Comparing changes

base repository: mantisbt/mantisbt, base: 4f47fef
head repository: mantisbt/mantisbt, compare: c72844b

  • 7 commits
  • 8 files changed
  • 1 contributor

Commits on Mar 30, 2012

  1. Revert "Prevent selection of released version as target"

    This reverts commit 3af57d2.
    
    The way this feature was implemented in release 1.2.9 introduced
    regressions for several users.
    
    Affects #11706
    dregad committed Mar 30, 2012, daf3c83 (signed with the committer's verified signature; key has expired)
  2. Fix #4465: Add config to disable 'save login' feature

    To increase security, the administrator may want to prevent users from
    using a 'permanent' cookie, thus forcing them to authenticate each time
    they start a new session.
    
    The new config option 'g_allow_permanent_cookie' enables this.
    dregad committed Mar 30, 2012, 5698617 (signed with the committer's verified signature; key has expired)
  3. Documentation for new config $g_allow_permanent_cookie

    Affects #4465
    dregad committed Mar 30, 2012, 43fcb21 (signed with the committer's verified signature; key has expired)
  4. Add 'allow_permanent_cookie' to g_global_settings

    Also reflowed the array definition to avoid long lines
    
    Fixes #4465
    dregad committed Mar 30, 2012, 6a9f3a8 (signed with the committer's verified signature; key has expired)
  5. Prevent setting permanent cookie using hand-crafted login.php

    This commit prevents hand-crafted calls to login.php from setting a
    permanent cookie when its use is disabled via the allow_permanent_cookie
    setting.
    
    Thanks to Roland Becker for catching this.
    
    Fixes #4465
    dregad committed Mar 30, 2012, 568ee14
  6. PHPdoc and whitespace fixes in config_defaults_inc.php

    Removed < > around pre in the comment for g_wrap_in_preformatted_text,
    which was causing a syntax error when compiling PHPdoc.
    dregad committed Mar 30, 2012, 31fc7a6
  7. c72844b
Showing with 72 additions and 32 deletions.
  1. +0 −3 bug_actiongroup_page.php
  2. +3 −3 bug_report_page.php
  3. +6 −6 bug_update_advanced_page.php
  4. +29 −15 config_defaults_inc.php
  5. +11 −2 core/config_api.php
  6. +9 −0 docbook/adminguide/en/configuration.sgml
  7. +6 −2 login.php
  8. +8 −1 login_page.php
3 changes: 0 additions & 3 deletions bug_actiongroup_page.php
@@ -265,9 +265,6 @@
print_enum_string_option_list( 'view_state', config_get( 'default_bug_view_status' ) );
break;
case 'UP_TARGET_VERSION':
print_version_option_list( '', $t_project_id, VERSION_FUTURE,
/* allow blank version */ true, /* include subprojects */ true );
break;
case 'UP_FIXED_IN_VERSION':
print_version_option_list( '', $t_project_id, VERSION_ALL,
/* allow blank version */ true, /* include subprojects */ true );
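Review bot: with the separate VERSION_FUTURE branch for UP_TARGET_VERSION gone, that case now falls through to the VERSION_ALL list shared with UP_FIXED_IN_VERSION, so released versions become selectable as a target again. That is the stated intent of the revert, but it should be called out in the release notes, since users who relied on the 1.2.9 behaviour will see the restriction silently disappear.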
6 changes: 3 additions & 3 deletions bug_report_page.php
@@ -210,7 +210,7 @@
</tr>
<?php
}

if ( $tpl_show_eta ) {
?>

@@ -226,7 +226,7 @@
</tr>
<?php
}

if ( $tpl_show_severity ) {
?>
<tr <?php echo helper_alternate_class() ?>>
@@ -413,7 +413,7 @@
</td>
<td>
<select <?php echo helper_get_tab_index() ?> name="target_version">
<?php print_version_option_list( '', null, VERSION_FUTURE ) ?>
<?php print_version_option_list() ?>
</select>
</td>
</tr>
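Review bot: `print_version_option_list()` with no arguments now relies entirely on the function's defaults for the selected version, the project and which versions are listed. Spelling out at least the VERSION_ALL argument, as bug_update_advanced_page.php does in this same change, would make the intent readable and keep the two pages in step if the defaults ever change.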
12 changes: 6 additions & 6 deletions bug_update_advanced_page.php
@@ -206,7 +206,7 @@

if ( $tpl_show_reporter ) {
echo '<tr ', helper_alternate_class(), '>';

$t_spacer = 4;

if ( $tpl_show_reporter ) {
@@ -240,7 +240,7 @@

if ( $tpl_show_handler || $tpl_show_due_date ) {
echo '<tr ', helper_alternate_class(), '>';

$t_spacer = 2;

# Assigned To
@@ -288,7 +288,7 @@
} else {
$t_spacer += 2;
}

# spacer
echo '<td colspan="', $t_spacer, '">&#160;</td>';

@@ -301,7 +301,7 @@

if ( $tpl_show_priority || $tpl_show_severity || $tpl_show_reproducibility ) {
echo '<tr ', helper_alternate_class(), '>';

$t_spacer = 0;

if ( $tpl_show_priority ) {
@@ -525,7 +525,7 @@
}

#
# Target Version, Fixed in Version
# Target Versiom, Fixed in Version
#

if ( $tpl_show_target_version || $tpl_show_fixed_in_version ) {
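Review bot: the revert brings the misspelling "Target Versiom" back into the section comment; the spelling fix was an incidental part of 3af57d2 and is worth keeping, so consider restoring "Target Version" in a separate typo commit.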
@@ -537,7 +537,7 @@
if ( $tpl_show_target_version ) {
echo '<td class="category">', lang_get( 'target_version' ), '</td>';
echo '<td><select ', helper_get_tab_index(), ' name="target_version">';
print_version_option_list( $tpl_bug->target_version, $tpl_bug->project_id, VERSION_FUTURE );
print_version_option_list( $tpl_bug->target_version, $tpl_bug->project_id, VERSION_ALL );
echo '</select></td>';
} else {
$t_spacer += 2;
44 changes: 29 additions & 15 deletions config_defaults_inc.php
@@ -970,6 +970,15 @@
*/
$g_cookie_time_length = 30000000;

/**
* Allow users to opt for a 'permanent' cookie when logging in
* Controls the display of the 'Remember my login in this browser' checkbox
* on the login page
* @see $g_cookie_time_length
* @global int $g_allow_permanent_cookie
*/
$g_allow_permanent_cookie = ON;

/**
* minutes to wait before document is stale (in minutes)
* @global int $g_content_expire
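Review bot: the docblock for $g_allow_permanent_cookie describes the setting only as controlling the checkbox display, but login.php in this same series also enforces it server-side (`$f_perm_login = $t_allow_perm_login && gpc_get_bool( 'perm_login' );`), so the comment should say that a permanent cookie is refused regardless of what the form submits. It would also help to state that ON is the backward-compatible default and that OFF forces re-authentication on every new browser session, which is the security trade-off the commit message describes.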
@@ -1644,9 +1653,9 @@
$g_max_dropdown_length = 40;

/**
* This flag conntrolls whether pre-formatted text (delimited by <pre> tags
* is wrapped to a maximum linelength (defaults to 100 chars in strings_api)
* If turned off, the display may be wide when viewing the text
* This flag controls whether pre-formatted text (delimited by HTML pre tags
* is wrapped to a maximum line length (defaults to 100 chars in strings_api)
* If turned off, the display may be wide when viewing the text
* @global int $g_wrap_in_preformatted_text
*/
$g_wrap_in_preformatted_text = ON;
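Review bot: the reworded comment still opens a parenthesis that is never closed: "(delimited by HTML pre tags" needs a ")" before "is wrapped".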
@@ -3885,18 +3894,23 @@
* @global array $g_global_settings
*/
$g_global_settings = array(
'path', 'icon_path', 'short_path', 'absolute_path', 'core_path', 'class_path', 'absolute_path_default_upload_folder',
'ldap_simulation_file_path', 'cookie_path', 'plugin_path', 'db_table_prefix', 'db_table_suffix', 'db_table',
'cookie_time_length', 'cookie_domain', 'cookie_version', 'cookie_prefix', 'string_cookie', 'project_cookie',
'view_all_cookie', 'manage_cookie', 'logout_cookie', 'bug_list_cookie', 'db_username', 'db_password', 'db_schema', 'db_type',
'hostname', 'allow_signup', 'database_name', 'show_queries_count', 'show_queries_threshold', 'show_queries_list',
'admin_checks', 'version_suffix', 'global_settings', 'use_iis', 'default_language', 'language_choices_arr',
'language_auto_map', 'fallback_language', 'use_javascript', 'minimal_jscss', 'display_errors', 'show_detailed_errors',
'stop_on_errors', 'login_method', 'fileinfo_magic_db_file', 'css_include_file', 'css_rtl_include_file', 'meta_include_file',
'allow_anonymous_login', 'anonymous_account', 'content_expire', 'html_valid_tags', 'html_valid_tags_single_line',
'custom_headers', 'rss_key_seed', 'plugins_enabled', 'session_handler', 'session_key', 'session_save_path',
'session_validation', 'form_security_validation', 'compress_html', 'bottom_include_page', 'top_include_page',
'default_home_page', 'logout_redirect_page', 'manual_url', 'logo_url', 'create_short_url', 'wiki_engine_url',
'path', 'icon_path', 'short_path', 'absolute_path', 'core_path', 'class_path',
'absolute_path_default_upload_folder', 'ldap_simulation_file_path', 'cookie_path',
'plugin_path', 'db_table_prefix', 'db_table_suffix', 'db_table', 'allow_permanent_cookie',
'cookie_time_length', 'cookie_domain', 'cookie_version', 'cookie_prefix',
'string_cookie', 'project_cookie', 'view_all_cookie', 'manage_cookie', 'logout_cookie',
'bug_list_cookie', 'db_username', 'db_password', 'db_schema', 'db_type', 'hostname',
'allow_signup', 'database_name', 'show_queries_count', 'show_queries_threshold',
'show_queries_list', 'admin_checks', 'version_suffix', 'global_settings', 'use_iis',
'default_language', 'language_choices_arr', 'language_auto_map', 'fallback_language',
'use_javascript', 'minimal_jscss', 'display_errors', 'show_detailed_errors',
'stop_on_errors', 'login_method', 'fileinfo_magic_db_file', 'css_include_file',
'css_rtl_include_file', 'meta_include_file', 'allow_anonymous_login', 'anonymous_account',
'content_expire', 'html_valid_tags', 'html_valid_tags_single_line', 'custom_headers',
'rss_key_seed', 'plugins_enabled', 'session_handler', 'session_key', 'session_save_path',
'session_validation', 'form_security_validation', 'compress_html', 'bottom_include_page',
'top_include_page', 'default_home_page', 'logout_redirect_page', 'manual_url',
'logo_url', 'create_short_url', 'wiki_engine_url',
);

/***************
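Review bot: adding 'allow_permanent_cookie' to $g_global_settings is the important part of this hunk: settings in this list can only be set in config_inc.php and not overridden per project or per user from the database, so the restriction cannot be re-enabled below the global level. Two nits: the entry is placed between 'db_table' and 'cookie_time_length' rather than next to the other cookie_* settings, and mixing the one-line functional change into the reflow makes it easy to miss in review.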
13 changes: 11 additions & 2 deletions core/config_api.php
@@ -600,8 +600,17 @@ function config_eval( $p_value, $p_global = false ) {
return $t_value;
}

# list of configuration variable which may expose webserver details and shouldn't be
# exposed to users or webservices
/**
* Defines if a config variable is considered "private"
*
* The purpose of this function is to avoid exposure of potentially
* sensitive or confidential information to users or web services.
* This includes things such as webserver details, paths, usernames and
* passwords, hostnames/IP addresses, etc.
*
* @param string $p_config_var config variable to evaluate
* @return bool
*/
function config_is_private( $p_config_var ) {
switch( $p_config_var ) {
case 'hostname':
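Review bot: the new PHPdoc should also say that config_is_private() only classifies a variable and does not itself block exposure; any code path that returns configuration values to users or web services has to call it first. With 'allow_permanent_cookie' introduced in this same series, it is worth confirming that leaving it out of the private list is deliberate (it is a policy flag rather than a server detail, so public seems right).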
9 changes: 9 additions & 0 deletions docbook/adminguide/en/configuration.sgml
@@ -850,6 +850,15 @@
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>$g_allow_permanent_cookie</term>
<listitem>
<para>Allow users to opt for a 'permanent' cookie when logging in.
Controls the display of the 'Remember my login in this browser'
checkbox on the login page. See $g_cookie_time_length.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>$g_wait_time</term>
<listitem>
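Review bot: the admin guide entry mirrors the config comment but omits the default value (ON) and the effect of turning it OFF: users must authenticate again whenever they start a new session, and a hand-crafted perm_login submission is ignored. Both points are in the commit messages and belong in the user-facing documentation.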
8 changes: 6 additions & 2 deletions login.php
@@ -26,9 +26,11 @@
*/
require_once( 'core.php' );

$t_allow_perm_login = ( ON == config_get( 'allow_permanent_cookie' ) );

$f_username = gpc_get_string( 'username', '' );
$f_password = gpc_get_string( 'password', '' );
$f_perm_login = gpc_get_bool( 'perm_login' );
$f_perm_login = $t_allow_perm_login && gpc_get_bool( 'perm_login' );
$t_return = string_url( string_sanitize_url( gpc_get_string( 'return', config_get( 'default_home_page' ) ) ) );
$f_from = gpc_get_string( 'from', '' );
$f_secure_session = gpc_get_bool( 'secure_session', false );
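Review bot: enforcing the setting here, by ANDing the submitted perm_login value with $t_allow_perm_login, is the right fix; hiding the checkbox in login_page.php alone would leave the permanent cookie obtainable by submitting perm_login directly, which is exactly what the commit message describes. Style nit: `$f_perm_login` is no longer a raw form value, so the `$f_` prefix is slightly misleading; a separate `$t_perm_login` for the enforced result would keep the naming convention used elsewhere in this file.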
@@ -46,8 +48,10 @@
} else {
$t_redirect_url = 'login_page.php?return=' . $t_return .
'&error=1&username=' . urlencode( $f_username ) .
'&perm_login=' . ( $f_perm_login ? 1 : 0 ) .
'&secure_session=' . ( $f_secure_session ? 1 : 0 );
if( $t_allow_perm_login ) {
$t_redirect_url .= '&perm_login=' . ( $f_perm_login ? 1 : 0 );
}

if ( HTTP_AUTH == config_get( 'login_method' ) ) {
auth_http_prompt();
9 changes: 8 additions & 1 deletion login_page.php
@@ -139,6 +139,9 @@
<input type="password" name="password" size="32" maxlength="<?php echo auth_get_password_max_size(); ?>" />
</td>
</tr>
<?php
if( ON == config_get( 'allow_permanent_cookie' ) ) {
?>
<tr class="row-1">
<td class="category">
<?php echo lang_get( 'save_login' ) ?>
@@ -147,7 +150,11 @@
<input type="checkbox" name="perm_login" <?php echo ( $f_perm_login ? 'checked="checked" ' : '' ) ?>/>
</td>
</tr>
<?php if ( $t_session_validation ) { ?>
<?php
}

if ( $t_session_validation ) {
?>
<tr class="row-2">
<td class="category">
<?php echo lang_get( 'secure_session' ) ?>
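Review bot: the `if( ON == config_get( 'allow_permanent_cookie' ) )` opened in the previous hunk is closed here, and the secure_session row keeps its hard-coded `class="row-2"`. With the save_login `row-1` row omitted, check that two rows of the same class do not end up adjacent; computing the class with helper_alternate_class(), as bug_update_advanced_page.php does in this same change, would avoid the uneven shading.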