| ../irclogs/#mantishelp.2009-06-29.log | | |
|---|---|---|
| --- scribe started --- | 00:00 | |
| mantisbot | New bug: Bug 10637 - krejcim - open - new | 07:41 |
| mantisbot | New bug: Option Attach Tags in View Issues page - http://www.mantisbt.org/bugs/view.php?id=10637 | 07:41 |
| mantisbot | New bug: Bug 10638 - krejcim - open - new | 08:01 |
| mantisbot | New bug: Units of file size can not translate - http://www.mantisbt.org/bugs/view.php?id=10638 | 08:01 |
| mantisbot | New bug: Bug 10639 - krejcim - open - new | 08:21 |
| mantisbot | New bug: Inserting and displaying news - http://www.mantisbt.org/bugs/view.php?id=10639 | 08:21 |
| mantisbot | New bug: Bug 10640 - krejcim - open - new | 08:21 |
| mantisbot | New bug: Assign Project Documentation file to project - http://www.mantisbt.org/bugs/view.php?id=10640 | 08:21 |
| mantisbot | New bug: Bug 10641 - krejcim - open - new | 08:31 |
| mantisbot | New bug: Wrong interpretation of break line characters - http://www.mantisbt.org/bugs/view.php?id=10641 | 08:31 |
| dhx_m | we're under attack! | 08:39 |
| mantisbot | New bug: Bug 10642 - Buga - open - new | 08:41 |
| mantisbot | New bug: Get time tracking information raises Application error 200 - http://www.mantisbt.org/bugs/view.php?id=10642 | 08:41 |
| mantisbot | New bug: Bug 10643 - krejcim - open - new | 08:41 |
| mantisbot | New bug: Format of bug ID - http://www.mantisbt.org/bugs/view.php?id=10643 | 08:41 |
| Heady| | Hi, I just upgraded my test system to mantis 1.2rc. When I add new tickets, line breaks in text area fields are missing in the bug reports. Notes still work as expected. Any idea what's wrong here? | 08:47 |
| mantisbot | New bug: Bug 10644 - krejcim - open - new | 08:51 |
| mantisbot | New bug: Date filters with international format - http://www.mantisbt.org/bugs/view.php?id=10644 | 08:51 |
| dhx_m | Heady|: hi | 08:58 |
| Heady| | hi | 09:01 |
| dhx_m | Heady|: I'll test that out | 09:02 |
| Heady| | The mantisbt tracker doesn't have this problem | 09:02 |
| Heady| | I upgraded from 1.1.1 | 09:02 |
| dhx_m | line breaks work fine for me in the description field | 09:04 |
| dhx_m | what locale/language do you use? | 09:04 |
| dhx_m | also which browser? | 09:04 |
| Heady| | german | 09:10 |
| Heady| | and ie 7 | 09:10 |
| Heady| | i will test in firefox | 09:10 |
| Heady| | same for ff | 09:12 |
| Heady| | when I want to update the ticket the linebreaks in the text area are still there but in the normal view all linebreaks are erased. | 09:13 |
| dhx_m | so if you had 4 blank lines, they'd show as one when viewing the bug? | 09:13 |
| Heady| | jep | 09:13 |
| Heady| | test | 09:14 |
| dhx_m | are you able to view the source of the html | 09:14 |
| Heady| | yes | 09:14 |
| dhx_m | and find out if there is a <br /> for the line break? | 09:14 |
| Heady| | no br | 09:15 |
| Heady| | <textarea tabindex="10" cols="80" rows="10" name="description">test | 09:15 |
| Heady| | test | 09:15 |
| Heady| | test</textarea> | 09:15 |
| dhx_m | I think we're talking about different things now | 09:15 |
| Heady| | the linebreaks are in the html but without br | 09:15 |
| Heady| | are we? | 09:15 |
| dhx_m | textarea (a white box) is where you edit the bug | 09:15 |
| Heady| | you mean the php file? | 09:15 |
| dhx_m | whereas I was thinking that you were referring to view.php where you can see the text as if it were any other normal webpage | 09:16 |
| Heady| | oh my fault | 09:16 |
| Heady| | i checked the wrong page and simply copied the past without noticing this | 09:16 |
| dhx_m | so you click on the edit/update issue button and get a description field without blank lines? | 09:16 |
| Heady| | <td colspan="5"> | 09:17 |
| Heady| | test | 09:17 |
| Heady| | test | 09:17 |
| Heady| | test</td> | 09:17 |
| Heady| | that's the one you asked for | 09:17 |
| dhx_m | yeah that looks better | 09:17 |
| dhx_m | for view.php? | 09:17 |
| Heady| | yes | 09:17 |
| dhx_m | hmm it seems you might be on to something here | 09:19 |
| dhx_m | nope... was just me | 09:20 |
| Heady| | it's quite strange that the notes still have the line breaks | 09:20 |
| dhx_m | hmm | 09:21 |
| dhx_m | I can't reproduce this | 09:22 |
| dhx_m | let me try setting the language to German | 09:22 |
| Heady| | hopefully you can set it back with german language :D | 09:23 |
| dhx_m | I'm just using a test install so I don't mind deleting the whole database if it breaks :) | 09:23 |
| Heady| | I tried it with English language and got the same behaviour | 09:26 |
| Heady| | hmm sorry but I have to leave now I will try to come back to irc in 15-20 minutes | 09:27 |
| Heady| | hi dhx_m | 09:45 |
| Heady| | any progress ? | 09:45 |
| dhx_m | I'm not sure where to start | 09:46 |
| dhx_m | what database do you use? | 09:46 |
| Heady| | mysql | 09:50 |
| Heady| | unix platform | 09:51 |
| dhx_m | does it affect both the simple and advanced view pages? | 09:54 |
| Heady|| | back | 09:54 |
| dhx_m | ok | 09:55 |
| dhx_m | does it affect both the simple and advanced view pages? | 09:55 |
| Heady| | yes both views | 10:02 |
| Heady| | ok I have to correct myself :D It only appears in the simple view | 10:12 |
| Heady| | in the advanced view the line breaks are there | 10:12 |
| ihmSelbst | hi all | 11:52 |
| ihmSelbst | how can i link issues? When i click on "View Issues" i can see "P", "ID", "#" and others.. Is it possible to add an automatic numeration in "#" so i can link from other tickets? | 11:55 |
| ihmSelbst | nobody can help me? | 11:58 |
| nuclear_eclipse | good morning dhx_m :P | 12:43 |
| dhx_m | hi :) | 12:44 |
| dhx_m | nuclear_eclipse: we got a barrage of bug reports before :o | 13:21 |
| mantisbot | New bug: Bug 10645 - darthmal - open - new | 13:43 |
| mantisbot | New bug: ok - http://www.mantisbt.org/bugs/view.php?id=10645 | 13:43 |
| dhx_m | sniped | 13:44 |
| nuclear_eclipse | dhx_m: I noticed | 13:44 |
| dhx_m | haha got to be quick :p | 13:44 |
| dhx_m | nuclear_eclipse: do you have any thoughts on the possibility of changing CSRF to store all required information with the form that is sent | 13:54 |
| dhx_m | nuclear_eclipse: rather than keep a server/client state | 13:54 |
| dhx_m | nuclear_eclipse: ie. use a secret hashed with a nonce, etc | 13:55 |
| dhx_m | nuclear_eclipse: it wouldn't be single use I guess | 13:55 |
| dhx_m | but I'm not sure that matters? | 13:55 |
| Heady|| | you got any idea about my problem dhx_m? The mantisbt tracker doesn't use the simple view so perhaps the bug is there too? | 13:55 |
| dhx_m | Heady||: have you customised config_inc or any of the custom_ files much? | 13:56 |
| Heady|| | define much ;) I checked it and found no options linked to this problem | 13:57 |
| dhx_m | I'm not too sure what part of Mantis converts linebreaks to <br /> | 13:58 |
| dhx_m | I imagine it is done before sending to the client each time | 13:58 |
| Heady|| | I think that the whole storing process is ok | 13:58 |
| Heady|| | but the rendering when I open the page fails | 13:58 |
| dhx_m | well you can check if you know how to access your database manually? | 13:59 |
| Heady|| | I planned to compare the code for simple and advanced view tomorrow | 13:59 |
| dhx_m | simple view doesn't work... advanced view does? | 13:59 |
| Heady|| | sure I know but as I can see the linebreaks in the advanced mode I am sure they are there :D | 13:59 |
| Heady|| | yes | 13:59 |
| dhx_m | ohhh that helps | 13:59 |
| dhx_m | let me see | 13:59 |
| Heady|| | Also I see them when I want to edit | 13:59 |
| dhx_m | ok | 13:59 |
| Heady|| | so there must be a diff between these 2 files | 14:00 |
| Heady|| | atm I don't have time to check it but i will do this tomorrow or wednesday | 14:00 |
| dhx_m | there is a difference | 14:00 |
| dhx_m | one uses string_display_line_links... the other uses string_display_links | 14:00 |
| Heady|| | hmm question is why ;) | 14:01 |
| Heady|| | looks like a bug or | 14:01 |
| dhx_m | I'm checking it now | 14:01 |
| Heady|| | i guess string_display_line_links is for advanced | 14:02 |
| dhx_m | other way actually | 14:02 |
| Heady|| | ok:D | 14:02 |
| Heady|| | perhaps the second one is for normal input fields and someone mixed them up | 14:03 |
| dhx_m | yep I think so | 14:03 |
| dhx_m | it's interesting that I can't reproduce | 14:03 |
| Heady|| | you have the rc? | 14:03 |
| Heady|| | or nightly build | 14:03 |
| dhx_m | actually I can reproduce | 14:04 |
| dhx_m | :) | 14:04 |
| dhx_m | this'll be an easy fix | 14:04 |
| dhx_m | thanks for reporting :) | 14:04 |
| Heady|| | :) | 14:04 |
| Heady|| | will there be a new rc version? | 14:04 |
| Heady|| | or do I only have to replace one file | 14:04 |
| dhx_m | the part that made it easy for me to understand was when you said advanced = ok, simple = not ok | 14:04 |
| dhx_m | just one file | 14:04 |
| dhx_m | but yeah, there'll be another release soon | 14:05 |
| dhx_m | or you can pull the latest copy from git.mantisbt.org | 14:05 |
| Heady|| | I also reported a bug about time tracking | 14:05 |
| Heady|| | http://www.mantisbt.org/bugs/view.php?id=10642 | 14:06 |
| Heady|| | just as info :D | 14:06 |
| dhx_m | thanks I'll look at that too | 14:07 |
| Heady|| | Just read the whole config today and found these new options. my company asked often for that feature | 14:08 |
| dhx_m | which options? :) | 14:09 |
| dhx_m | time tracking? | 14:09 |
| Heady|| | yes | 14:10 |
| Heady|| | before we used mantis 1.1.1 so it's new for me :D | 14:10 |
| dhx_m | ah I see :) | 14:10 |
| dhx_m | I use the inbuilt time tracking as well | 14:10 |
| dhx_m | nuclear_eclipse has an alternative at git.mantisforge.org as a plugin | 14:11 |
| dhx_m | in my case I was already using the built in one so couldn't be bothered switching :p | 14:11 |
| Heady|| | will check that | 14:11 |
| Heady|| | btw are there any docs for the provided plugins? for example I tested 2-3 times to import issues with the export/import plugin | 14:13 |
| Heady|| | but i don't know what the file should look like | 14:13 |
| mantisbot | New bug: Bug 10646 - dhx - open - assigned | 14:13 |
| mantisbot | New bug: Simple view shows description, additional info, steps to reproduce as single lines of text only - http://www.mantisbt.org/bugs/view.php?id=10646 | 14:13 |
| CIA-18 | Mantisbt: hickseydr * r37171c8c5c83 /bug_view_page.php: Fix #10646: description printed as single line | 14:17 |
| CIA-18 | Mantisbt: hickseydr master-1.2.x * rf78881980d4d /bug_view_page.php: Fix #10646: description printed as single line | 14:19 |
| dhx_m | all fixed thanks... you can grab the latest 1.2.x version at http://git.mantisbt.org/?p=mantisbt.git;a=snapshot;h=master-1.2.x;sf=tgz | 14:19 |
| dhx_m | I'm not too sure about plugin docs | 14:19 |
| dhx_m | check out docbook/developers/en/plugins.sgml | 14:20 |
| Heady|| | you changed more than one file? | 14:21 |
| dhx_m | we have a development branch (1.3.x) as well as the soon-to-be-stable branch (1.2.x) | 14:21 |
| dhx_m | hence the two commits | 14:21 |
| Heady|| | ok will check this later. don't have access from here to my mantis :D | 14:21 |
| Heady|| | any new features planned for 1.3? | 14:22 |
| dhx_m | the best place to be watching is http://git.mantisbt.org/?p=mantisbt.git;a=shortlog;h=refs/heads/master | 14:24 |
| dhx_m | and: http://www.mantisbt.org/bugs/roadmap_page.php | 14:24 |
| dhx_m | it's a bit early to say what will happen yet :) | 14:25 |
| Heady|| | :D I just waited for 1.2 for the plugin system | 14:27 |
| nuclear_eclipse | dhx_m: biggest problem I see with your method is that losing the randomness makes it easier to attack | 14:28 |
| dhx_m | nuclear_eclipse: that is why you have the nonce... that is your randomness :) | 14:28 |
| dhx_m | nuclear_eclipse: the form would have two fields: "nonce=xzfhouweyf8972y9r32ho" and "key=sapiwsfjiwpefjwpieruj" | 14:29 |
| nuclear_eclipse | you're not catching my drift - if the client has all of the info about how the hash is formed, anyone can forge a request with the appropriate pieces of the hash | 14:29 |
| dhx_m | nuclear_eclipse: the key is calculated by the server to be hash(nonce+form_type+userid+whatever_the_server_knows) | 14:30 |
| dhx_m | sorry... the server has a secret too | 14:30 |
| dhx_m | that only the server knows | 14:30 |
| nuclear_eclipse | isn't that what the token is? :P | 14:30 |
| dhx_m | yep but not single use | 14:30 |
| dhx_m | at the moment the server has to remember lots of forms in session data | 14:30 |
| dhx_m | I'm not sure that is the best way of doing it, especially with 3 day timeout | 14:31 |
| dhx_m | because once I fix CSRF, we're going to be generating tokens on each bug view page where the user has the ability to edit/close/etc a bug | 14:31 |
| dhx_m | well... for single click actions | 14:31 |
| dhx_m | if there are any | 14:31 |
| nuclear_eclipse | well, if the server is storing some secret, what's the point of the nonce? | 14:31 |
| dhx_m | the ability to set timeouts on forms? | 14:32 |
| dhx_m | not sure why we really need that | 14:32 |
| dhx_m | a lot of CSRF protection just uses the PHP sessionid as the form secret token | 14:33 |
| dhx_m | and then compares it against the actual sessionid | 14:33 |
| dhx_m | if there is a difference, you have been CSRF'd | 14:33 |
| dhx_m | I'd rather the form token be a hash of the session ID though | 14:34 |
| nuclear_eclipse | I have a feeling session id is too vulnerable | 14:34 |
| dhx_m | as the page may be cached somewhere | 14:34 |
| dhx_m | can't we set our own session ID in PHP? | 14:35 |
| nuclear_eclipse | I'd rather ignore session id altogether | 14:35 |
| nuclear_eclipse | yes, but I'd really prefer to touch PHP session stuff as little as possible | 14:35 |
| nuclear_eclipse | however, your idea for using a stateless form validation is at least interesting.... | 14:35 |
| dhx_m | I just think it takes the burden off the server... which is better for scalability | 14:36 |
| dhx_m | and speed... (no looping through a massive list of session hashes to find the right one) | 14:37 |
| nuclear_eclipse | if we used the current form name as a server-side "nonce" + some other server "secret" (somehow), that would allow the form_* interface to remain the same while removing the need for storing all that data in the session... | 14:37 |
| dhx_m | assuming of course that it isn't a hashmap :) | 14:37 |
| dhx_m | yep, it only needs a change to forms_api | 14:37 |
| nuclear_eclipse | my biggest concern is how to get the server secret | 14:38 |
| dhx_m | for crypto reasons I think it may need to be generated separately for each user? | 14:38 |
| nuclear_eclipse | right, that's what worries me :P | 14:39 |
| dhx_m | my main concern is with anonymous users | 14:39 |
| dhx_m | and making sure that doesn't break ;) | 14:39 |
| dhx_m | that is why I suggested PHP session id's in some way | 14:39 |
| dhx_m | because we also need to prevent CSRF for anonymous users who don't have a proper unique user | 14:40 |
| dhx_m | we could also just go the ghetto approach of having a single secret stored in config_inc | 14:41 |
| dhx_m | but then we'd still need to identify anonymous users by some sort of session info when anonymous writing/editing is enabled | 14:42 |
| nuclear_eclipse | well, I don't see how CSRF could ever be an issue for anonymous users... | 14:42 |
| nuclear_eclipse | ie, the whole point of CSRF is to exploit a user's existing credentials/authority with a site to do malicious things -- anonymous users have no credentials or authority in the first place... | 14:42 |
| dhx_m | well a malicious site could get any old anonymous users to mass spam a whole bunch of Mantis installations | 14:42 |
| dhx_m | hence giving the attacker 1000's of IPs to spam from... making it hard to block | 14:43 |
| dhx_m | unless we require human verification from anonymous users on every action... they're going to need CSRF protection | 14:44 |
| nuclear_eclipse | well, right, I didn't mean that we shouldn't have any CSRF protection for anonymous users -- I meant that Mantis treats an anonymous user just the same as any other, so I'm not sure what else we would need to do | 14:44 |
| dhx_m | well we just need to make sure that one anonymous user with a valid session can't farm a whole bunch of tokens | 14:45 |
| dhx_m | and then later use those tokens to launch their CSRF attack | 14:45 |
| nuclear_eclipse | actually, the best thing that I can think of is to auto-generate a single secret string in the user's php session, and use that as the secret | 14:45 |
| dhx_m | yep that'd work fine | 14:45 |
| dhx_m | if we're concerned about the PHP session ID not containing enough entropy | 14:45 |
| nuclear_eclipse | it's not the entropy that worries me about the session id, it's possibilities of session fixation because the id is getting passed around in the clear | 14:46 |
| dhx_m | although I thought we could just set the PHP session ID ourselves via http://au.php.net/manual/en/function.session-id.php | 14:46 |
| nuclear_eclipse | by storing a secret string in the session itself, only the server can ever see/know the secret | 14:46 |
| dhx_m | oh I see | 14:47 |
| dhx_m | my bad heh | 14:47 |
| dhx_m | wasn't thinking :p | 14:47 |
| dhx_m | I'm all for that idea then | 14:47 |
| nuclear_eclipse | the biggest issue is coming up with random-enough data to generate an appropriate secret for each new session | 14:47 |
| nuclear_eclipse | so I'm thinking hash(user_ip + user_id + time) ? | 14:48 |
| dhx_m | all predictable though | 14:48 |
| nuclear_eclipse | right | 14:48 |
| dhx_m | hard to guess still :) | 14:49 |
| dhx_m | I guess the question is whether we actually need a new form token each time | 14:49 |
| dhx_m | seeing as we don't keep any state, I guess there is no point | 14:49 |
| nuclear_eclipse | afk | 14:50 |
| dhx_m | k | 14:50 |
| mantisbot | New bug: Bug 10647 - kc - open - new | 14:58 |
| mantisbot | New bug: Can not close a problem - http://www.mantisbt.org/bugs/view.php?id=10647 | 14:58 |
| mantisbot | New bug: Bug 10648 - LokeshDhingra - open - new | 14:58 |
| mantisbot | New bug: Fab Connect Bug Tracker - http://www.mantisbt.org/bugs/view.php?id=10648 | 14:58 |
| CIA-18 | Mantisbt: hickseydr master-1.2.x * raa047fe3657a / (core/print_api.php lang/strings_english.txt): Fix #10638: allow 'bytes' to be translated | 15:26 |
| CIA-18 | Mantisbt: hickseydr * r5affdcfc3f26 / (core/print_api.php lang/strings_english.txt): Fix #10638: allow 'bytes' to be translated | 15:27 |
| mantisbot | New bug: Bug 10649 - timj - open - new | 15:34 |
| mantisbot | New bug: Adding bug note via SOAP API fails if project has single quotes in name - http://www.mantisbt.org/bugs/view.php?id=10649 | 15:34 |
| Reapazor | so random problem : i have an updater trying to reopen a resolved bug | 15:53 |
| Reapazor | and it's giving him access denied | 15:53 |
| paul_ | moo | 17:31 |
| nuclear_eclipse | howdy | 17:35 |
| nuclear_eclipse | dhx_m: back | 17:35 |
| paul_ | nuclear_eclipse: hows you? | 17:44 |
| nuclear_eclipse | alright | 17:45 |
| paul_ | bugs in 1.1.8 we do what with? | 17:47 |
| nuclear_eclipse | depends on severity | 17:47 |
| paul_ | assign to john | 17:48 |
| nuclear_eclipse | pretty much :P | 17:48 |
| Kirill_Krasnov | hi | 18:27 |
| [KK]Kirill | hi all | 18:28 |
| [KK]Kirill | I can unpack one file from tar-arch without unpacking all files? | 18:28 |
| * [KK]Kirill slaps paul_ around a bit with a large trout | 18:30 | |
| * [KK]Kirill slaps nuclear_eclipse around a bit with a large trout | 18:30 | |
| mantisbot | New bug: Bug 10650 - bpfennig - open - new | 18:35 |
| mantisbot | New bug: Mantis ignore e-mail notification setting for "e-mail on new" in account preferences - http://www.mantisbt.org/bugs/view.php?id=10650 | 18:35 |
| paul_ | anyone got a google voice invite? | 18:49 |
| [KK]Kirill | what? | 18:49 |
| nuclear_eclipse | paul_: wish I did | 19:03 |
| nuclear_eclipse | [KK]Kirill: a quick look through `man tar` doesn't turn up anything saying you can do that | 19:05 |
| [KK]Kirill | nuclear_eclipse: I start unpack all and break when needed file is unpacked | 19:05 |
| [KK]Kirill | nuclear_eclipse: tomorrow release php | 19:20 |
| paul_ | [KK]Kirill: yes | 19:28 |
| paul_ | 5.3.0 | 19:28 |
| Bran | what's a quick way to construct the IssueData data structure used to insert a new issue thru SOAP? | 20:07 |
| escamoteur | Hi, I'm evaluating mantis at the moment. My question is: Is the feature voting already implemented? | 20:56 |
| escamoteur | motd | 21:04 |
| paul_ | not currently | 21:04 |
| escamoteur | that's sad, any idea when this will be the case, or can it be simulated in some way? | 21:07 |
| Bran | does anyone know a page that shows some examples of how to use mantis's SOAP API? | 22:25 |
| nuclear_eclipse | Bran: my best suggestion is to look at Eclipse's Mylyn connector for Mantis | 22:26 |