base repository: mantisbt/mantisbt
base: ddec728
head repository: mantisbt/mantisbt
compare: 627aa07
  • 4 commits
  • 5 files changed
  • 1 contributor

Commits on Mar 31, 2012

  1. Fix #4465: Add config to disable 'save login' feature

    To increase security, the administrator may want to prevent users from
    using a 'permanent' cookie, thus forcing them to authenticate each time
    they start a new session.
    
    The new config option 'g_allow_permanent_cookie' enables this.
    
    Porting to master branch of the following 1.2.x commits:
    - 5698617
    - 6a9f3a8
    - 568ee14
    dregad committed Mar 31, 2012

    766a7d3
  2. Documentation for new config $g_allow_permanent_cookie

    Affects #4465
    dregad committed Mar 31, 2012

    843b73c
  3. PHPdoc and whitespace fixes in config_defaults_inc.php

    Removed < > around pre in comment for g_wrap_in_preformatted_text,
    causing syntax error when compiling PHPdoc.
    dregad committed Mar 31, 2012

    4eb7dac
  4. 627aa07
Showing with 46 additions and 12 deletions.
  1. +18 −8 config_defaults_inc.php
  2. +11 −2 core/config_api.php
  3. +9 −0 docbook/Admin_Guide/en-US/Configuration.xml
  4. +6 −2 login.php
  5. +2 −0 login_page.php
26 changes: 18 additions & 8 deletions config_defaults_inc.php
@@ -1034,6 +1034,15 @@
*/
$g_cookie_time_length = 30000000;

/**
* Allow users to opt for a 'permanent' cookie when logging in
* Controls the display of the 'Remember my login in this browser' checkbox
* on the login page
* @see $g_cookie_time_length
* @global int $g_allow_permanent_cookie
*/
$g_allow_permanent_cookie = ON;

/**
* minutes to wait before document is stale (in minutes)
* @global int $g_content_expire
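Review bot: the new docblock describes $g_allow_permanent_cookie only as controlling the display of the checkbox; it should also say that a submitted perm_login parameter is ignored when the option is OFF, since the point of the setting is that a user cannot obtain a permanent cookie at all, not merely that the checkbox is hidden. Suggest adding a line such as `* When OFF, the perm_login request parameter is ignored by login.php` and noting that the default (ON) preserves the previous behaviour.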
@@ -1734,9 +1743,9 @@
$g_max_dropdown_length = 40;

/**
* This flag conntrolls whether pre-formatted text (delimited by <pre> tags
* is wrapped to a maximum linelength (defaults to 100 chars in strings_api)
* If turned off, the display may be wide when viewing the text
* This flag controls whether pre-formatted text (delimited by HTML pre tags
* is wrapped to a maximum linelength (defaults to 100 chars in strings_api)
* If turned off, the display may be wide when viewing the text
* @global int $g_wrap_in_preformatted_text
*/
$g_wrap_in_preformatted_text = ON;
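Review bot: the rewritten comment is still missing the closing parenthesis after `HTML pre tags`, and `linelength` should be two words; suggest `* This flag controls whether pre-formatted text (delimited by HTML pre tags)` followed by `* is wrapped to a maximum line length (defaults to 100 chars in strings_api).`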
@@ -3495,9 +3504,9 @@
'?' => 'generic.gif' );

/**
*
*
* Content types which will be overriden when downloading files
*
*
* @global array $g_file_download_content_type_overrides
*/
$g_file_download_content_type_overrides = array (
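Review bot: while this docblock is being touched for whitespace, `overriden` should be `overridden`, and the empty `*` lines above and below the description can be dropped, leaving the single description line followed by the `@global array` tag.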
@@ -4113,9 +4122,10 @@
*/
$g_global_settings = array(
'global_settings', 'admin_checks', 'allow_signup', 'allow_anonymous_login',
'anonymous_account', 'compress_html', 'content_expire', 'cookie_time_length', 'cookie_path',
'cookie_domain', 'cookie_version', 'cookie_prefix', 'string_cookie', 'project_cookie',
'view_all_cookie', 'manage_cookie', 'logout_cookie', 'bug_list_cookie', 'crypto_master_salt',
'anonymous_account', 'compress_html', 'content_expire', 'allow_permanent_cookie',
'cookie_time_length', 'cookie_path', 'cookie_domain', 'cookie_version',
'cookie_prefix', 'string_cookie', 'project_cookie', 'view_all_cookie',
'manage_cookie', 'logout_cookie', 'bug_list_cookie', 'crypto_master_salt',
'custom_headers', 'database_name', 'db_username', 'db_password', 'db_schema', 'db_type',
'db_table_prefix','db_table_suffix', 'display_errors', 'form_security_validation',
'hostname','html_valid_tags', 'html_valid_tags_single_line', 'default_language',
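Review bot: the re-wrapping turns a one-item insertion into a four-line replacement of the cookie-related entries, which makes the change harder to review and to cherry-pick back to 1.2.x; inserting `'allow_permanent_cookie',` on its own line, or at the end of an existing one, would leave the surrounding entries untouched. Keeping the option in $g_global_settings is the right call for a setting meant to tighten authentication.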
13 changes: 11 additions & 2 deletions core/config_api.php
@@ -611,8 +611,17 @@ function config_eval( $p_value, $p_global = false ) {
return $t_value;
}

# list of configuration variable which may expose webserver details and shouldn't be
# exposed to users or webservices
/**
* Defines if a config variable is considered "private"
*
* The purpose of this function is to avoid exposure of potentially
* sensitive or confidential information to users or web services.
* This includes things such as webserver details, paths, usernames and
* passwords, hostnames/IP addresses, etc.
*
* @param string $p_config_var config variable to evaluate
* @return bool
*/
function config_is_private( $p_config_var ) {
switch( $p_config_var ) {
case 'hostname':
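Review bot: `Defines if a config variable is considered "private"` reads oddly for a predicate; `Returns true if the given config variable is considered "private"` matches the `@return bool` tag. The listed categories (webserver details, paths, usernames and passwords, hostnames/IP addresses) are a useful hint, but since the body is a hard-coded `switch`, the docblock should also say that any new sensitive option has to be added to that switch by hand, otherwise it is exposed by default.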
9 changes: 9 additions & 0 deletions docbook/Admin_Guide/en-US/Configuration.xml
@@ -907,6 +907,15 @@
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>$g_allow_permanent_cookie</term>
<listitem>
<para>Allow users to opt for a 'permanent' cookie when logging in.
Controls the display of the 'Remember my login in this browser'
checkbox on the login page. See $g_cookie_time_length.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>$g_wait_time</term>
<listitem>
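Review bot: the new $g_allow_permanent_cookie entry omits the default value and the effect of turning the option off; suggest adding `Default is ON.` and `When OFF, the checkbox is not shown and any perm_login value submitted with the login form is ignored.`, which is what login.php does in this change.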
8 changes: 6 additions & 2 deletions login.php
@@ -44,9 +44,11 @@
require_api( 'session_api.php' );
require_api( 'string_api.php' );

$t_allow_perm_login = ( ON == config_get( 'allow_permanent_cookie' ) );

$f_username = gpc_get_string( 'username', '' );
$f_password = gpc_get_string( 'password', '' );
$f_perm_login = gpc_get_bool( 'perm_login' );
$f_perm_login = $t_allow_perm_login && gpc_get_bool( 'perm_login' );
$t_return = string_url( string_sanitize_url( gpc_get_string( 'return', config_get( 'default_home_page' ) ) ) );
$f_from = gpc_get_string( 'from', '' );
$f_secure_session = gpc_get_bool( 'secure_session', false );
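Review bot: `$f_perm_login = $t_allow_perm_login && gpc_get_bool( 'perm_login' );` is the right place for the check: it enforces the policy on the POSTed value rather than relying on the checkbox being absent from login_page.php, so a crafted request with `perm_login=1` cannot obtain a permanent cookie when the option is OFF. Nit: `$t_allow_perm_login` duplicates the `ON == config_get( 'allow_permanent_cookie' )` test that login_page.php performs inline; a small helper in the auth API would keep the two in sync.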
@@ -64,8 +66,10 @@
} else {
$t_redirect_url = 'login_page.php?return=' . $t_return .
'&error=1&username=' . urlencode( $f_username ) .
'&perm_login=' . ( $f_perm_login ? 1 : 0 ) .
'&secure_session=' . ( $f_secure_session ? 1 : 0 );
if( $t_allow_perm_login ) {
$t_redirect_url .= '&perm_login=' . ( $f_perm_login ? 1 : 0 );
}

if ( HTTP_AUTH == config_get( 'login_method' ) ) {
auth_http_prompt();
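Review bot: the `if( $t_allow_perm_login )` guard around `&perm_login=` is redundant as a security measure, since `$f_perm_login` is already forced to false when the option is OFF; it only keeps a stray `perm_login=0` out of the redirect URL. If it stays, a one-line comment saying so would stop the next reader from assuming the guard carries security weight. The parameter order in the URL also changed (secure_session now precedes perm_login), which is fine because login_page.php reads them by name.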
2 changes: 2 additions & 0 deletions login_page.php
@@ -179,11 +179,13 @@
<span class="input"><input id="password" type="password" name="password" size="32" maxlength="<?php echo auth_get_password_max_size(); ?>" class="<?php echo $t_password_field_autofocus ?>" /></span>
<span class="label-style"></span>
</div>
<?php if( ON == config_get( 'allow_permanent_cookie' ) ) { ?>
<div class="field-container <?php echo helper_alternate_class_no_attribute(); ?>">
<label for="remember-login"><span><?php echo lang_get( 'save_login' ) ?></span></label>
<span class="input"><input id="remember-login" type="checkbox" name="perm_login" <?php echo ( $f_perm_login ? 'checked="checked" ' : '' ) ?>/></span>
<span class="label-style"></span>
</div>
<?php } ?>
<?php if ( $t_session_validation ) { ?>
<div class="field-container <?php echo helper_alternate_class_no_attribute(); ?>">
<label id="secure-session-label" for="secure-session"><span><?php echo lang_get( 'secure_session' ) ?></span></label>
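Review bot: the `<?php if( ON == config_get( 'allow_permanent_cookie' ) ) { ?>` guard hides the field, and the `checked` state still comes from `$f_perm_login`, which is only set when the redirect from login.php includes `perm_login`; that is consistent with the login.php change. Style: the new guard uses `if(` while the existing `<?php if ( $t_session_validation ) { ?>` two lines below uses `if (`; pick one form within the file.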