| *** Quits: micahg (~micah@ubuntu/member/micahg) (Quit: Leaving.) | 00:23 | |
| *** Joins: micahg (~micah@ubuntu/member/micahg) | 00:25 | |
| *** Joins: kirillka (~Miranda@global01.vester.ru) | 00:36 | |
| *** Quits: siebrand (~beis@sm.xs4all.nl) () | 01:39 | |
| *** Joins: moto-moi (~hylke@cara.xs4all.nl) | 01:45 | |
| *** Joins: davidinc (~d5374b30@gateway/web/freenode/x-ilzcjsugljtkbvnh) | 01:52 | |
| *** Joins: davidinc_ (~d5374b30@gateway/web/freenode/x-pdkzbjyjlegfueaz) | 02:07 | |
| *** Quits: davidinc (~d5374b30@gateway/web/freenode/x-ilzcjsugljtkbvnh) (Ping timeout: 248 seconds) | 02:09 | |
| *** Quits: moto-moi (~hylke@cara.xs4all.nl) (Quit: Ex-Chat) | 02:28 | |
| *** Joins: giallu (~giallu@fedora/giallu) | 02:29 | |
| *** Quits: fanno (~Morten@90.184.93.233) (Read error: Connection reset by peer) | 02:33 | |
| *** Quits: chris38 (~chris38@bayle.eu) (Ping timeout: 245 seconds) | 02:39 | |
| *** Joins: Cupez (~Cupez@unaffiliated/cupertino) | 02:40 | |
| *** Joins: chris38 (~chris38@bayle.eu) | 02:41 | |
| *** Quits: micahg (~micah@ubuntu/member/micahg) (Ping timeout: 276 seconds) | 03:50 | |
| *** Quits: davidinc_ (~d5374b30@gateway/web/freenode/x-pdkzbjyjlegfueaz) (Quit: Page closed) | 04:10 | |
| *** Quits: kirillka (~Miranda@global01.vester.ru) (Quit: kirillka) | 04:31 | |
| *** Joins: rolfkleef (~rolf@urtica.xs4all.nl) | 04:55 | |
| *** Joins: moto-moi (~hylke@cara.xs4all.nl) | 05:06 | |
| *** Quits: rolfkleef (~rolf@urtica.xs4all.nl) (Ping timeout: 246 seconds) | 06:42 | |
| *** Joins: rolfkleef (~rolf@82-171-189-12.ip.telfort.nl) | 08:05 | |
| *** Joins: texens (~cb6ef6e6@gateway/web/freenode/x-zkdpsnynrcytamsw) | 08:25 | |
| texens | hi everyone ! | 08:26 |
|---|---|---|
| nuclear_eclipse | howdy | 08:27 |
| texens | I've come across a conceptual problem while working on a open source PHP web application... | 08:29 |
| *** Quits: texens (~cb6ef6e6@gateway/web/freenode/x-zkdpsnynrcytamsw) (Ping timeout: 248 seconds) | 08:33 | |
| *** Joins: texens (~cb6ef6e6@gateway/web/freenode/x-qopofgppuvufbpqs) | 08:44 | |
| texens | sorry, got disconnected | 08:44 |
| dhx_m | please continue :) | 09:01 |
| nuclear_eclipse | texens: I assume you are the one who mailed mantisbt-help regarding attachments? | 09:02 |
| texens | yes :) | 09:03 |
| texens | I thought I should mail it rather than expalin at length on the IRC | 09:03 |
| nuclear_eclipse | the short reply is that we do absolutely nothing | 09:03 |
| texens | oops.. | 09:03 |
| nuclear_eclipse | by default, we store files in the database, but can optionally store them on the filesystem as well | 09:04 |
| texens | despite the fact that it allows one to upload even zip and .php, .js files | 09:04 |
| texens | hmm.. | 09:04 |
| nuclear_eclipse | in the case of putting them in the database, the only option would be to run a scan against the in-memory file before database insertion | 09:04 |
| nuclear_eclipse | if storing on the filesystem, you could technically use a separate process to continually watch for new files in the attachments directory, and immediately scan them as they are added | 09:05 |
| nuclear_eclipse | however, I'm honestly not sure of the security/malware implications or effectiveness of either approach | 09:06 |
| texens | does Mantis have any hooks to call this *separate process* every time a new file is uploaded? | 09:06 |
| nuclear_eclipse | not currently | 09:07 |
| nuclear_eclipse | there have been requests to add plugin hooks around the attachment process, but I haven't yet found a reasonable way to support anything other than very specific usecases with those events, so I haven't implemented anything yet | 09:08 |
| texens | hmm.. I guess it would be a good idea to implement it. what do you say? | 09:08 |
| nuclear_eclipse | texens: we're always happy to accept and review code submissions :) | 09:11 |
| texens | sure, I'd love to volunteer on this one | 09:12 |
| nuclear_eclipse | texens: are you familiar with using Git? | 09:12 |
| texens | I'm well versed with svn, and it shouldn't be hard to learn git. | 09:13 |
| nuclear_eclipse | ok | 09:13 |
| nuclear_eclipse | if you want, you can set up a public repo on git.mantisforge.org that you can push to for sharing your code with other developers | 09:14 |
| nuclear_eclipse | if you need some documentation on using git, there's a small list of references in the online documentation at http://docs.mantisbt.org/master/en/developers/dev.appendix.html#DEV.APPENDIX.GIT | 09:14 |
| texens | thanks :) | 09:16 |
| nuclear_eclipse | regarding Mantis, you'll probably want to get familiar with how the event and plugin systems work; there's some documentation at http://docs.mantisbt.org/master/en/developers/ but the code is the best reference, found in mantisbt/core/event_api.php and mantisbt/core/plugin_api.php | 09:17 |
| texens | does mantis currently save the uploaded files in some sort of vault? | 09:19 |
| texens | vault = directory with strict permissions? | 09:19 |
| nuclear_eclipse | that's configurable; by default they all get stored into a single table in the database, otherwise it's up to the Mantis admin to set up a directory and tell Mantis where to put everything | 09:19 |
| nuclear_eclipse | naturally site admins should be creating a place for attachments outside of the webroot for security reasons, but Mantis won't complain about whatever their choice is | 09:20 |
| dhx_m | texens: I'm of the view that anti-virus is pointless (ie. a blacklisting approach) | 09:21 |
| nuclear_eclipse | dhx_m: let's not get into that debate ;) | 09:21 |
| texens | nuclear_eclipse: it might not be possible for someone with shared hosting, to keep it outside of the webroot | 09:22 |
| dhx_m | nuclear_eclipse: heh ok :) | 09:22 |
| nuclear_eclipse | correct, at which point they should be configuring some sort of .htaccess rules to prevent the files from being accessible through the webserver | 09:22 |
| texens | dhx_m: I guess, I'd like to listen to your justification :) | 09:22 |
| texens | why anit-virus is pointless? | 09:23 |
| * texens is taking a look at file mantis' upload documentation | 09:23 | |
| texens | *mantis' file upload documentation | 09:24 |
| dhx_m | texens: it takes an attacker just a few minutes to adjust their malware/payload to evade anti-virus signatures | 09:25 |
| dhx_m | texens: which makes AV fairly much useless... what makes it BAD is the false positives it introduces, the chance that a vulnerability exists in the AV scanning engine itself and the performance hit you take | 09:26 |
| dhx_m | texens: proper separation of user permissions ("sandboxing") defeats most malware | 09:26 |
| dhx_m | texens: what I'm getting at is the benefits of AV are minimal yet it is expensive for you to use it (cost, performance, administration overheads) | 09:27 |
| dhx_m | texens: your efforts are better spent securing the system in other more productive ways :) | 09:27 |
| texens | dhx_m: but anti-virus would in most cases, help secure the system from the known viurses | 09:28 |
| texens | sure thing, the evil user can tweak the virus to beat the AV | 09:28 |
| texens | but keeping the system totally exposed without any protection would be dangerous | 09:29 |
| texens | I use linux and have zero experience with virus, so I might have misconceptions :) | 09:29 |
| texens | dhm_x, please correct me if I'm wrong | 09:29 |
| dhx_m | you can also keep your system patched and configured with a least-privilege principle to beat the "known" viruses | 09:33 |
| texens | What about this sandboxing technique? I'm not sure, but I'm guessing it refers to stripping the upload directory of write/execute permissions | 09:35 |
| dhx_m | in terms of your email, I'm replying to it now | 09:38 |
| texens | thanks dhx_m :) | 09:40 |
| *** Quits: rolfkleef (~rolf@82-171-189-12.ip.telfort.nl) (Ping timeout: 248 seconds) | 09:43 | |
| *** Quits: giallu (~giallu@fedora/giallu) (Ping timeout: 264 seconds) | 09:44 | |
| *** Joins: daryn (~INTERACT\@rrcs-76-79-4-2.west.biz.rr.com) | 09:50 | |
| *** Joins: rolfkleef (~rolf@82.201.4.144) | 09:55 | |
| texens | dhx_m: could you please give me an brief overview of the sandboxing technique (or maybe a link to some article?) | 10:02 |
| dhx_m | texens: http://en.wikipedia.org/wiki/Principle_of_least_privilege | 10:04 |
| texens | thanks dhx_m :) | 10:05 |
| dhx_m | texens: also a somewhat different method: http://en.wikipedia.org/wiki/Sandbox_%28computer_security%29 | 10:06 |
| *** Quits: daryn (~INTERACT\@rrcs-76-79-4-2.west.biz.rr.com) (Remote host closed the connection) | 10:06 | |
| *** Quits: wolog (~wolog@AOrleans-152-1-19-113.w90-21.abo.wanadoo.fr) (Ping timeout: 268 seconds) | 10:07 | |
| *** Joins: daryn (~INTERACT\@rrcs-76-79-4-2.west.biz.rr.com) | 10:07 | |
| *** Joins: Suicidal_1337 (~3e60ea11@gateway/web/freenode/x-jccjqadgwuncoojk) | 10:16 | |
| Suicidal_1337 | hey folks | 10:17 |
| Suicidal_1337 | i have a mantis question, someone here who can help me | 10:17 |
| dhx_m | possibly... depending on what the question is :) | 10:18 |
| Suicidal_1337 | i have a runing mantis 1.0 and like to go for 1.2. I want to migrate my old topics but i wasnt able to find a sql script to update my old 1.0 database. Is there a possibility to do that | 10:19 |
| *** Joins: giallu (~giallu@fedora/giallu) | 10:20 | |
| *** Joins: wolog (~wolog@AOrleans-152-1-96-219.w90-21.abo.wanadoo.fr) | 10:20 | |
| *** Quits: wolog (~wolog@AOrleans-152-1-96-219.w90-21.abo.wanadoo.fr) (Remote host closed the connection) | 10:23 | |
| Suicidal_1337 | no idea? | 10:26 |
| dhx_m | afaik you can just use the upgrade feature in the 1.2.x installer | 10:27 |
| dhx_m | of course, make backups of your database, files, attachments, etc before attempting anything | 10:27 |
| Suicidal_1337 | with backups it's boring | 10:38 |
| Suicidal_1337 | buuut i tried it | 10:38 |
| Suicidal_1337 | and the database seems to be upgraded without errors, but i'm not able to see the issues in Mantis | 10:39 |
| *** Joins: micahg (~micah@ubuntu/member/micahg) | 10:39 | |
| Suicidal_1337 | wait | 10:40 |
| *** Joins: mantisbt_45800 (~c27e7a16@gateway/web/freenode/x-dpwbnrqptfifecio) | 10:40 | |
| Suicidal_1337 | it works, but i have a problem with the ldap auth... i'm try to fix it... | 10:40 |
| *** Quits: mantisbt_45800 (~c27e7a16@gateway/web/freenode/x-dpwbnrqptfifecio) (Client Quit) | 10:41 | |
| dhx_m | a lot has changed from 1.0 to 1.2 so you'll need to redo your configuration file | 10:43 |
| Suicidal_1337 | i've done the config in 1.2 before the import, so the configuration should be fine. Now i have the Problem with ldap, that my users arn't admins cause in the old Database no ldap was used. Is there an admin user by default which i can use? | 10:45 |
| dhx_m | administrator/root | 10:46 |
| dhx_m | although if you're upgrading, that user may not exist | 10:46 |
| dhx_m | you may need to adjust your database manually to give admin privileges to one of the LDAP user accounts | 10:46 |
| Suicidal_1337 | damn! i'm a hacker! | 10:47 |
| Suicidal_1337 | works | 10:47 |
| Suicidal_1337 | seems like he insert a new row for each ldap user with the reporter rights | 10:49 |
| Suicidal_1337 | nie | 10:49 |
| dhx_m | afaik you have to login each user | 10:49 |
| dhx_m | using LDAP | 10:49 |
| dhx_m | then upgrade their account from within MantisBT user administration | 10:50 |
| Suicidal_1337 | yes seems like that... many thanks for the help | 10:51 |
| dhx_m | np | 10:52 |
| *** Joins: fanno (~Morten@90.184.93.233) | 10:57 | |
| *** Quits: Suicidal_1337 (~3e60ea11@gateway/web/freenode/x-jccjqadgwuncoojk) (Quit: Page closed) | 11:18 | |
| *** Quits: Cupez (~Cupez@unaffiliated/cupertino) (Quit: I give up...) | 11:21 | |
| *** Joins: fanno1 (~Morten@90.184.93.233) | 11:27 | |
| *** Quits: fanno (~Morten@90.184.93.233) (Ping timeout: 245 seconds) | 11:27 | |
| *** Quits: rolfkleef (~rolf@82.201.4.144) (Ping timeout: 245 seconds) | 12:08 | |
| *** Quits: micahg (~micah@ubuntu/member/micahg) (Ping timeout: 276 seconds) | 12:19 | |
| *** Joins: WaltzingAlong (~WaltzingA@dslb-092-074-125-157.pools.arcor-ip.net) | 12:50 | |
| WaltzingAlong | what needs to be done for changes to $g_default_show_changed to take effect? clear out the template cache? how to do that? | 12:51 |
| *** Joins: cobexer (~cobexer@188-23-97-127.adsl.highway.telekom.at) | 13:24 | |
| *** cobexer is now known as \cobexer|away | 13:40 | |
| *** Joins: rolfkleef (~rolf@urtica.xs4all.nl) | 13:47 | |
| *** Quits: rolfkleef (~rolf@urtica.xs4all.nl) (Remote host closed the connection) | 13:47 | |
| *** Joins: micahg (~micah@ubuntu/member/micahg) | 13:52 | |
| *** Quits: texens (~cb6ef6e6@gateway/web/freenode/x-qopofgppuvufbpqs) (Quit: brb) | 13:58 | |
| *** Joins: siebrand (~beis@sm.xs4all.nl) | 14:01 | |
| *** Joins: AzaToth (~azatoth@wikipedia/AzaToth) | 14:13 | |
| paul__ | dhx_m: ping? | 14:53 |
| paul__ | nuclear_eclipse: er, wtf you trying to do???? | 14:54 |
| *** Joins: wolog (~wolog@ASt-Lambert-152-1-37-208.w82-124.abo.wanadoo.fr) | 15:29 | |
| *** Joins: cobexer (~cobexer@188-23-105-33.adsl.highway.telekom.at) | 15:30 | |
| *** Joins: rolfkleef (~rolf@urtica.xs4all.nl) | 15:31 | |
| *** Quits: \cobexer|away (~cobexer@188-23-97-127.adsl.highway.telekom.at) (Ping timeout: 276 seconds) | 15:34 | |
| *** Joins: texens (~cb6ef6e6@gateway/web/freenode/x-huknktealycztuhx) | 16:01 | |
| daryn | paul__ there? | 16:04 |
| *** Quits: WaltzingAlong (~WaltzingA@dslb-092-074-125-157.pools.arcor-ip.net) (Remote host closed the connection) | 16:05 | |
| paul__ | lo | 16:46 |
| daryn | how do you delete tags on mantisforge ? | 16:47 |
| paul__ | dunno | 16:52 |
| paul__ | heh | 16:52 |
| paul__ | within your repo? | 16:52 |
| paul__ | so basically how do you delete tags from within git? | 16:52 |
| daryn | well, i added them from the web interface somehow | 16:53 |
| daryn | stray keystrokes or something | 16:53 |
| daryn | so they are part of my repo? | 16:53 |
| nuclear_eclipse | paul__: daryn is talking about the gitweb tagging of repos that allows you to group similar repos by a tag name | 17:00 |
| nuclear_eclipse | btw paul__, would love it if you could drop the mibbit.git and savedtext.git repos from there ;) | 17:01 |
| daryn | nuclear_eclipse what do we need to do for the jquery changes you made? | 17:04 |
| daryn | for $() where it's not in ready | 17:04 |
| *** Quits: daryn (~INTERACT\@rrcs-76-79-4-2.west.biz.rr.com) (Quit: daryn) | 17:51 | |
| paul__ | nuclear_eclipse: gonna be working on mantis over next 10 days hopefully | 17:57 |
| *** Quits: moto-moi (~hylke@cara.xs4all.nl) (Quit: Ex-Chat) | 18:23 | |
| *** texens is now known as texens|away | 18:39 | |
| *** Quits: cobexer (~cobexer@188-23-105-33.adsl.highway.telekom.at) (Read error: Connection reset by peer) | 18:48 | |
| *** Quits: micahg (~micah@ubuntu/member/micahg) (Ping timeout: 248 seconds) | 19:05 | |
| *** Quits: fanno1 (~Morten@90.184.93.233) (Quit: Leaving.) | 19:17 | |
| *** Quits: scribe9343423 (~scribe934@mantisforge.org) (Remote host closed the connection) | 20:00 | |
| *** Joins: scribe9343423 (~scribe934@mantisforge.org) | 20:00 | |
| *** Quits: rolfkleef (~rolf@urtica.xs4all.nl) (Ping timeout: 246 seconds) | 20:08 | |
| *** Quits: AzaToth (~azatoth@wikipedia/AzaToth) (Remote host closed the connection) | 21:34 | |
| *** Joins: pabelanger_ (~pabelange@CPE004010100002-CM00159a090f12.cpe.net.cable.rogers.com) | 21:51 | |
| pabelanger_ | Hi all. I was curious if there was an API to allow users to upload files (.txt) directly to an existing issue. as an attachment? | 21:52 |
| *** Quits: pabelanger_ (~pabelange@CPE004010100002-CM00159a090f12.cpe.net.cable.rogers.com) (Quit: Leaving) | 22:18 | |
| *** texens|away is now known as texens | 22:56 | |
Generated by irclog2html.py 2.9.2 by Marius Gedminas - find it at mg.pov.lt!