Comparing changes

base repository: mantisbt/mantisbt
base: cad51f2
head repository: mantisbt/mantisbt
compare: 955d1cb
  • 3 commits
  • 5 files changed
  • 1 contributor

Commits on Sep 5, 2011

  1. Remove use of filter_var(...) for master-1.2.x

    Robert Munteanu correctly mentioned on the mailing list that the
    master-1.2.x branch needs to work with PHP 5.1. The filter_var(...)
    function is not available in PHP <5.2 and therefore we can't use it in
    the master-1.2.x branch.
    
    We can achieve similar results by removing all null characters from the
    string (\0). This is OK for our use case which is the use of
    $_SERVER['SCRIPT_NAME'] - a value that is set by the server and cannot
    be manipulated by remote users (like PHP_SELF).
    davidhicks committed Sep 5, 2011
    cb67e6a
  2. 9883363
  3. Fix #13141: Incorrect parameters to config_get function

    Thanks to Todd Whitesel for finding this problem in filter_api.php and
    to Roland Becker for providing further assistance.
    
    I have grepped the source code and reviewed all other calls to
    config_get to ensure they correctly use parameters. There was one
    additional bug discovered in bug_report_page.php.
    davidhicks committed Sep 5, 2011
    955d1cb
Showing with 27 additions and 4 deletions.
  1. +1 −1 bug_report_page.php
  2. +1 −1 config_defaults_inc.php
  3. +1 −1 core/constant_inc.php
  4. +1 −1 core/filter_api.php
  5. +23 −0 doc/RELEASE
2 changes: 1 addition & 1 deletion bug_report_page.php
@@ -56,7 +56,7 @@
$t_bug = bug_get( $f_master_bug_id, true );

# the user can at least update the master bug (needed to add the relationship)...
access_ensure_bug_level( config_get( 'update_bug_threshold', null, $t_bug->project_id ), $f_master_bug_id );
access_ensure_bug_level( config_get( 'update_bug_threshold', null, null, $t_bug->project_id ), $f_master_bug_id );

#@@@ (thraxisp) Note that the master bug is cloned into the same project as the master, independent of
# what the current project is set to.
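Review bot: Worth adding a regression test for this, since the old call passed $t_bug->project_id in the user slot of config_get() rather than the project slot, so a project-specific update_bug_threshold was ignored on this access check and the threshold was instead resolved for a user id equal to the project id. A test that sets update_bug_threshold for one project and then clones a bug in that project would catch a repeat of the same argument mix-up.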
2 changes: 1 addition & 1 deletion config_defaults_inc.php
@@ -113,7 +113,7 @@
}

$t_self = $_SERVER['SCRIPT_NAME'];
$t_self = filter_var( $t_self, FILTER_SANITIZE_STRING );
$t_self = trim( str_replace( "\0", '', $t_self ) );
$t_path = str_replace( basename( $t_self ), '', $t_self );
$t_path = basename( $t_path ) == "admin" ? dirname( $t_path ) . '/' : $t_path;
$t_path = basename( $t_path ) == "soap" ? dirname( dirname( $t_path ) ) . '/' : $t_path;
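Review bot: The replacement is narrower than what it removes: FILTER_SANITIZE_STRING stripped tags and encoded quotes, while the new line only drops NUL bytes, and it adds a trim() that was not there before, so leading and trailing whitespace in SCRIPT_NAME is now silently discarded. That is acceptable only under the assumption stated in the commit message that SCRIPT_NAME is set by the server and not by the client; since $t_path is built from it on the following lines, please record that assumption in a comment above the new line, e.g. `# SCRIPT_NAME comes from the web server, not the client; only NUL bytes need stripping`, so that a later reader does not mistake this for general input sanitisation.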
2 changes: 1 addition & 1 deletion core/constant_inc.php
@@ -14,7 +14,7 @@
# You should have received a copy of the GNU General Public License
# along with MantisBT. If not, see <http://www.gnu.org/licenses/>.

define( 'MANTIS_VERSION', '1.2.7' );
define( 'MANTIS_VERSION', '1.2.8' );

# --- constants -------------------
# magic numbers
2 changes: 1 addition & 1 deletion core/filter_api.php
@@ -4484,7 +4484,7 @@ function filter_db_get_filter( $p_filter_id, $p_user_id = null ) {
}

# check that the user has access to non current filters
if(( ALL_PROJECTS <= $row['project_id'] ) && ( !is_blank( $row['name'] ) ) && ( !access_has_project_level( config_get( 'stored_query_use_threshold', $row['project_id'], $t_user_id ) ) ) ) {
if(( ALL_PROJECTS <= $row['project_id'] ) && ( !is_blank( $row['name'] ) ) && ( !access_has_project_level( config_get( 'stored_query_use_threshold', null, $t_user_id, $row['project_id'] ) ) ) ) {
return null;
}
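Review bot: access_has_project_level() is still called with the threshold only, so the access check runs against the current project even though the threshold is now resolved for $row['project_id']; if the intent is to check access to the filter's own project, pass $row['project_id'] as the second argument of access_has_project_level() as well. The reordering of the config_get() arguments itself is right: the old call put $row['project_id'] in the default-value slot and $t_user_id in the user slot with no project at all, so the threshold was looked up project-independently.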

23 changes: 23 additions & 0 deletions doc/RELEASE
@@ -1,5 +1,27 @@
MantisBT Release Notes

1.2.8 Security Release (2011-09-05)
-------------------------------------------------

MantisBT 1.2.8 is a security update for the stable 1.2.x branch. All
installations that are currently running any 1.2.x version are advised to
upgrade to this release.

Paulino Calderon from Websec, High-Tech Bridge Security Research Lab and Paul
Richards discovered 3 vulnerabilities:
- 1x local file inclusion (LFI)/directory traversal
- 2x cross site scriptin (XSS)

These vulnerabilities could have very severe consequences for users of
MantisBT, particularly as a result of the local file inclusion vulnerability.
If an attacker can upload their own PHP script to the server as an attachment,
they may be able to execute this script using the LFI vulnerability.

Refer to issues #13191 and #13281 for detailed information.

A full changelog for the 1.2.x series can be found on the official site. [1]


1.2.7 Security Release (2011-08-19)
-------------------------------------------------

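Review bot: Typo in the added vulnerability list: "cross site scriptin" should read "cross site scripting". It would also help readers to tie each of the three items to its tracker issue, since #13191 and #13281 are only cited collectively a few lines further down, and to state in the list itself that the LFI is conditional on the attacker already being able to upload an attachment, which the paragraph below says but the bullet does not.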
@@ -182,6 +204,7 @@ There have also been many improvements to the codebase beyond adding features:

[1] The changelog is split between multiple releases:

1.2.8 http://www.mantisbt.org/bugs/changelog_page.php?version_id=139
1.2.7 http://www.mantisbt.org/bugs/changelog_page.php?version_id=138
1.2.6 http://www.mantisbt.org/bugs/changelog_page.php?version_id=114
1.2.5 http://www.mantisbt.org/bugs/changelog_page.php?version_id=113