authorPeter Volkov <pva@gentoo.org>2008-09-29 07:00:22 +0000
committerPeter Volkov <pva@gentoo.org>2008-09-29 07:00:22 +0000
commit7ec5ec3aea3c99a2a4394754f5f80d7b8543c8c4 (patch)
tree16a0b4fc56447023af2dcb537e788b42631e519a /www-apps/mantisbt/files
parentUnmasking mediawiki-1.13.0 as broken ebuild was removed from the tree. (diff)
Pushing fixes from svn; should fix security issue #238570, thanks to Robert Buchholz for the report. Remove old.
Package-Manager: portage-2.2_rc11/cvs/Linux 2.6.26-gentoo-r1 i686
Diffstat (limited to 'www-apps/mantisbt/files')
-rw-r--r--www-apps/mantisbt/files/mantisbt-1.0.8-avoid-XS-type-in-schema.php.patch87
-rw-r--r--www-apps/mantisbt/files/mantisbt-1.0.8-avoid-XSS-in-file_api.php.patch13
-rw-r--r--www-apps/mantisbt/files/mantisbt-1.1.2-svn-5369:5587.patch319
3 files changed, 319 insertions, 100 deletions
diff --git a/www-apps/mantisbt/files/mantisbt-1.0.8-avoid-XS-type-in-schema.php.patch b/www-apps/mantisbt/files/mantisbt-1.0.8-avoid-XS-type-in-schema.php.patch
deleted file mode 100644
index 1957db63b009..000000000000
--- a/www-apps/mantisbt/files/mantisbt-1.0.8-avoid-XS-type-in-schema.php.patch
+++ /dev/null
@@ -1,87 +0,0 @@
---- admin/schema.php.orig 2007-08-12 09:51:24.000000000 +0400
-+++ admin/schema.php 2007-08-12 09:53:25.000000000 +0400
-@@ -26,7 +26,7 @@
- user_id I DEFAULT '0' PRIMARY,
- access_reqd I DEFAULT '0',
- type I DEFAULT '90',
-- value XS NOTNULL",
-+ value XL NOTNULL",
- Array('mysql' => 'TYPE=MyISAM', 'pgsql' => 'WITHOUT OIDS')));
- $upgrade[] = Array('CreateIndexSQL',Array('idx_config',config_get('mantis_config_table'),'config_id'));
-
-@@ -108,9 +108,9 @@
-
- $upgrade[] = Array('CreateTableSQL',Array(config_get('mantis_bug_text_table'),"
- id I PRIMARY UNSIGNED NOTNULL AUTOINCREMENT,
-- description XS NOTNULL,
-- steps_to_reproduce XS NOTNULL,
-- additional_information XS NOTNULL
-+ description XL NOTNULL,
-+ steps_to_reproduce XL NOTNULL,
-+ additional_information XL NOTNULL
- ",Array('mysql' => 'TYPE=MyISAM', 'pgsql' => 'WITHOUT OIDS')));
-
- $upgrade[] = Array('CreateTableSQL',Array(config_get('mantis_bugnote_table'),"
-@@ -129,7 +129,7 @@
-
- $upgrade[] = Array('CreateTableSQL',Array(config_get('mantis_bugnote_text_table'),"
- id I UNSIGNED NOTNULL PRIMARY AUTOINCREMENT,
-- note XS NOTNULL
-+ note XL NOTNULL
- ",Array('mysql' => 'TYPE=MyISAM', 'pgsql' => 'WITHOUT OIDS')));
-
- $upgrade[] = Array('CreateTableSQL',Array(config_get('mantis_custom_field_project_table'),"
-@@ -174,7 +174,7 @@
- project_id I NOTNULL DEFAULT '0',
- is_public L DEFAULT NULL,
- name C(64) NOTNULL DEFAULT \" '' \",
-- filter_string XS NOTNULL
-+ filter_string XL NOTNULL
- ",Array('mysql' => 'TYPE=MyISAM', 'pgsql' => 'WITHOUT OIDS')));
-
- $upgrade[] = Array('CreateTableSQL',Array(config_get('mantis_news_table'),"
-@@ -186,7 +186,7 @@
- view_state I2 NOTNULL DEFAULT '10',
- announcement L NOTNULL DEFAULT '0',
- headline C(64) NOTNULL DEFAULT \" '' \",
-- body XS NOTNULL
-+ body XL NOTNULL
- ",Array('mysql' => 'TYPE=MyISAM', 'pgsql' => 'WITHOUT OIDS')));
-
- $upgrade[] = Array('CreateTableSQL',Array(config_get('mantis_project_category_table'),"
-@@ -222,7 +222,7 @@
- view_state I2 NOTNULL DEFAULT '10',
- access_min I2 NOTNULL DEFAULT '10',
- file_path C(250) NOTNULL DEFAULT \" '' \",
-- description XS NOTNULL
-+ description XL NOTNULL
- ",Array('mysql' => 'TYPE=MyISAM', 'pgsql' => 'WITHOUT OIDS')));
- $upgrade[] = Array('CreateIndexSQL',Array('idx_project_id',config_get('mantis_project_table'),'id'));
- $upgrade[] = Array('CreateIndexSQL',Array('idx_project_name',config_get('mantis_project_table'),'name',Array('UNIQUE')));
-@@ -240,7 +240,7 @@
- project_id I UNSIGNED NOTNULL DEFAULT '0',
- version C(64) NOTNULL DEFAULT \" '' \",
- date_order T NOTNULL DEFAULT '1970-01-01 00:00:01',
-- description XS NOTNULL,
-+ description XL NOTNULL,
- released L NOTNULL DEFAULT '1'
- ",Array('mysql' => 'TYPE=MyISAM', 'pgsql' => 'WITHOUT OIDS')));
- $upgrade[] = Array('CreateIndexSQL',Array('idx_project_version',config_get('mantis_project_version_table'),'project_id,version',Array('UNIQUE')));
-@@ -265,7 +265,7 @@
- type I NOTNULL,
- timestamp T NOTNULL,
- expiry T,
-- value XS NOTNULL",
-+ value XL NOTNULL",
- Array('mysql' => 'TYPE=MyISAM', 'pgsql' => 'WITHOUT OIDS')));
-
- $upgrade[] = Array('CreateTableSQL',Array(config_get('mantis_user_pref_table'),"
-@@ -313,7 +313,7 @@
- platform C(32) NOTNULL DEFAULT \" '' \",
- os C(32) NOTNULL DEFAULT \" '' \",
- os_build C(32) NOTNULL DEFAULT \" '' \",
-- description XS NOTNULL
-+ description XL NOTNULL
- ",Array('mysql' => 'TYPE=MyISAM', 'pgsql' => 'WITHOUT OIDS')));
-
- $upgrade[] = Array('CreateTableSQL',Array(config_get('mantis_user_table'),"
diff --git a/www-apps/mantisbt/files/mantisbt-1.0.8-avoid-XSS-in-file_api.php.patch b/www-apps/mantisbt/files/mantisbt-1.0.8-avoid-XSS-in-file_api.php.patch
deleted file mode 100644
index 274d9692fc1e..000000000000
--- a/www-apps/mantisbt/files/mantisbt-1.0.8-avoid-XSS-in-file_api.php.patch
+++ /dev/null
@@ -1,13 +0,0 @@
-Index: core/file_api.php
-===================================================================
---- core/file_api.php (リビジョン 4833)
-+++ core/file_api.php (作業コピー)
-@@ -163,7 +163,7 @@
- $row = $t_attachment_rows[$i];
- extract( $row, EXTR_PREFIX_ALL, 'v' );
-
-- $t_file_display_name = file_get_display_name( $v_filename );
-+ $t_file_display_name = string_html_specialchars( file_get_display_name( $v_filename ) );
- $t_filesize = number_format( $v_filesize );
- $t_date_added = date( config_get( 'normal_date_format' ), db_unixtimestamp( $v_date_added ) );
-
diff --git a/www-apps/mantisbt/files/mantisbt-1.1.2-svn-5369:5587.patch b/www-apps/mantisbt/files/mantisbt-1.1.2-svn-5369:5587.patch
new file mode 100644
index 000000000000..5ef56e5fc727
--- /dev/null
+++ b/www-apps/mantisbt/files/mantisbt-1.1.2-svn-5369:5587.patch
@@ -0,0 +1,319 @@
+Index: doc/ChangeLog
+===================================================================
+--- doc/ChangeLog (revision 5369)
++++ doc/ChangeLog (revision 5587)
+@@ -2,6 +2,8 @@
+
+ 2008.06.17 - 1.1.2
+ ====================
++This release focused on fixing few security issues; also includes assorted fixes for translations, usability and compatibility (most notably, with postgres) and a nasty memory leak on the string API causing incomplete rendering of pages. All users are advised to upgrade.
++
+ - 0008974: [security] XSS Vulnerability in filters (thraxisp) - closed.
+ - 0008975: [security] CSRF Vulnerabilities in user_create (jreese) - closed.
+ - 0008976: [security] Remote Code Execution in adm_config (giallu) - closed.
+Index: config_defaults_inc.php
+===================================================================
+--- config_defaults_inc.php (revision 5369)
++++ config_defaults_inc.php (revision 5587)
+@@ -149,6 +149,9 @@
+ # 'memcached' -> Memcached storage sessions
+ $g_session_handler = 'php';
+
++ # Session save path. If false, uses default value as set by session handler.
++ $g_session_save_path = false;
++
+ #############################
+ # Configuration Settings
+ #############################
+@@ -1938,4 +1941,4 @@
+
+ # The twitter account password.
+ $g_twitter_password = '';
+-?>
++
+Index: bug_graph_bystatus.php
+===================================================================
+--- bug_graph_bystatus.php (revision 5369)
++++ bug_graph_bystatus.php (revision 5587)
+@@ -148,6 +148,8 @@
+ }
+
+ ksort($t_view_status);
++ $t_label_string = lang_get('orct'); //use the (open/resolved/closed/total) label
++ $t_label_strings = explode('/', substr($t_label_string, 1, strlen($t_label_string)-2));
+
+ // add headers for table
+ if ($f_show_as_table) {
+@@ -159,9 +161,9 @@
+ html_body_begin();
+ echo '<table class="width100"><tr><td></td>';
+ if ($f_summary) {
+- echo '<th>' . lang_get_defaulted('open') . '</th>';
+- echo '<th>' . lang_get_defaulted('resolved') . '</th>';
+- echo '<th>' . lang_get_defaulted('closed') . '</th>';
++ echo '<th>' . $t_label_strings[0] . '</th>';
++ echo '<th>' . $t_label_strings[1] . '</th>';
++ echo '<th>' . $t_label_strings[2] . '</th>';
+ } else {
+ foreach ( $t_view_status as $t_status => $t_label ) {
+ echo '<th>'.$t_label.' ('.$t_status.')</th>';
+@@ -176,9 +178,9 @@
+ $t_labels = array();
+ $i = 0;
+ if ($f_summary) {
+- $t_labels[++$i] = lang_get_defaulted('open');
+- $t_labels[++$i] = lang_get_defaulted('resolved');
+- $t_labels[++$i] = lang_get_defaulted('closed');
++ $t_labels[++$i] = $t_label_strings[0];
++ $t_labels[++$i] = $t_label_strings[1];
++ $t_labels[++$i] = $t_label_strings[2];
+ } else {
+ foreach ( $t_view_status as $t_status => $t_label ) {
+ $t_labels[++$i] = isset($t_status_labels[$t_status]) ? $t_status_labels[$t_status] : lang_get_defaulted($t_label);
+@@ -228,6 +230,6 @@
+ html_body_end();
+ html_end();
+ } else {
+- graph_bydate( $t_metrics, $t_labels, lang_get( 'by_category' ), $f_width, $f_width * $t_ar );
++ graph_bydate( $t_metrics, $t_labels, lang_get( 'by_status' ), $f_width, $f_width * $t_ar );
+ }
+ ?>
+\ No newline at end of file
+Index: manage_user_prune.php
+===================================================================
+--- manage_user_prune.php (revision 5369)
++++ manage_user_prune.php (revision 5587)
+@@ -1,4 +1,4 @@
+-2<?php
++<?php
+ # Mantis - a php based bugtracking system
+
+ # Copyright (C) 2000 - 2002 Kenzaburo Ito - kenito@300baud.org
+Index: manage_proj_edit_page.php
+===================================================================
+--- manage_proj_edit_page.php (revision 5369)
++++ manage_proj_edit_page.php (revision 5587)
+@@ -527,7 +527,8 @@
+ <td class="center">
+ <?php
+ # You need global permissions to edit custom field defs
+- print_button( "manage_proj_custom_field_remove.php?field_id={$t_field_id}&amp;project_id={$f_project_id}", lang_get( 'remove_link' ) );
++ $t_remove_token = form_security_param( 'manage_proj_custom_field_remove' );
++ print_button( "manage_proj_custom_field_remove.php?field_id={$t_field_id}&amp;project_id={$f_project_id}$t_remove_token", lang_get( 'remove_link' ) );
+ ?>
+ </td>
+ </tr>
+Index: core/bug_api.php
+===================================================================
+--- core/bug_api.php (revision 5369)
++++ core/bug_api.php (revision 5587)
+@@ -1264,9 +1264,6 @@
+ # the relationship type is already set. Nothing to do
+ }
+ else if ( $t_id_relationship > 0 ) {
+- # there is already a relationship between them -> we have to update it and not to add a new one
+- helper_ensure_confirmed( lang_get( 'replace_relationship_sure_msg' ), lang_get( 'replace_relationship_button' ) );
+-
+ # Update the relationship
+ relationship_update( $t_id_relationship, $p_bug_id, $p_duplicate_id, BUG_DUPLICATE );
+
+Index: core/print_api.php
+===================================================================
+--- core/print_api.php (revision 5369)
++++ core/print_api.php (revision 5587)
+@@ -304,7 +304,7 @@
+ ?>
+ <input type="hidden" id="tag_separator" value="<?php echo config_get( 'tag_separator' ) ?>" />
+ <input type="text" name="tag_string" id="tag_string" size="40" value="<?php echo string_attribute( $p_string ) ?>" />
+- <select <?php echo helper_get_tab_index() ?> name="tag_select" id="tag_select">
++ <select <?php echo helper_get_tab_index() ?> name="tag_select" id="tag_select" onchange="tag_string_append( this.options[ this.selectedIndex ].text );">
+ <?php print_tag_option_list( $p_bug_id ); ?>
+ </select>
+ <?php
+@@ -334,7 +334,7 @@
+
+ echo '<option value="0">',lang_get( 'tag_existing' ),'</option>';
+ while ( $row = db_fetch_array( $result ) ) {
+- echo '<option value="',$row['id'],'" onclick="tag_string_append(\'',$row['name'],'\')">',$row['name'],'</option>';
++ echo '<option value="',$row['id'],'">',$row['name'],'</option>';
+ }
+ }
+
+Index: core/user_api.php
+===================================================================
+--- core/user_api.php (revision 5369)
++++ core/user_api.php (revision 5587)
+@@ -655,10 +655,22 @@
+ } else {
+ $t_default_image = config_get( 'default_avatar' );
+ $t_size = 80;
+- $t_avatar_url = "http://www.gravatar.com/avatar.php?gravatar_id=" . md5( $t_email ) .
+- "&amp;default=" . urlencode( $t_default_image ) .
+- "&amp;size=" . $t_size .
+- "&amp;rating=G";
++
++ $t_use_ssl = false;
++ if ( isset( $_SERVER['HTTPS'] ) && ( strtolower( $_SERVER['HTTPS'] ) != 'off' ) ) {
++ $t_use_ssl = true;
++ }
++
++ if ( !$t_use_ssl ) {
++ $t_gravatar_domain = 'http://www.gravatar.com/';
++ } else {
++ $t_gravatar_domain = 'https://secure.gravatar.com/';
++ }
++
++ $t_avatar_url = $t_gravatar_domain . 'avatar.php?gravatar_id=' . md5( $t_email ) .
++ '&amp;default=' . urlencode( $t_default_image ) .
++ '&amp;size=' . $t_size .
++ '&amp;rating=G';
+ $t_result = array( $t_avatar_url, $t_size, $t_size );
+ }
+
+Index: core/bugnote_api.php
+===================================================================
+--- core/bugnote_api.php (revision 5369)
++++ core/bugnote_api.php (revision 5587)
+@@ -99,7 +99,7 @@
+ # Add a bugnote to a bug
+ #
+ # return the ID of the new bugnote
+- function bugnote_add ( $p_bug_id, $p_bugnote_text, $p_time_tracking = '0:00', $p_private = false, $p_type = 0, $p_attr = '', $p_user_id = null ) {
++ function bugnote_add ( $p_bug_id, $p_bugnote_text, $p_time_tracking = '0:00', $p_private = false, $p_type = 0, $p_attr = '', $p_user_id = null, $p_send_email = TRUE ) {
+ $c_bug_id = db_prepare_int( $p_bug_id );
+ $c_bugnote_text = db_prepare_string( $p_bugnote_text );
+ $c_time_tracking = db_prepare_time( $p_time_tracking );
+Index: core/session_api.php
+===================================================================
+--- core/session_api.php (revision 5369)
++++ core/session_api.php (revision 5587)
+@@ -49,6 +49,15 @@
+ */
+ class MantisPHPSession extends MantisSession {
+ function __construct() {
++ $t_session_save_path = config_get_global( 'session_save_path' );
++ if ( $t_session_save_path ) {
++ session_save_path( $t_session_save_path );
++ }
++
++ session_cache_limiter( 'private_no_expire' );
++ if ( isset( $_SERVER['HTTPS'] ) && ( strtolower( $_SERVER['HTTPS'] ) != 'off' ) ) {
++ session_set_cookie_params( 0, config_get( 'cookie_path' ), config_get( 'cookie_domain' ), true, true );
++ }
+ session_start();
+ $this->id = session_id();
+ }
+Index: core/string_api.php
+===================================================================
+--- core/string_api.php (revision 5369)
++++ core/string_api.php (revision 5587)
+@@ -306,7 +306,7 @@
+ if ( !isset( $string_process_bug_link_callback[$p_include_anchor][$p_detail_info][$p_fqdn] ) ) {
+ if ($p_include_anchor) {
+ $string_process_bug_link_callback[$p_include_anchor][$p_detail_info][$p_fqdn] = create_function('$p_array','
+- if (bug_exists( (int)$p_array[2] ) ) {
++ if ( bug_exists( (int)$p_array[2] ) && access_has_bug_level( VIEWER, (int)$p_array[2] ) ) {
+ return $p_array[1] . string_get_bug_view_link( (int)$p_array[2], null, ' . ($p_detail_info ? 'true' : 'false') . ', ' . ($p_fqdn ? 'true' : 'false') . ');
+ } else {
+ return $p_array[0];
+Index: bug_update.php
+===================================================================
+--- bug_update.php (revision 5369)
++++ bug_update.php (revision 5587)
+@@ -31,8 +31,6 @@
+ require_once( $t_core_path.'bugnote_api.php' );
+ require_once( $t_core_path.'custom_field_api.php' );
+
+- form_security_validate( 'bug_update' );
+-
+ $f_bug_id = gpc_get_int( 'bug_id' );
+ $f_update_mode = gpc_get_bool( 'update_mode', FALSE ); # set if called from generic update page
+ $f_new_status = gpc_get_int( 'status', bug_get_field( $f_bug_id, 'status' ) );
+@@ -140,6 +138,8 @@
+ }
+ }
+
++ form_security_validate( 'bug_update' );
++
+ $t_notify = true;
+ $t_bug_note_set = false;
+ if ( ( $t_old_bug_status != $t_bug_data->status ) && ( FALSE == $f_update_mode ) ) {
+Index: manage_config_work_threshold_page.php
+===================================================================
+--- manage_config_work_threshold_page.php (revision 5369)
++++ manage_config_work_threshold_page.php (revision 5587)
+@@ -322,6 +322,7 @@
+
+ if ( $t_show_submit && ( 0 < count( $t_overrides ) ) ) {
+ echo "<div class=\"right\"><form name=\"threshold_config_action\" method=\"post\" action=\"manage_config_revert.php\">\n";
++ echo form_security_field( 'manage_config_revert' );
+ echo "<input name=\"revert\" type=\"hidden\" value=\"" . implode( ',', $t_overrides ) . "\"></input>";
+ echo "<input name=\"project\" type=\"hidden\" value=\"$t_project_id\"></input>";
+ echo "<input name=\"return\" type=\"hidden\" value=\"" . $_SERVER['PHP_SELF'] ."\"></input>";
+Index: adm_config_set.php
+===================================================================
+--- adm_config_set.php (revision 5369)
++++ adm_config_set.php (revision 5587)
+@@ -81,7 +81,7 @@
+ # 2. simple arrays with the form: array( a, b, c, d )
+ # 3. associative arrays with the form: array( a=>1, b=>2, c=>3, d=>4 )
+ $t_full_string = trim( $f_value );
+- if ( preg_match('/array\((.*)\)/', $t_full_string, $t_match ) === 1 ) {
++ if ( preg_match('/array[\s]*\((.*)\)/', $t_full_string, $t_match ) === 1 ) {
+ // we have an array here
+ $t_values = split( ',', trim( $t_match[1] ) );
+ foreach ( $t_values as $key => $value ) {
+Index: roadmap_page.php
+===================================================================
+--- roadmap_page.php (revision 5369)
++++ roadmap_page.php (revision 5587)
+@@ -195,7 +195,7 @@
+ $t_issue_id = $t_issue_ids[$k];
+ $t_issue_parent = $t_issue_parents[$k];
+
+- if ( in_array( $t_issue_id, $t_cycle_ids ) || in_array( $t_parent_id, $t_cycle_ids ) ) {
++ if ( in_array( $t_issue_id, $t_cycle_ids ) || in_array( $t_issue_parent, $t_cycle_ids ) ) {
+ $t_cycle = true;
+ } else {
+ $t_cycle = false;
+Index: core.php
+===================================================================
+--- core.php (revision 5369)
++++ core.php (revision 5587)
+@@ -144,15 +144,33 @@
+ # OPENED ANYWHERE ELSE.
+ require_once( $t_core_path.'database_api.php' );
+
++ # Basic browser detection
++ $t_user_agent = $_SERVER['HTTP_USER_AGENT'];
++
++ $t_browser_name = 'Normal';
++ if ( strpos( $t_user_agent, 'MSIE' ) ) {
++ $t_browser_name = 'IE';
++ }
++
+ # Headers to prevent caching
+ # with option to bypass if running from script
+ global $g_bypass_headers, $g_allow_browser_cache;
+ if ( !isset( $g_bypass_headers ) && !headers_sent() ) {
+- if ( ! isset( $g_allow_browser_cache ) ) {
+- header( 'Pragma: no-cache' );
++
++ if ( isset( $g_allow_browser_cache ) ) {
++ switch ( $t_browser_name ) {
++ case 'IE':
++ header( 'Cache-Control: private, proxy-revalidate' );
++ break;
++ default:
++ header( 'Cache-Control: private, must-revalidate' );
++ break;
++ }
++
++ } else {
+ header( 'Cache-Control: no-store, no-cache, must-revalidate' );
+- header( 'Cache-Control: post-check=0, pre-check=0', false );
+ }
++
+ header( 'Expires: ' . gmdate( 'D, d M Y H:i:s \G\M\T', time() ) );
+
+ # SEND USER-DEFINED HEADERS