Monday, 2010-05-17

*** Joins: daryn_ (~daryn@h227.213.31.71.dynamic.ip.windstream.net)00:06
*** Quits: daryn__ (~daryn@h32.145.28.71.dynamic.ip.windstream.net) (Ping timeout: 265 seconds)00:09
*** Joins: kirillka (~Miranda@global01.vester.ru)00:48
*** Quits: siebrand (~beis@sm.xs4all.nl) ()01:30
*** Quits: wolog_ (~wolog@AOrleans-152-1-34-142.w90-21.abo.wanadoo.fr) (Remote host closed the connection)01:42
*** Joins: wolog_ (~wolog@195.6.104.193)02:25
*** Joins: Cupertino (~Cupez@unaffiliated/cupertino)02:29
*** Joins: giallu (~giallu@fedora/giallu)02:46
*** Joins: fanno (~b3g@193.3.95.240)03:45
*** Joins: Rixie (~Rixie@0x4dd7390e.adsl.cybercity.dk)03:56
*** Joins: cgra (~quassel@a91-154-65-126.elisa-laajakaista.fi)04:09
<cgra> hi, i have problem installing mantis. pretty much the only hint i get is "PHP Fatal error:  Call to undefined function event_clear_callbacks()" 04:10
<cgra> i'm on centos 5.4 and i did check database connectivity a few times. the mysql schema appears, but nothing else. no tables at all 04:12
<cgra> i've now tried the stable and its most recent nightly build version 04:13
<cgra> the install.php result page seems to break at "Attempting to connect to database as user: GOOD" 04:14
<cgra> that's the last visible item 04:15
<cgra> if anyone can give hints what to check next, i'd appreciate 04:15
*** Joins: davidinc (~d5374b2e@gateway/web/freenode/x-rzwgrcqjxalxwkab)04:31
*** Joins: rombert (~c1e284da@gateway/web/freenode/x-zmqdavuyslnyphsl)04:37
*** Joins: cobexer (~cobexer@188-23-13-181.adsl.highway.telekom.at)04:43
*** Quits: rombert (~c1e284da@gateway/web/freenode/x-zmqdavuyslnyphsl) (Quit: Page closed)04:52
*** Joins: hever (~hever@ip-95-223-227-129.unitymediagroup.de)05:21
<hever> Hello, what's the difference between release and stable as project status? 05:21
*** Joins: Kornel^aardvark (~kornel@fw1.aardvarkmedia.co.uk)05:26
*** Joins: \cobexer (~cobexer@188-23-10-184.adsl.highway.telekom.at)06:40
*** Quits: cobexer (~cobexer@188-23-13-181.adsl.highway.telekom.at) (Ping timeout: 264 seconds)06:44
*** Quits: Ragnor (~Ragnor@178.1.42.132) (Disconnected by services)06:54
*** Joins: Ragnor (~Ragnor@178.1.42.132)06:55
*** Quits: tavasti (~tavasti@217.152.202.221) (*.net *.split)06:55
*** Joins: tavasti (~tavasti@217.152.202.221)06:59
*** \cobexer is now known as \cobexer|away 07:08
*** Joins: mellen (~thansen@x1-6-00-22-02-00-0c-40.k253.webspeed.dk)07:12
<Kornel^aardvark> I can't find documentation for supported column types in schema definitions. How can I define boolean column in plugin? 08:34
<nuclear_eclipse> hi Kornel^aardvark 09:02
<nuclear_eclipse> http://phplens.com/lens/adodb/docs-datadict.htm 09:02
<Kornel^aardvark> thanks 09:04
<nuclear_eclipse> we generally stay away from most of the blob/varchar variants, and just use C(x) and XL, due to compatibility issues between the many supported database types 09:05
<nuclear_eclipse> and we've moved away from datetime fields completely in 1.2 to use int fields instead, which allows us to better handle timezones etc 09:06
<nuclear_eclipse> or rather, int fields allow timezone handling to be done exclusively by Mantis, as some dbms's try to do some funky timezone handling of their own when using datetime fields 09:07
*** Joins: mantisbt_72657 (~7aa049ee@gateway/web/freenode/x-ekmyalgsckbcdeir)09:16
*** Quits: mantisbt_72657 (~7aa049ee@gateway/web/freenode/x-ekmyalgsckbcdeir) (Client Quit)09:17
<cgra> i'm still stuck at installing mantis on centos 5.4. error_api.php on line 135 can't find event_clear_callbacks() function. i can't get the reason of error because of crash. should event_api.php be imported somehow here? 09:27
<nuclear_eclipse> cgra: that's a known problem, in cases where the mantis core hits an error before the event API has been loaded 09:32
<nuclear_eclipse> workaround atm is to edit core/error_api.php and comment out the call to event_clear_callbacks() so that you can see the real error message, and then once the underlying error is resolved, uncomment that line again 09:33
<nuclear_eclipse> alternatively, wrap the call in `if (function_exists("event_clear_callbacks")) {` 09:33
<cgra> ok. just tried the uncommenting. now there's no error in apache error_log but the page still seems to cut prematurely, at the "Attempting to connect to database as user: GOOD" 09:34
<cgra> btw, install.php says PHP 5.1.6 is good, but the webpage states mantis 1.2.1 requires php 5.2 or newer. any problem there? 09:37
<nuclear_eclipse> the webpage is wrong 09:38
<nuclear_eclipse> =\ 09:38
<cgra> ok 09:39
*** Quits: daryn_ (~daryn@h227.213.31.71.dynamic.ip.windstream.net) (Quit: Ex-Chat)09:43
*** Quits: fanno (~b3g@193.3.95.240) (Remote host closed the connection)09:46
*** Quits: kirillka (~Miranda@global01.vester.ru) (Quit: kirillka)10:04
*** Quits: cgra (~quassel@a91-154-65-126.elisa-laajakaista.fi) (Remote host closed the connection)10:12
*** Quits: giallu (~giallu@fedora/giallu) (Ping timeout: 265 seconds)10:19
*** Joins: micahg (~micah@ubuntu/member/micahg)10:21
*** Parts: Kornel^aardvark (~kornel@fw1.aardvarkmedia.co.uk)10:35
*** Joins: Kornel^aardvark (~kornel@fw1.aardvarkmedia.co.uk)10:36
*** Joins: fanno (~Morten@90.184.93.233)10:41
*** Joins: daryn (~daryn@rrcs-76-79-4-2.west.biz.rr.com)10:46
<Kornel^aardvark> How evil is plugin adding column to mantis standard tables? 10:53
<Kornel^aardvark> I've found that bugnote_get_field() doesn't see added column unless I execute bugnote_clear_cache() before 10:53
<dhx_m> Kornel^aardvark: hi 10:54
<dhx_m> Kornel^aardvark: plugins shouldn't modify the default Mantis tables because it may break upgrades in the future 10:54
<dhx_m> Kornel^aardvark: it's better to left join them with plugin tables 10:54
* nuclear_eclipse agrees with dhx_m 10:58
*** Quits: Cupertino (~Cupez@unaffiliated/cupertino) (Quit: I give up...)10:59
<dhx_m> nuclear_eclipse: hi :) 11:01
*** Quits: Rixie (~Rixie@0x4dd7390e.adsl.cybercity.dk) (Quit: Rixie)11:02
<nuclear_eclipse> hi dhx_m :) 11:04
*** Parts: Kornel^aardvark (~kornel@fw1.aardvarkmedia.co.uk)11:10
*** Joins: Kornel^aardvark (~kornel@fw1.aardvarkmedia.co.uk)11:11
<CIA-21> Mantisbt: hickseydr * r339e583ab780 /core/install_helper_functions_api.php: install_stored_filter_migrate should ignore missing filter fields 11:15
*** Quits: xSmurf (~MrSmurf@53-73-252-216.dsl.colba.net) (Changing host)11:35
*** Joins: xSmurf (~MrSmurf@unaffiliated/mrsmurf)11:35
*** Quits: davidinc (~d5374b2e@gateway/web/freenode/x-rzwgrcqjxalxwkab) (Ping timeout: 252 seconds)11:39
<dhx_m> oops 11:45
<CIA-21> Mantisbt: hickseydr * r3110481c6492 /core/filter_api.php: Undefined index _source_query_id when printing filter list dropdown 11:49
<CIA-21> Mantisbt: hickseydr * r269c843a95fb /core/filter_api.php: _source_query_id: follow up fix for last commit 11:54
*** Quits: wolog_ (~wolog@195.6.104.193) (Remote host closed the connection)11:55
*** Quits: hever (~hever@ip-95-223-227-129.unitymediagroup.de) (Read error: Operation timed out)11:57
*** Quits: micahg (~micah@ubuntu/member/micahg) (Ping timeout: 246 seconds)12:00
* nuclear_eclipse congratulates dhx_m 12:00
<dhx_m> lol 12:01
<dhx_m> I suspect you may have exposed an XSS vulnerability in 79255f6b 12:02
<dhx_m> not your fault because the problem already existed, but I'll blame you anyway :p 12:02
<dhx_m> just checking if it is an issue with 1.2.1 as well 12:02
<nuclear_eclipse> how would that be an XSS error? 12:03
<dhx_m> printing an unsanitised project name 12:03
<dhx_m> as I just said, the problem already existed 12:04
<nuclear_eclipse> ? shouldn't the page be using string_line() or what not? 12:04
<nuclear_eclipse> string_display_line()* 12:04
<dhx_m> yep that is what I'm about to commit 12:04
<nuclear_eclipse> yet another reason I supremely hate web applications... 12:04
<dhx_m> PHPTAL would have prevented that :D 12:05
<Kornel^aardvark> :> 12:05
<nuclear_eclipse> so much bullshit boilerplate code just to make sure the user isn't being screwed while using the application... 12:05
<Kornel^aardvark> nuclear_eclipse: non-web applications have similar problems with printf(foo) 12:06
<dhx_m> yep replace input/output sanitisation in web apps with buffer overflow bugs in non-web apps :) 12:06
<nuclear_eclipse> you can't surreptitiously hide a CSRF vulnerability in an image though, when you're talking about native desktop apps... 12:07
<Kornel^aardvark> yes. CSRF is a big failure of the platform. 12:08
<nuclear_eclipse> and using a high level language like Java, Python, etc, with proper datatypes means you almost never have to deal with buffer overflows as a developer, either 12:08
<dhx_m> nuclear_eclipse: did you see the presentation I linked to regarding click jacking in the latest blog post? 12:08
<nuclear_eclipse> no 12:08
<dhx_m> nuclear_eclipse: it'll make you cry :) 12:08
<nuclear_eclipse> I assumed it would, hence the reason I ignored it ;) 12:09
<nuclear_eclipse> honestly, if web apps weren't so insanely useful and easy to deploy, I'd have rather cut my face off than get a job dealing with all this bullshit... :P 12:09
<dhx_m> in summary, invisible iframes which are cropped over a button on a target page... another site can thus trick you into clicking on any part of a page and the click is redirected to the target page, clicking a button that would otherwise be protected via CSRF tokens 12:10
<nuclear_eclipse> sounds about right 12:10
<Kornel^aardvark> I wonder if every web exploit could be tracked back to Netscape's extension... :) 12:10
<nuclear_eclipse> nope, ActiveX is a pretty gaping hole exclusive to the realm of Microsoft 12:11
<dhx_m> I can't wait for some free time (end of June) so I can get to work on PHPTALerizing MantisBT with primary objectives 1) remove all inline JavaScript so we can use CSP (Content Security Policy) to block inline JavaScript entirely (no more XSS attacks!), 2) remove all print_ pages and instead use different CSS files for web/print views 12:12
<Kornel^aardvark> ActiveX became irrelevant, so it's not a problem. You can't get rid of iframes, document.write, form.submit(), etc. 12:12
<dhx_m> I forgot the terms-and-conditions-apply asterisk (*) after "no more XSS attacks" 12:13
<nuclear_eclipse> dhx_m: the question is just how long before browsers actually pay attention to CSP crap 12:13
<dhx_m> also PHPTAL sanitises variables at output anyway :) 12:13
<nuclear_eclipse> or rather, how long until nobody uses a browser that doesn't support CSP 12:13
<dhx_m> nuclear_eclipse: maybe never... it isn't a standard yet 12:14
<dhx_m> however PHPTAL's automatic sanitisation of any variables outputted in the templates should solve the problem I guess 12:14
<dhx_m> CSP is meant to just be another safeguard layer... it's not meant to be used as a first line defence 12:14
<CIA-21> Mantisbt: hickseydr master-1.2.x * rc4b1574631fc /core/filter_api.php: Fix #11933: XSS via project_id_filter_target (filter advanced view) 12:20
*** Joins: moto-moi (~hylke@cara.xs4all.nl)12:20
<CIA-21> Mantisbt: hickseydr * r9d5880bc93ab /core/filter_api.php: Fix #11933: XSS via project_id_filter_target (filter advanced view) 12:20
<dhx_m> found some more, this time limited to administrators so I'm not calling it a security bug 12:26
<dhx_m> but it does limit their ability to use certain characters in a field 12:26
<dhx_m> (when that limitation shouldn't be in place) 12:27
<dhx_m> finally... ADOdb 5.11! :) 12:29
*** Joins: hever (~hever@ip-95-223-227-129.unitymediagroup.de)12:40
*** Joins: siebrand (~beis@sm.xs4all.nl)12:47
*** Quits: Kornel^aardvark (~kornel@fw1.aardvarkmedia.co.uk) (Quit: Kornel^aardvark)12:48
*** Joins: wolog_ (~wolog@AOrleans-152-1-34-142.w90-21.abo.wanadoo.fr)12:48
<CIA-21> Mantisbt: hickseydr * rb8b21142be9e / (144 files in 10 dirs): Update ADOdb to v5.11 (May 5, 2010) 13:17
*** Quits: hever (~hever@ip-95-223-227-129.unitymediagroup.de) (Ping timeout: 248 seconds)13:22
*** Joins: giallu (~giallu@fedora/giallu)14:20
*** Joins: micahg (~micah@ubuntu/member/micahg)14:24
*** Joins: cobexer (~cobexer@188-23-14-35.adsl.highway.telekom.at)14:40
*** Quits: \cobexer|away (~cobexer@188-23-10-184.adsl.highway.telekom.at) (Read error: Operation timed out)14:41
*** Joins: hever (~hever@ip-95-223-227-129.unitymediagroup.de)14:47
*** Joins: AzaToth (~azatoth@wikipedia/AzaToth)14:53
*** Quits: hever (~hever@ip-95-223-227-129.unitymediagroup.de) (Ping timeout: 246 seconds)15:15
*** Joins: rombert (~robert@81.180.230.218)16:04
<rombert> Hey all 16:05
<rombert> any postgres savvy users? 16:05
<nuclear_eclipse> hi rombert 16:06
* nuclear_eclipse suggests chatting with dhx_m 16:06
<rombert> thanks 16:07
<CIA-21> Mantisbt: robert * r87448db8ee68 /admin/install.php: Display all current SQL upgrade instructions on execution failure 16:47
<CIA-21> Mantisbt: robert master-1.2.x * r3fa5664bfcaf /admin/install.php: Display all current SQL upgrade instructions on execution failure 16:47
<CIA-21> Mantisbt: robert.munteanu * r18b995e24c1f /api/soap/mc_file_api.php: Fix attachment upload for SOAP API/PostgreSQL 17:36
<CIA-21> Mantisbt: robert.munteanu master-1.2.x * r90c726d36f95 /api/soap/mc_file_api.php: Fix attachment upload for SOAP API/PostgreSQL 17:36
*** Quits: daryn (~daryn@rrcs-76-79-4-2.west.biz.rr.com) (Quit: Ex-Chat)17:56
*** Quits: moto-moi (~hylke@cara.xs4all.nl) (Quit: Ex-Chat)17:59
*** Quits: cobexer (~cobexer@188-23-14-35.adsl.highway.telekom.at) (Read error: Connection reset by peer)18:02
*** Parts: rombert (~robert@81.180.230.218)18:15
*** Quits: giallu (~giallu@fedora/giallu) (Ping timeout: 264 seconds)18:37
*** Joins: hever (~hever@ip-95-223-227-129.unitymediagroup.de)18:37
*** Quits: hever (~hever@ip-95-223-227-129.unitymediagroup.de) (Remote host closed the connection)18:55
*** Quits: AzaToth (~azatoth@wikipedia/AzaToth) (Remote host closed the connection)19:24
*** Quits: scribe9343423 (~scribe934@static.96.23.63.178.clients.your-server.de) (Remote host closed the connection)19:59
*** Joins: scribe9343423 (~scribe934@static.96.23.63.178.clients.your-server.de)20:00
*** Quits: micahg (~micah@ubuntu/member/micahg) (Ping timeout: 276 seconds)20:47
<CIA-21> Mantisbt: jreese * rb4e8a6647d9e /core/error_api.php: Fix edge case with event_clear_callbacks 21:29
<CIA-21> Mantisbt: jreese master-1.2.x * r7f1534f93b1d /core/error_api.php: Fix edge case with event_clear_callbacks 21:29
*** Joins: daryn (~daryn@h102.211.31.71.dynamic.ip.windstream.net)22:02
*** Quits: fanno (~Morten@90.184.93.233) (Read error: Connection reset by peer)22:27
*** Quits: |Otter| (~haruka@p54ACCE74.dip.t-dialin.net) (Ping timeout: 246 seconds)22:32
*** Joins: daryn_ (~daryn@h66.156.16.98.dynamic.ip.windstream.net)22:33
*** Joins: micahg (~micah@ubuntu/member/micahg)22:36
*** Quits: daryn (~daryn@h102.211.31.71.dynamic.ip.windstream.net) (Ping timeout: 265 seconds)22:36
*** daryn_ is now known as daryn 22:43
*** Joins: |Otter| (~haruka@p54ACFC20.dip.t-dialin.net)22:45
