Tuesday, 2010-08-03

../irclogs/#mantishelp.2010-08-03.log
00:00 --- scribe started ---
06:39 <davidinc> Who is responsible for preparing and arranging the docbook for mantisbt????
06:39 <davidinc> hi
07:28 <davidinc> nuclear_eclipse: Hi
07:49 <thefake> hi there, i've a question about the roadmap, specially versions: How to remove the release date "Scheduled For Release" like the Mantis Project did at its own installation, do i really have to edit the source by my own?
07:56 <thefake> found it in an old ticket :) $g_show_roadmap_dates = OFF;
07:56 <thefake> thx for
07:56 <thefake> audience ;)
10:08 <samtuke> hi, as I recall there used to be a feature allowing documents to be added to a mantis install, allowing users to view them. I can't see this link or configuration option in 1.2.1, has it been deprecated, or how do I use it? I'm referring to the old 'project documentation'
10:10 <samtuke> has this been moved to a plugin?
10:15 <dhx_m> it's still built in
10:16 <dhx_m> but it doesn't get used much by MantisBT users so it could be buggy/non-functional at the moment
10:16 <dhx_m> it's a prime candidate for being cut out into a separate plugin
10:16 <dhx_m> see config_defaults_inc.php for settings that control this feature on/off, etc
10:16 <samtuke> hmm, why was it removed, seems like a simple and useful feature?
10:18 <samtuke> thanks, I've found it there
10:18 <dhx_m> it's not removed
10:18 <samtuke> I'll re-enable it and see what happens
10:18 <dhx_m> yep
10:18 <samtuke> OK, I mean, why was it disabled and not maintained
10:18 <dhx_m> it's disabled by default like a lot of MantisBT features
10:19 <dhx_m> and it's "not maintained" in the sense that few people (especially developers) seem to use the feature
10:24 <samtuke> OK, thanks for the info :)
11:34 <nuclear_eclipse> davidinc: hi
11:34 <davidinc> nuclear_eclipse: hi
11:35 <nuclear_eclipse> I wrote almost everything in the developer guide, but the admin guide is more or less a conversion of the old 1.0.x and 1.1.x manuals, and nobody is officially in charge of maintaining them... =\
11:40 <davidinc> ok
11:44 <dhx_m> I heard there is an opening for "Official MantisBT Documentation Maintainer" with davidinc's name written all over it :p
11:44 <nuclear_eclipse> lol
11:44 * nuclear_eclipse shakes davidinc's hand
11:45 <dhx_m> ... by force? :p
11:45 <davidinc> no pro
11:45 <davidinc> cool
11:45 <nuclear_eclipse> dammit man, think of the *children*!
11:46 <nuclear_eclipse> just imagine all those classrooms full of innocent kids, crying because our manual is out of date... *you* can change that...
11:47 <davidinc> *YOU* mean dhx_m
11:48 <dhx_m> lol
11:48 <davidinc> lol
11:48 <nuclear_eclipse> it was an all-inclusive "you"; I don't care who it is as long as it isn't me.. ;)
12:07 <LFH_SPA> Hello
12:07 <LFH_SPA> I am new in the mantis world
12:08 <LFH_SPA> and I am facing some problems when i try to install it with SQL server
12:08 <LFH_SPA> I am getting the following error: Database query failed. Error received from database was #206: Conflicto de tipos de operandos: int es incompatible con text for the query: INSERT INTO mantis_config_table
12:09 <LFH_SPA> I had applied the patches specified in http://www.mantisbt.org/bugs/view.php?id=10742
12:09 <LFH_SPA> but they didn't help
12:11 <LFH_SPA> the ecosystem is: Win XP, PHP 5.2, SQL Server 2005, Mantis 1.2.2
12:11 <paulr> dhx_m: yours :P
12:12 <dhx_m> paulr: yours :P get the Moodle DB layer working already :p
12:14 <dhx_m> LFH_SPA: we have known issues with database upgrades when using MS SQL (perhaps other database types too) due to inconsistencies between database server SQL implementations
12:14 <paulr> dhx_m: ahh I was gonna ask you about that
12:14 <dhx_m> LFH_SPA: I suggest upgrading to 1.2.0, then 1.2.1 then 1.2.2 (don't skip versions)?
12:14 <paulr> dhx_m: if we write our own layer based on the moodle code, it wouldn't be GPL right?
12:15 <dhx_m> LFH_SPA: AFAIK I broke things in 1.2.1 by dropping some of our custom ADOdb hacks (hence why paulr palmed off this issue to me!)... I am ideally trying to get those patches accepted upstream where they belong
12:16 <dhx_m> paulr: I suspect not... depending on just how much it is based
12:17 <paulr> do we need to support db2?
12:18 <dhx_m> do any developers use it? if not, then no... as no one will have any interest in maintaining that support
12:18 <dhx_m> if a DB2 user wants to help maintain DB2 support then they can always add that support later
12:18 <dhx_m> IMO anyway ;)
12:19 <LFH_SPA> I am not upgrading
12:19 <LFH_SPA> it's a brand new installation
12:20 <dhx_m> brand new database? :o
12:20 <LFH_SPA> DHX_M: What should I do? Install the 1.2.0 version?
12:20 <dhx_m> probably, yes
12:20 <dhx_m> then upgrade 1.2.0 to 1.2.2
12:20 <dhx_m> at least until we fix things up
12:20 <LFH_SPA> ok
12:20 <LFH_SPA> thanks for your help
12:21 <LFH_SPA> I will do it and let you know
12:21 <dhx_m> no problem, let me know how you go
12:22 <LFH_SPA> by the way
12:22 <LFH_SPA> where is the 1.2.0 version available
12:23 <dhx_m> sourceforge should have it
12:23 <LFH_SPA> I took a look and the 1.2.2 is the only stable one available
12:23 <LFH_SPA> ok
12:24 <LFH_SPA> ok
12:24 <LFH_SPA> thanks
12:24 <LFH_SPA> bye
12:25 <dhx_m> sounds like you have to go urgently? cya
13:22 <nkj> hi everyone
13:22 <nkj> i just setup v1.2.2 on my server
13:22 <nkj> however, i'm having trouble getting any new accounts created.
13:23 <nkj> everytime i get the new account link (to set the password for the first time) after filling out the form I get the error #2800
13:23 <nkj> "Invalid form security token. Did you submit the form twice by accident?"
13:23 <nkj> which I didn't
13:24 <nkj> same thing happens when I try to submit the 'lost password' form, i enter my username and email address, and click submit - and get the error #2800
13:25 <nkj> seems to be happening with any form submission at all
13:26 <nkj> i don't see any errors in the apache log files
13:26 <nkj> does anyone have any ideas as to what this might be?
13:27 <nkj> searching on google has come up with no relevant, up to date, info on the problem
13:27 <nkj> apparently people have had similar issues, but nothing related to simply trying to activate an account in the first place.
13:28 <nkj> and most issues i found on google were reported & fixed/resolved on the 1.1.x branch up to 2 years ago.
13:28 <nkj> which makes me think this has got to be a configuration issue, just not sure where to start looking.
13:29 <nkj> as I'm not sure how mantisBT decides that error #2800 is what it should display
13:30 <nkj> i could reverse engineer it, but my time is very limited and so I thought I'd ask for help/advice/tips/clues here first.
13:33 <nuclear_eclipse> nkj: is there a proxy server between your machine and the mantis server?
13:34 <nkj> nuclear_eclipse: the server is on the rackspace cloud, but i dont think there is any proxying going on
13:35 <nuclear_eclipse> nkj: ah, it sounds like the servers aren't correctly sharing your session data
13:35 <nkj> nuclear_eclipse: i had the default ubuntu package installed first (1.1.8 i believe) but removed it and installed 1.2.2 from tarball.
13:36 <nkj> the ubuntu package seemed to work fine.
13:36 <nkj> nuclear_eclipse: so far, it's just running on one server
13:36 <nuclear_eclipse> oh
13:36 <nkj> the dev server is solo
13:37 <nuclear_eclipse> well, you can disable form security protection, but do note that it opens a potential attack vector against administrators: http://en.wikipedia.org/wiki/Cross-site_request_forgery
13:37 <nuclear_eclipse> ubuntu may have disabled it by default, or maybe they are using a patched version of 1.1.x of some sort
13:39 <nkj> nuclear_eclipse: that exploit is only possible from an already trusted user, correct?
13:39 <nuclear_eclipse> no
13:39 <nkj> from someone with no account at all?
13:39 <nkj> ah
13:40 <nkj> i think i get it
13:40 <nkj> hmm, well - i will have the site protected behind http auth as well
13:40 <nkj> so i think it should be ok
13:40 <nuclear_eclipse> a malicious person could post an <img> tag on a site that points to some form on your site, and anyone already logged into your site that views that <img> tag could unknowingly submit forms, like creating a new user, etc
13:40 <nkj> right - hijacking the session cookie
13:41 <nuclear_eclipse> nkj: the attack has to be specifically targeted against your site, so private sites at least are obscure enough to have a low chance of attack, but it's still possible
13:41 <nkj> nuclear_eclipse: how do I disable the security protection?
13:42 <nkj> is it g_session_validation?
13:42 <nuclear_eclipse> the main cause for problems with that protection is proxy servers (or even reverse proxy servers) that incorrectly cache pages and serve old versions with stale or invalid CSRF tokens
13:42 <nuclear_eclipse> no
13:42 <nuclear_eclipse> $g_form_security_validation = ON;
13:43 <nkj> ok
13:44 <nkj> nuclear_eclipse: thanks, i'll give it a shot now
13:44 <nuclear_eclipse> I'd imagine that rackspace cloud probably has a reverse proxy in front of their servers that's either ignoring the caching headers we send or something of the sort
13:49 <nkj> that's very possible, this is my first time using them so i don't know how their systems are setup
14:25 <nkj> nuclear_eclipse: that solved the problem, thanks - however now I've got a problem actually setting the new user's password
14:26 <nkj> when I enter the desired password, click submit, i don't get the error, it then redirects to the main login page... when I test the username/password i get the incorrect login error message
14:26 <nkj> "Your account may be disabled or blocked or the username/password you entered is incorrect."
14:26 <nkj> checking in the DB, it looks like the password field for the user was not updated.
14:27 <nuclear_eclipse> hate to say it, but it sounds like whatever underlying issue that caused the form security errors might be causing the same problem with the actual form submissions... =\
14:28 <nkj> hmmm
14:28 <nuclear_eclipse> nkj: is php properly configured to store session data?
14:30 <nkj> nuclear_eclipse: which setting in the php ini is required?
14:32 <nuclear_eclipse> nkj: the entire [session] block (session.*) should be looked over and configured to match your setup
14:32 <nuclear_eclipse> specifically, session.save_path needs to point somewhere that the webserver account has write access to
14:32 <nuclear_eclipse> and session.use_cookies must be enabled
14:33 <nuclear_eclipse> depending on the situation, you may also need to update mantis' configuration options for cookies too
14:37 <nkj> ok i'll give it a look over
15:55 <istvanb> Hi there
15:56 <istvanb> The question I have: is there any company that deals with Mantis support officially?
15:57 <nuclear_eclipse> istvanb: not that I know of
15:58 <istvanb> hmm
15:58 <istvanb> our IT has this concern that what if we have issues, how can we fix without support
15:59 <nuclear_eclipse> istvanb: you can always request help from a mailing list, or you can find the problem and fix it yourself since it's open source...
16:00 <istvanb> oh yeah, I completely agree with you. On the other hand I understand the concerns of the IT as well, since if we have a major problem it would be nice to have a phone number where we can ask for help (and pay for them as well:)
16:02 <nuclear_eclipse> istvanb: this is the best I can offer: http://www.mantisbt.org/consulting.php
16:02 <istvanb> I have dropped a mail there 2 weeks ago when I went for vacation, but received no response :(
16:03 <nuclear_eclipse> istvanb: I'm not sure where that mail goes to, so I unfortunately can't help you there
16:04 <istvanb> :)
16:04 <istvanb> it's ok
16:05 <istvanb> I am not really concerned about this, however for sure it would be great to have something like that!
16:05 <nuclear_eclipse> yeah, I agree
16:16 <paulr> istvanb: you can pay me for support
16:17 <paulr> if anything breaks
16:17 <paulr> i'll hit nuclear_eclipse on irc until he fixes it
16:17 <nuclear_eclipse> paulr: good luck, I already have a busy enough life... :P
16:19 <istvanb> haha :)
16:19 <istvanb> funny mate :)
16:19 <istvanb> my plan is to introduce Mantis, screw it then quit and make a support company :)
16:20 <istvanb> now I gotta go, but ttys guys
17:08 <mantisbt_46530> hi
19:36 <Shakra> dhx_z: are you around today?
19:37 <Shakra> I may have found another bug in bug_update.php.
20:02 <paulr> he's sleeping
20:02 <paulr> :)
20:15 <Shakra> ok no problem :) do you know when he's normally up and about?
20:53 <nuclear_eclipse> Shakra: he lives in Australia :P
21:18 <paulr> he said he won't be in tomorrow
21:19 <paulr> so probably in 30 hours from now
22:26 <killefiz> giallu: is there a reason (except lack of time) why you haven't updated mantis in fedora to 1.2.x yet?
22:28 <nuclear_eclipse> tsk tsk giallu, falling behind!
22:33 <giallu> killefiz, well. IIRC 1.2.0 was not that good and 1.2.1 had its share of issues as well (but yes, I also lacked time) ;)
22:34 <giallu> now we have CVE-2010-2802
22:34 <nuclear_eclipse> giallu: it's called bleeding edge for a reason ;0
22:34 <giallu> nuclear_eclipse, well, no, 1.2.0 was supposed to be stable
22:34 <giallu> master is bleeding edge...
22:35 <nuclear_eclipse> tis a joke buddy
22:35 <giallu> oh sorry ;)
22:35 <nuclear_eclipse> if we had kept 1.2.0 in the wings any longer it would have been born with grey hair and a wheelchair
22:36 <giallu> anyway john, I also don't like to push 1.2 on older Fedora releases because of the manual steps involved
22:36 <nuclear_eclipse> oh, I understand
22:36 <giallu> but, I'd probably bite the bullet if we don't have a fix for the CVE
22:36 <nuclear_eclipse> packaging is difficult with all the restrictions distros put in place...
22:36 <nuclear_eclipse> giallu: btw, how the hell do CVEs get created/reported?
22:37 <giallu> not sure, I just get notified by Red Hat/Fedora security team
22:37 <giallu> nuclear_eclipse, do you have a point for the commit fixing the issue?
22:37 <giallu> pointer even
22:38 <nuclear_eclipse> hmm, sec
22:38 <nuclear_eclipse> giallu: it's related to bug 11952
22:38 <foobot> Bug 11952 - dhx - fixed - closed
22:38 <foobot> Arbitrary inline attachment rendering could lead to cross-domain scripting or other browser attacks - http://www.mantisbt.org/bugs/view.php?id=11952
22:39 <nuclear_eclipse> giallu: http://git.mantisbt.org/?p=mantisbt.git;a=commitdiff;h=618f45ac57a45854fa96bcfd79f9f44dcdfcfab3
22:39 <giallu> anyway: http://seclists.org/oss-sec/2010/q3/136
22:40 <giallu> let's see, isn't fileinfo based detection only in 1.2.x?
22:41 <nuclear_eclipse> I dunno, ask dhx :P
22:41 <giallu> asking google instead...
22:42 <nuclear_eclipse> he said he apparently got a request from Red Hat to backport the issue to 1.1.x, so my guess is that it affects that too
22:44 <giallu> uhm, I'm pretty sure FileInfo based detection was added later
22:45 <giallu> and google agrees with me. now I'd need a 1.2.1 instance to test
22:46 <nuclear_eclipse> giallu: you can use my tracker at http://leetcode.net/mantis if you'd like...
22:46 <nuclear_eclipse> I haven't gotten around to pulling the latest from git
22:47 <killefiz> giallu: ok - let me know if you need any help with the update
22:48 <killefiz> I guess at least rawhide and probably f14 should be moved to 1.2.2
22:48 <giallu> killefiz, ok, I also prepared a semi decent spec with unbundled libs, but the transition to git is slowing me down a bit (need to learn the new workflow)
22:50 <killefiz> i haven't pushed any update with git yet either but it looks like being able to merge between releases is going to be a huge timesaver in the future
22:51 <nuclear_eclipse> giallu: that actually looks really nifty
22:51 <nuclear_eclipse> gitolite is also pretty nifty
22:51 <nuclear_eclipse> tempted to try and set that up on our git server at work
22:54 <giallu> http://git.mantisbt.org/?p=mantisbt.git;a=commit;h=d85822de161fcede76fa54ce1f8081135387e8a5
22:56 <giallu> killefiz, well. I was always trying to keep branches in sync by copying the spec file. not sure if it will be faster
22:56 <giallu> anyway
23:05 <paulr> nuclear_eclipse: gitolite ?
23:13 <giallu> nuclear_eclipse, you don't enable showing of uploaded images right?
23:20 <paulr> giallu
23:20 <paulr> <nuclear_eclipse> he said he apparently got a request from Red Hat to backport the issue to 1.1.x, so my guess is that it affects that too
23:20 <paulr> do we still support 1.1?
23:20 <giallu> irrelevant
23:20 <giallu> at least in this context
23:20 <paulr> mm, ok
23:21 <giallu> but I did not hear anything on the topic from other mantis devs
23:21 <giallu> traditionally we stopped support of older stable releases
23:21 <giallu> albeit with git it should be a bit easier to backport selected stuff
23:21 <paulr> pretty sure dhx (as opposed to nuclear_eclipse) has said he'd like to move to a different version numbering scheme
23:22 <paulr> even with git
23:22 <paulr> historically there's been so much churn in source, you've got no chance :)
23:23 <giallu> I'm not opposed to changes, just tell him to throw the proposal on the dev-list for those who can't be here all the time ;)
23:23 <nuclear_eclipse> paulr: gitolite is a repo/acl management system for git that supposedly allows you to have fine grained ACL setups similar to what you get with SVN
23:24 <nuclear_eclipse> Fedora has adopted it for their package development workflow
23:24 <giallu> anyone with an IE handy?
23:24 <paulr> giallu: I think in principle, it was along lines of just use year.month for release or whatever
23:24 * paulr has IE
23:24 <paulr> nuclear_eclipse: ahh
23:25 <giallu> paulr, can you click on the attachment here: http://leetcode.net/mantis/view.php?id=170
23:25 <nuclear_eclipse> paulr: I've told debian/ubuntu people that we'd at least support major security issues in 1.1.x
23:25 <nuclear_eclipse> I also told them we might not make a full release of it, but we'd at least accept patches into our repo
23:26 <giallu> paulr, what happens with IE there?
23:26 <paulr> it offers me a file download of a 48-byte file
23:27 * paulr loads fiddler
23:27 <paulr> i'll just give you the headers
23:27 <nuclear_eclipse> giallu: if you need me to modify config somehow, let me know
23:28 <paulr> X-Content-Type-Options: nosniff
23:28 <paulr> Content-Disposition: filename="html_in_disguise.gif"
23:28 <nuclear_eclipse> I think it's pretty much default configs for the most part
23:28 <paulr> that's got the x-content header in
23:28 <giallu> uhm
23:28 <giallu> nuclear_eclipse, did you upgrade the tracker to 1.2.2?
23:29 <giallu> I'm not sure what I should be looking at right now...
23:30 <nuclear_eclipse> ohh..
23:30 <nuclear_eclipse> I forgot just how long that patch has been around...
23:30 <nuclear_eclipse> lemme checkout 1.2.1 for the site real quick
23:30 <paulr> http://bugs.mantisforge.org/file_download.php?file_id=1&type=bug
23:31 <nuclear_eclipse> ok, it's at 1.2.1 now
23:31 <paulr> Content-Type: image/gif
23:31 <paulr> Content-Disposition: filename="html_in_disguise.gif"
23:31 <paulr> IE just displays the text for me
23:31 <paulr> no javascript alert
23:32 <paulr> maybe you need <html> etc at top of file
23:32 <nuclear_eclipse> paulr: it's only when you view the img inline in the page
23:32 <nuclear_eclipse> going through file_download.php can't trigger it
23:33 <paulr> http://bugs.mantisforge.org/view.php?id=1
23:33 <paulr> isn't that what that does?
23:34 <paulr> <img alt="" style="border: 0; max-height:250px;" src="file_download.php?file_id=1&amp;type=bug" />
23:34 <paulr> although that might be older than dhx's initial changes
23:35 <nuclear_eclipse> try again on my tracker, I checked out release-1.2.1 on it
23:36 <paulr> url
23:36 <nuclear_eclipse> http://leetcode.net/mantis/view.php?id=170
23:36 <paulr> not getting a popup
23:36 <paulr> ahh
23:36 <paulr> do when i go to download the file
23:36 <paulr> so i'd be inclined to think
23:37 <paulr> that dhx broke it
23:37 <paulr> then fixed
23:37 <paulr> so it might be ok prior to 1.2.1
23:37 <paulr> or prior to 1.2.0
23:37 <paulr> can you checkout 1.2.0 onto it?
23:37 <giallu> nuclear_eclipse, paulr thanks for checking
23:37 <nuclear_eclipse> does it only happen to IE?
23:37 <nuclear_eclipse> or will Chrome repro it too?
23:37 <giallu> nuclear_eclipse, yeah FF looks ok
23:38 <giallu> dunno, I've chrome only on windows
23:38 <giallu> will check tomorrow
23:38 <giallu> now I need some sleep...
23:38 <giallu> bye
23:38 <nuclear_eclipse> because if I can reproduce it, I can use git-bisect to figure out exactly where it "broke"
23:38 <nuclear_eclipse> cya giallu
23:38 <giallu> nuclear_eclipse, have a look at the commit I linked before
23:39 <paulr> nuclear_eclipse: I can probably tell you that ;p
23:39 <nuclear_eclipse> giallu: that was a merge commit?
23:39 <giallu> september 8, 2009
23:39 <giallu> yeah merge a finfo branch
23:39 <nuclear_eclipse> oh, that's when that feature first went in?
23:40 <giallu> guess so
23:40 <giallu> try a checkout of the previous commit
23:41 <nuclear_eclipse> it's checked out on my tracker now
23:41 <paulr> think I need sleep too
23:42 <nuclear_eclipse> I just got the JS popup on that, but didn't with 1.2.1 checked out
23:42 <nuclear_eclipse> giallu: ping me tomorrow and I'll help you work this all out
