '<option value="',$row['id'],'">',$row['name'],'</option>'; |
| 156 |
} |
| 157 |
} |
| 158 |
|
| 159 |
Index: core/user_api.php |
| 160 |
=================================================================== |
| 161 |
--- core/user_api.php (revision 5369) |
| 162 |
+++ core/user_api.php (revision 5587) |
| 163 |
@@ -655,10 +655,22 @@ |
| 164 |
} else { |
| 165 |
$t_default_image = config_get( 'default_avatar' ); |
| 166 |
$t_size = 80; |
| 167 |
- $t_avatar_url = "http://www.gravatar.com/avatar.php?gravatar_id=" . md5( $t_email ) . |
| 168 |
- "&default=" . urlencode( $t_default_image ) . |
| 169 |
- "&size=" . $t_size . |
| 170 |
- "&rating=G"; |
| 171 |
+ |
| 172 |
+ $t_use_ssl = false; |
| 173 |
+ if ( isset( $_SERVER['HTTPS'] ) && ( strtolower( $_SERVER['HTTPS'] ) != 'off' ) ) { |
| 174 |
+ $t_use_ssl = true; |
| 175 |
+ } |
| 176 |
+ |
| 177 |
+ if ( !$t_use_ssl ) { |
| 178 |
+ $t_gravatar_domain = 'http://www.gravatar.com/'; |
| 179 |
+ } else { |
| 180 |
+ $t_gravatar_domain = 'https://secure.gravatar.com/'; |
| 181 |
+ } |
| 182 |
+ |
| 183 |
+ $t_avatar_url = $t_gravatar_domain . 'avatar.php?gravatar_id=' . md5( $t_email ) . |
| 184 |
+ '&default=' . urlencode( $t_default_image ) . |
| 185 |
+ '&size=' . $t_size . |
| 186 |
+ '&rating=G'; |
| 187 |
$t_result = array( $t_avatar_url, $t_size, $t_size ); |
| 188 |
} |
| 189 |
|
| 190 |
Index: core/bugnote_api.php |
| 191 |
=================================================================== |
| 192 |
--- core/bugnote_api.php (revision 5369) |
| 193 |
+++ core/bugnote_api.php (revision 5587) |
| 194 |
@@ -99,7 +99,7 @@ |
| 195 |
# Add a bugnote to a bug |
| 196 |
# |
| 197 |
# return the ID of the new bugnote |
| 198 |
- function bugnote_add ( $p_bug_id, $p_bugnote_text, $p_time_tracking = '0:00', $p_private = false, $p_type = 0, $p_attr = '', $p_user_id = null ) { |
| 199 |
+ function bugnote_add ( $p_bug_id, $p_bugnote_text, $p_time_tracking = '0:00', $p_private = false, $p_type = 0, $p_attr = '', $p_user_id = null, $p_send_email = TRUE ) { |
| 200 |
$c_bug_id = db_prepare_int( $p_bug_id ); |
| 201 |
$c_bugnote_text = db_prepare_string( $p_bugnote_text ); |
| 202 |
$c_time_tracking = db_prepare_time( $p_time_tracking ); |
| 203 |
Index: core/session_api.php |
| 204 |
=================================================================== |
| 205 |
--- core/session_api.php (revision 5369) |
| 206 |
+++ core/session_api.php (revision 5587) |
| 207 |
@@ -49,6 +49,15 @@ |
| 208 |
*/ |
| 209 |
class MantisPHPSession extends MantisSession { |
| 210 |
function __construct() { |
| 211 |
+ $t_session_save_path = config_get_global( 'session_save_path' ); |
| 212 |
+ if ( $t_session_save_path ) { |
| 213 |
+ session_save_path( $t_session_save_path ); |
| 214 |
+ } |
| 215 |
+ |
| 216 |
+ session_cache_limiter( 'private_no_expire' ); |
| 217 |
+ if ( isset( $_SERVER['HTTPS'] ) && ( strtolower( $_SERVER['HTTPS'] ) != 'off' ) ) { |
| 218 |
+ session_set_cookie_params( 0, config_get( 'cookie_path' ), config_get( 'cookie_domain' ), true, true ); |
| 219 |
+ } |
| 220 |
session_start(); |
| 221 |
$this->id = session_id(); |
| 222 |
} |
| 223 |
Index: core/string_api.php |
| 224 |
=================================================================== |
| 225 |
--- core/string_api.php (revision 5369) |
| 226 |
+++ core/string_api.php (revision 5587) |
| 227 |
@@ -306,7 +306,7 @@ |
| 228 |
if ( !isset( $string_process_bug_link_callback[$p_include_anchor][$p_detail_info][$p_fqdn] ) ) { |
| 229 |
if ($p_include_anchor) { |
| 230 |
$string_process_bug_link_callback[$p_include_anchor][$p_detail_info][$p_fqdn] = create_function('$p_array',' |
| 231 |
- if (bug_exists( (int)$p_array[2] ) ) { |
| 232 |
+ if ( bug_exists( (int)$p_array[2] ) && access_has_bug_level( VIEWER, (int)$p_array[2] ) ) { |
| 233 |
return $p_array[1] . string_get_bug_view_link( (int)$p_array[2], null, ' . ($p_detail_info ? 'true' : 'false') . ', ' . ($p_fqdn ? 'true' : 'false') . '); |
| 234 |
} else { |
| 235 |
return $p_array[0]; |
| 236 |
Index: bug_update.php |
| 237 |
=================================================================== |
| 238 |
--- bug_update.php (revision 5369) |
| 239 |
+++ bug_update.php (revision 5587) |
| 240 |
@@ -31,8 +31,6 @@ |
| 241 |
require_once( $t_core_path.'bugnote_api.php' ); |
| 242 |
require_once( $t_core_path.'custom_field_api.php' ); |
| 243 |
|
| 244 |
- form_security_validate( 'bug_update' ); |
| 245 |
- |
| 246 |
$f_bug_id = gpc_get_int( 'bug_id' ); |
| 247 |
$f_update_mode = gpc_get_bool( 'update_mode', FALSE ); # set if called from generic update page |
| 248 |
$f_new_status = gpc_get_int( 'status', bug_get_field( $f_bug_id, 'status' ) ); |
| 249 |
@@ -140,6 +138,8 @@ |
| 250 |
} |
| 251 |
} |
| 252 |
|
| 253 |
+ form_security_validate( 'bug_update' ); |
| 254 |
+ |
| 255 |
$t_notify = true; |
| 256 |
$t_bug_note_set = false; |
| 257 |
if ( ( $t_old_bug_status != $t_bug_data->status ) && ( FALSE == $f_update_mode ) ) { |
| 258 |
Index: manage_config_work_threshold_page.php |
| 259 |
=================================================================== |
| 260 |
--- manage_config_work_threshold_page.php (revision 5369) |
| 261 |
+++ manage_config_work_threshold_page.php (revision 5587) |
| 262 |
@@ -322,6 +322,7 @@ |
| 263 |
|
| 264 |
if ( $t_show_submit && ( 0 < count( $t_overrides ) ) ) { |
| 265 |
echo "<div class=\"right\"><form name=\"threshold_config_action\" method=\"post\" action=\"manage_config_revert.php\">\n"; |
| 266 |
+ echo form_security_field( 'manage_config_revert' ); |
| 267 |
echo "<input name=\"revert\" type=\"hidden\" value=\"" . implode( ',', $t_overrides ) . "\"></input>"; |
| 268 |
echo "<input name=\"project\" type=\"hidden\" value=\"$t_project_id\"></input>"; |
| 269 |
echo "<input name=\"return\" type=\"hidden\" value=\"" . $_SERVER['PHP_SELF'] ."\"></input>"; |
| 270 |
Index: adm_config_set.php |
| 271 |
=================================================================== |
| 272 |
--- adm_config_set.php (revision 5369) |
| 273 |
+++ adm_config_set.php (revision 5587) |
| 274 |
@@ -81,7 +81,7 @@ |
| 275 |
# 2. simple arrays with the form: array( a, b, c, d ) |
| 276 |
# 3. associative arrays with the form: array( a=>1, b=>2, c=>3, d=>4 ) |
| 277 |
$t_full_string = trim( $f_value ); |
| 278 |
- if ( preg_match('/array\((.*)\)/', $t_full_string, $t_match ) === 1 ) { |
| 279 |
+ if ( preg_match('/array[\s]*\((.*)\)/', $t_full_string, $t_match ) === 1 ) { |
| 280 |
// we have an array here |
| 281 |
$t_values = split( ',', trim( $t_match[1] ) ); |
| 282 |
foreach ( $t_values as $key => $value ) { |
| 283 |
Index: roadmap_page.php |
| 284 |
=================================================================== |
| 285 |
--- roadmap_page.php (revision 5369) |
| 286 |
+++ roadmap_page.php (revision 5587) |
| 287 |
@@ -195,7 +195,7 @@ |
| 288 |
$t_issue_id = $t_issue_ids[$k]; |
| 289 |
$t_issue_parent = $t_issue_parents[$k]; |
| 290 |
|
| 291 |
- if ( in_array( $t_issue_id, $t_cycle_ids ) || in_array( $t_parent_id, $t_cycle_ids ) ) { |
| 292 |
+ if ( in_array( $t_issue_id, $t_cycle_ids ) || in_array( $t_issue_parent, $t_cycle_ids ) ) { |
| 293 |
$t_cycle = true; |
| 294 |
} else { |
| 295 |
$t_cycle = false; |
| 296 |
Index: core.php |
| 297 |
=================================================================== |
| 298 |
--- core.php (revision 5369) |
| 299 |
+++ core.php (revision 5587) |
| 300 |
@@ -144,15 +144,33 @@ |
| 301 |
# OPENED ANYWHERE ELSE. |
| 302 |
require_once( $t_core_path.'database_api.php' ); |
| 303 |
|
| 304 |
+ # Basic browser detection |
| 305 |
+ $t_user_agent = $_SERVER['HTTP_USER_AGENT']; |
| 306 |
+ |
| 307 |
+ $t_browser_name = 'Normal'; |
| 308 |
+ if ( strpos( $t_user_agent, 'MSIE' ) ) { |
| 309 |
+ $t_browser_name = 'IE'; |
| 310 |
+ } |
| 311 |
+ |
| 312 |
# Headers to prevent caching |
| 313 |
# with option to bypass if running from script |
| 314 |
global $g_bypass_headers, $g_allow_browser_cache; |
| 315 |
if ( !isset( $g_bypass_headers ) && !headers_sent() ) { |
| 316 |
- if ( ! isset( $g_allow_browser_cache ) ) { |
| 317 |
- header( 'Pragma: no-cache' ); |
| 318 |
+ |
| 319 |
+ if ( isset( $g_allow_browser_cache ) ) { |
| 320 |
+ switch ( $t_browser_name ) { |
| 321 |
+ case 'IE': |
| 322 |
+ header( 'Cache-Control: private, proxy-revalidate' ); |
| 323 |
+ break; |
| 324 |
+ default: |
| 325 |
+ header( 'Cache-Control: private, must-revalidate' ); |
| 326 |
+ break; |
| 327 |
+ } |
| 328 |
+ |
| 329 |
+ } else { |
| 330 |
header( 'Cache-Control: no-store, no-cache, must-revalidate' ); |
| 331 |
- header( 'Cache-Control: post-check=0, pre-check=0', false ); |
| 332 |
} |
| 333 |
+ |
| 334 |
header( 'Expires: ' . gmdate( 'D, d M Y H:i:s \G\M\T', time() ) ); |
| 335 |
|
| 336 |
# SEND USER-DEFINED HEADERS |
Archives