| ../irclogs/#mantishelp.2009-12-06.log | | |
|---|---|---|
| | --- scribe started --- | 00:00 |
| nuclear_eclipse | hi paulr_ | 01:31 |
| nuclear_eclipse | what are you going batty over? | 01:32 |
| dhx_m | hi | 03:42 |
| dhx_m | nuclear_eclipse: he's always like that :p | 03:42 |
| paul__ | morning | 10:46 |
| paul__ | dhx_m: i've got a list :P | 10:46 |
| dhx_m | paul__: hi :) | 10:46 |
| dhx_m | paul__: woohoo :D | 10:46 |
| CIA-21 | Mantisbt: hickseydr * r26e2d3b6259a /core/html_api.php: Fix #11261: XSS in error output as MantisCoreFormatting isn't loaded | 11:50 |
| CIA-21 | Mantisbt: hickseydr master-1.2.x * rca638c79bf6a /core/html_api.php: Fix #11261: XSS in error output as MantisCoreFormatting isn't loaded | 11:50 |
| CIA-21 | Mantisbt: hickseydr * r538717ff083f /core/html_api.php: Add extra sanitisation to html_title() | 11:59 |
| CIA-21 | Mantisbt: hickseydr master-1.2.x * r908a1fb76308 /core/html_api.php: Add extra sanitisation to html_title() | 11:59 |
| CIA-21 | Mantisbt: hickseydr master-1.2.x * rf3d56d77594c /config_defaults_inc.php: Disallow admins from changing _page and _url settings | 12:41 |
| CIA-21 | Mantisbt: hickseydr * r8f95c9e3fb34 /config_defaults_inc.php: Disallow admins from changing _page and _url settings | 12:41 |
| CIA-21 | Mantisbt: hickseydr * ra2ae23486eec /core/print_api.php: Fix #11262: XSS issues in various print_X_option_list functions | 14:56 |
| CIA-21 | Mantisbt: hickseydr master-1.2.x * rce2c32727936 / (lang/strings_english.txt return_dynamic_filters.php): Fix #11263: Refactor and cleanup return_dynamic_filters.php | 14:56 |
| CIA-21 | Mantisbt: hickseydr * rf92e62ecfd9a / (lang/strings_english.txt return_dynamic_filters.php): Fix #11263: Refactor and cleanup return_dynamic_filters.php | 14:56 |
| CIA-21 | Mantisbt: hickseydr master-1.2.x * r21299299e175 /core/print_api.php: Fix #11262: XSS issues in various print_X_option_list functions | 14:56 |
| nuclear_eclipse | dhx_m: what errors would ever trigger before the plugin system is loaded? | 15:12 |
| dhx_m | nuclear_eclipse: I'm not too sure... just going by what I see... maybe plugins are unloaded upon an error? | 15:14 |
| nuclear_eclipse | shouldn't be | 15:18 |
| nuclear_eclipse | and afaik, nothing that loads before the plugin system will generate an error message... | 15:18 |
| dhx_m | hmmm | 15:20 |
| nuclear_eclipse | ie, there would have to be a trigger_error() somewhere between the loading of error_api and the loading of plugin_api, and that's only 4 apis... | 15:20 |
| nuclear_eclipse | helper, db, session, and events apis... | 15:20 |
| nuclear_eclipse | you can see that in core.php's bootstrap | 15:21 |
| nuclear_eclipse | I did a lot of work a while back after adding plugins to rearrange and clean up the bootstrap process to make plugins a) load earlier, and b) reduce the number of incidental API loads from core apis | 15:22 |
| dhx_m | hmm there are a few cases | 15:24 |
| dhx_m | for instance: | 15:24 |
| dhx_m | event_signal() | 15:24 |
| dhx_m | if( !isset( $g_event_cache[$p_name] ) ) { | 15:24 |
| dhx_m | error_parameters( $p_name ); | 15:24 |
| dhx_m | trigger_error( ERROR_EVENT_UNDECLARED, WARNING ); | 15:24 |
| dhx_m | return null; | 15:24 |
| dhx_m | } | 15:24 |
| paul__ | nuclear_eclipse: dhx is just opening can of worms :) | 15:24 |
| nuclear_eclipse | yes, but an event won't be signaled before plugins are loaded... | 15:25 |
| dhx_m | hmmm then I'm not sure | 15:25 |
| dhx_m | all I know is that print_project_menu_bar() had XSS errors and switching from string_display to string_html_specialchars fixed the problem | 15:26 |
| paul__ | and probably introduced another type of error | 15:26 |
| dhx_m | sample URL: http://localhost/mantis/return_dynamic_filters.php?view_type=simple&filter_target=fake | 15:26 |
| dhx_m | where you have a project name containing "<script>alert(60);</script>" | 15:27 |
| dhx_m | try without my patches from today | 15:27 |
| | * nuclear_eclipse is trying | 15:27 |
| dhx_m | ok | 15:27 |
| paul__ | I still think html api should use string_display | 15:28 |
| paul__ | :) | 15:28 |
| nuclear_eclipse | dhx_m: I'm not able to reproduce | 15:28 |
| nuclear_eclipse | oh, mantis stripped the <script> tag from the project name... | 15:28 |
| dhx_m | hmm | 15:29 |
| dhx_m | it doesn't strip it for me on manage_proj_edit_page.php | 15:30 |
| nuclear_eclipse | ok | 15:31 |
| nuclear_eclipse | when creating the project, it stripped it, but not when updating... | 15:31 |
| dhx_m | ok I'll fix that | 15:31 |
| nuclear_eclipse | I still can't reproduce the XSS error though | 15:31 |
| nuclear_eclipse | I get the error, but no alert | 15:31 |
| nuclear_eclipse | but then again | 15:32 |
| nuclear_eclipse | return_dynamic_filters doesn't output the project name anywhere... | 15:32 |
| dhx_m | yeah but the error page should print the horizontal project selector menu? | 15:32 |
| dhx_m | unless you have it disabled? | 15:32 |
| nuclear_eclipse | it doesn't to me... | 15:32 |
| dhx_m | ah | 15:33 |
| dhx_m | let me find the config option | 15:33 |
| nuclear_eclipse | oh, I have all my errors/warnings set to halt... | 15:33 |
| dhx_m | (you may need more than one project) | 15:33 |
| dhx_m | that's good | 15:33 |
| nuclear_eclipse | dhx_m: http://imgur.com/o35NQ.png | 15:33 |
| dhx_m | oh bad page example | 15:34 |
| dhx_m | actually, pick to | 15:34 |
| dhx_m | http://git.mantisbt.org/?p=mantisbt.git;a=commitdiff;h=f92e62ecfd9a6cb25a527eb1418fdf4c6553ae43 | 15:34 |
| dhx_m | that turns the errors into trigger_errors | 15:35 |
| nuclear_eclipse | I still have a hard time believing that you'll find an error message that will trigger before the plugin system is loaded... | 15:35 |
| dhx_m | it could be something else | 15:35 |
| dhx_m | grab the latest git master and revert http://git.mantisbt.org/?p=mantisbt.git;a=commit;h=26e2d3b6259a3f709012615e5bba174911e23043 | 15:35 |
| paul__ | event_signal( 'EVENT_LAYOUT_CONTENT_END' ); | 15:36 |
| | * paul__ wonders | 15:36 |
| paul__ | I think we just need a mantis error page | 15:36 |
| paul__ | that erm | 15:36 |
| paul__ | is more standard :P | 15:36 |
| paul__ | i.e. doesn't do plugin/rss and sorts of stuff | 15:36 |
| dhx_m | yeah | 15:36 |
| paul__ | so i'm partly thinking about pulling it out of html api atm | 15:38 |
| nuclear_eclipse | dhx_m: I'm just wondering what the potential downfall is of never calling string_display in some places.... | 15:38 |
| paul__ | some of the string_displays we've added, I didn't realise were needed | 15:38 |
| paul__ | also | 15:38 |
| | * paul__ slaps nuclear_eclipse with a brick | 15:38 |
| | * nuclear_eclipse breaks paul__'s knees | 15:39 |
| paul__ | dhx_m: have you fixed john's bug yet? | 15:39 |
| dhx_m | hmmm now I can't even reproduce it | 15:39 |
| dhx_m | let me check | 15:39 |
| nuclear_eclipse | what bug? | 15:39 |
| paul__ | 15:36 < dhx_m> grab the latest git master and revert http://git.mantisbt.org/?p=mantisbt.git;a=commit;h=26e2d3b6259a3f709012615e5bba174911e23043 | 15:40 |
| paul__ | can we just revert that? | 15:40 |
| paul__ | and fix it another way if the error page is an issue | 15:40 |
| dhx_m | I'm checking | 15:42 |
| nuclear_eclipse | I gotta go get some breakfast | 15:43 |
| nuclear_eclipse | cheers | 15:43 |
| dhx_m | nuclear_eclipse: I can reproduce it again in a different place | 15:52 |
| dhx_m | click "Update" at the bottom of manage_plugin_page.php | 15:52 |
| dhx_m | when you have ON == config_get( 'show_project_menu_bar' ) | 15:52 |
| dhx_m | my menu bar looks like: | 15:53 |
| dhx_m | All Projects \| TestA<script>alert(52);</script>: 1.1<script>alert(57);</script>: 1.1.1 \| TestB | 15:53 |
| dhx_m | and I get an alert popup for both 52 and 57 | 15:54 |
| dhx_m | I reset my local copy to Siebrand's last commit 964915c9db27702a4a42eb10117539350e9e4e02 | 15:54 |
| dhx_m | the projects in other words are "TestA<script>alert(52);</script>" | 15:55 |
| dhx_m | and under that, a subproject "1.1<script>alert(57);</script>" | 15:55 |
| dhx_m | paul__: the dynamic filter bug is fixed now AFAIK :) | 15:59 |
| paul__ | :) | 16:04 |
| paul__ | i'll check in a bit | 16:04 |
| paul__ | i've had to disable wincache for php | 16:04 |
| paul__ | i.e. MS's cache | 16:04 |
| dhx_m | ok well I've gtg for now | 16:04 |
| dhx_m | ah | 16:04 |
| paul__ | kk | 16:04 |
| dhx_m | let me know if there are any more things to fix | 16:04 |
| dhx_m | I already know about the redirection thingy | 16:04 |
| paul__ | well | 16:04 |
| paul__ | there's 300 things in the file | 16:04 |
| paul__ | but some are like yea | 16:05 |
| paul__ | dupes/nonissues | 16:05 |
| dhx_m | email maybe? | 16:05 |
| dhx_m | ah ok | 16:05 |
| dhx_m | well either way, cya later :) | 16:05 |
| nuclear_eclipse | dhx_m: | 16:11 |
| nuclear_eclipse | the spot you mention is because plugins are specifically disabled when updating their priorities, etc, but I can't remember exactly why I made that change... | 16:12 |
| nuclear_eclipse | but considering that the only people who can set project names are admins, I don't think we should be modifying where we use string_display because of that... | 16:14 |
| nuclear_eclipse | xss prevention really only needs to worry about what untrusted users can do... | 16:15 |
| nuclear_eclipse | if you can't trust your admin, there's nothing you can do to protect the app or its users | 16:16 |