*** Quits: dhx1 (~anonymous@c122-107-170-247.eburwd5.vic.optusnet.com.au) (Remote host closed the connection) | 00:12 | |
*** Joins: dhx1 (~anonymous@c122-107-170-247.eburwd5.vic.optusnet.com.au) | 00:51 | |
*** Quits: roentgen (~arthur@miranda/user/roentgen) (Ping timeout: 276 seconds) | 01:05 | |
*** Joins: kirillka (~Miranda@195.242.142.17) | 01:19 | |
*** Joins: roentgen (~arthur@miranda/user/roentgen) | 01:27 | |
*** Joins: davidinc (~davidinc@213.55.100.134) | 01:59 | |
*** Quits: roentgen (~arthur@miranda/user/roentgen) (Remote host closed the connection) | 02:00 | |
*** Quits: giallu (~giallu@fedora/giallu) (Ping timeout: 240 seconds) | 02:05 | |
*** Joins: giallu (~giallu@fedora/giallu) | 02:26 | |
*** Quits: giallu (~giallu@fedora/giallu) (Ping timeout: 240 seconds) | 02:31 | |
*** Joins: roentgen (~arthur@miranda/user/roentgen) | 03:17 | |
*** Quits: roentgen (~arthur@miranda/user/roentgen) (Remote host closed the connection) | 03:37 | |
*** Joins: roentgen (~arthur@miranda/user/roentgen) | 03:38 | |
*** Joins: rolfkleef (~rolf@urtica.xs4all.nl) | 03:49 | |
*** Quits: Rixie (~Rixie@0x4dd7390e.adsl.cybercity.dk) (Quit: Rixie) | 04:09 | |
dhx1 | hmm why is git.mantisforge.org asking for a password? :( | 04:36 |
dhx1 | ssh://dhx@git.mantisforge.org/srv/git/source-integration/dhx.git (push) | 04:37 |
dhx1 | did something change? | 04:37 |
*** Quits: kirillka (~Miranda@195.242.142.17) (Quit: kirillka) | 04:41 | |
dhx1 | never mind, I probably lost my old key for that | 04:42 |
*** Quits: davidinc (~davidinc@213.55.100.134) (Ping timeout: 250 seconds) | 05:03 | |
*** Joins: davidinc (~davidinc@213.55.100.134) | 05:05 | |
*** Quits: BlackBishop (~d3xt3r@d3xt3r01.tk) (Quit: leaving) | 05:09 | |
*** Joins: giallu (~giallu@fedora/giallu) | 05:12 | |
dhx1 | someone please kill print_api!! :) | 05:39 |
CIA-21 | Mantisbt: damien.regad * r1aa117804219 / (3 files in 2 dirs): Fix #11351: Do not delete email or realname when editing user with LDAP | 05:50 |
*** Joins: pualr-__ (~root@178.63.23.88) | 06:00 | |
pualr-__ | djSupport: | 06:00 |
pualr-__ | bah | 06:00 |
pualr-__ | dhx1: | 06:00 |
pualr-__ | your last patch | 06:00 |
pualr-__ | is also incorrect :) | 06:00 |
dhx1 | how? | 06:00 |
pualr-__ | original functionality: | 06:01 |
dhx1 | if you're getting real names and emails from LDAP then you shouldn't really give the admin/user an option to change them | 06:01 |
dhx1 | I do agree it's only half the problem | 06:01 |
pualr-__ | if a user gets email from ldap, don't allow them to edit, only view | 06:01 |
dhx1 | as the submission pages still accept changes | 06:01 |
pualr-__ | however knock on of that is when user changes accounts page, it wipes data | 06:02 |
dhx1 | that's what it is doing now | 06:02 |
pualr-__ | new functionality: | 06:02 |
pualr-__ | would appear to fix that by sending the ldap stuff off in a hidden field? | 06:02 |
pualr-__ | which means if someone edits the page params behind the scenes | 06:02 |
dhx1 | yeah... like I said, it's a crap fix :p | 06:02 |
pualr-__ | it will do the update | 06:03 |
dhx1 | yep | 06:03 |
pualr-__ | so that's worse :) | 06:03 |
pualr-__ | or well as bad ;p | 06:03 |
dhx1 | we need to fix it behind the scenes and then remove the hidden field | 06:03 |
dhx1 | well this is 50% of the patch as such | 06:03 |
pualr-__ | anyway | 06:03 |
pualr-__ | tomorrow is mantis day | 06:03 |
pualr-__ | :) | 06:03 |
dhx1 | and GRRRRR at not escaping variables like the user name before printing them to the output!!! | 06:03 |
pualr-__ | :) | 06:03 |
dhx1 | how long have I been hearing that? :p | 06:04 |
pualr-__ | username is limited to 10 chars | 06:04 |
pualr-__ | we discussed this last week ;p | 06:04 |
pualr-__ | also | 06:04 |
dhx1 | half of print_api may as well be a test for web application vulnerability scanners | 06:04 |
pualr-__ | at one point we only allowed certain characters for usernames | 06:04 |
dhx1 | yep dumb restriction ;) | 06:04 |
pualr-__ | i.e. the strip_scripting_chars thing | 06:04 |
pualr-__ | or whatever | 06:04 |
dhx1 | which is why I think I removed it heh | 06:04 |
pualr-__ | well | 06:04 |
pualr-__ | :) | 06:04 |
pualr-__ | so you've made security issues :P | 06:05 |
dhx1 | well I may have uncovered some security issues that already existed but weren't exploitable :p | 06:05 |
pualr-__ | anyway, I like my job as commit-guard :P | 06:08 |
dhx1 | thanks, it's actually quite good that someone is doing the job :) | 06:13 |
CIA-21 | Mantisbt: damien.regad master-1.2.x * r99e7eedc560c / (3 files in 2 dirs): Fix #11351: Do not delete email or realname when editing user with LDAP | 06:13 |
dhx1 | nooooo account_update.php is my worst nightmare | 06:14 |
dhx1 | I've seen worse... but still :) | 06:15 |
dhx1 | grep -Rn "echo \\$" * | 06:16 |
dhx1 | that's bad... | 06:16 |
dhx1 | and it's only part of the problem | 06:17 |
dhx1 | to ask for 40 CVEs or not... :P | 06:17 |
pualr-__ | > | 06:19 |
pualr-__ | echo \\$? | 06:19 |
pualr-__ | could be fine | 06:19 |
dhx1 | finding XSS issues (as I just fixed a bunch in the last commit) | 06:19 |
pualr-__ | anyway | 06:20 |
dhx1 | I'll demonstrate one in a moment :) | 06:20 |
pualr-__ | stop breaking stuff | 06:20 |
pualr-__ | that doesn't need fixing | 06:20 |
dhx1 | it's fun breaking a bug tracker of all software :P | 06:20 |
dhx1 | actually CSRF protection prevents the bug I'm fixing from being a security issue | 06:22 |
*** Quits: davidinc (~davidinc@213.55.100.134) (Ping timeout: 255 seconds) | 06:24 | |
CIA-21 | Mantisbt: hickseydr * rc89612583e9a /bug_report.php: Fix #12474: bug_report XSS issue when report_stay=1 | 06:28 |
CIA-21 | Mantisbt: hickseydr master-1.2.x * rda681451a186 /bug_report.php: Fix #12474: bug_report XSS issue when report_stay=1 | 06:29 |
*** Quits: rolfkleef (~rolf@urtica.xs4all.nl) (Ping timeout: 245 seconds) | 06:52 | |
*** Quits: pualr-__ (~root@178.63.23.88) (Quit: Lost terminal) | 07:02 | |
CIA-21 | Mantisbt: hickseydr master-1.2.x * r7672ca3d7f00 / (4 files): Fix #11351: Real name and email should not be updated via GPC (LDAP) | 07:05 |
djSupport | you rang? | 07:16 |
djSupport | is CIA-21a bot? | 07:16 |
djSupport | is CIA-21 a bot? | 07:17 |
dhx1 | yep it's a bot | 07:20 |
CIA-21 | Mantisbt: hickseydr * r71ad8c6fda3b / (4 files): Fix #11351: Real name and email should not be updated via GPC (LDAP) | 07:20 |
CIA-21 | Mantisbt: hickseydr master-1.2.x * r5f24068ee315 /manage_user_update.php: Issue #11351: Fix variable names for $t_email | 07:23 |
CIA-21 | Mantisbt: tgulacsi * r0ed247226938 /core/graphviz_api.php: fix graphiz_api indentation and syntax error | 07:48 |
*** Joins: rolfkleef (~rolf@82-204-82-162.fttx.bbeyond.nl) | 07:59 | |
*** Joins: biglesiasjr (~bill@ool-182cba80.dyn.optonline.net) | 08:03 | |
CIA-21 | Mantisbt: paul master-1.2.x * r76c9a79ef7d8 /core/custom_field_api.php: Following XSS changes, don't double encode | 08:06 |
CIA-21 | Mantisbt: sdelfranco * ree1371d41049 /core/html_api.php: Fix #12061: Status percentage bar should check for private bugs | 08:21 |
CIA-21 | Mantisbt: sdelfranco master-1.2.x * rc783a403d3f9 /core/html_api.php: Fix #12061: Status percentage bar should check for private bugs | 08:21 |
*** Joins: davidinc (~davidinc@213.55.100.134) | 08:31 | |
*** Joins: Al_Chapone (~chatzilla@ATuileries-151-1-43-37.w82-123.abo.wanadoo.fr) | 08:57 | |
*** Joins: LadySerena (~LadySeren@2001:470:1f0f:178:21e:c2ff:feaa:5140) | 09:06 | |
LadySerena | RAWR! | 09:06 |
LadySerena | okay, I've got a sponsored bug that's been fixed and needs to be paid, but I don't see any "Make payment" link, so how do I send the monies in? | 09:10 |
nuclear_eclipse | LadySerena: basically you'll need to get in touch with the developer in question and figure out how to handle it between the two of you | 09:14 |
LadySerena | ahs | 09:14 |
*** Quits: Al_Chapone (~chatzilla@ATuileries-151-1-43-37.w82-123.abo.wanadoo.fr) (Ping timeout: 265 seconds) | 09:16 | |
LadySerena | I sent the dev an email. =^_^= | 09:23 |
*** Joins: Al_Chapone (~chatzilla@ATuileries-151-1-11-42.w82-123.abo.wanadoo.fr) | 09:30 | |
*** Joins: daryn (~daryn@h158.249.190.173.static.ip.windstream.net) | 09:30 | |
*** Joins: siebrand (~beis@64.134.69.242) | 09:53 | |
*** Quits: siebrand (~beis@64.134.69.242) () | 10:24 | |
*** Quits: davidinc (~davidinc@213.55.100.134) (Ping timeout: 265 seconds) | 10:29 | |
*** Quits: Al_Chapone (~chatzilla@ATuileries-151-1-11-42.w82-123.abo.wanadoo.fr) (Ping timeout: 245 seconds) | 11:09 | |
*** Joins: Al_Chapone (~chatzilla@ATuileries-151-1-60-168.w83-202.abo.wanadoo.fr) | 11:23 | |
*** Quits: Al_Chapone (~chatzilla@ATuileries-151-1-60-168.w83-202.abo.wanadoo.fr) (Ping timeout: 265 seconds) | 11:31 | |
*** Joins: Al_Chapone (~chatzilla@ATuileries-151-1-60-168.w83-202.abo.wanadoo.fr) | 11:34 | |
*** Quits: giallu (~giallu@fedora/giallu) (Ping timeout: 245 seconds) | 11:43 | |
*** Quits: roentgen (~arthur@miranda/user/roentgen) (Read error: Operation timed out) | 11:56 | |
*** Joins: roentgen (~arthur@miranda/user/roentgen) | 12:15 | |
*** Joins: Github (~Github@sh1-ext.rs.github.com) | 12:30 | |
Github | mantisbt: master Damien Regad * 1aa1178 (3 files in 2 dirs): Fix #11351: Do not delete email or realname when editing user with LDAP ... | 12:30 |
Github | mantisbt: master David Hicks * c896125 (1 files in 1 dirs): Fix #12474: bug_report XSS issue when report_stay=1 ... | 12:30 |
Github | mantisbt: master David Hicks * 71ad8c6 (4 files in 1 dirs): Fix #11351: Real name and email should not be updated via GPC (LDAP) ... | 12:30 |
Github | mantisbt: master Gulacsi Tamas * 0ed2472 (1 files in 1 dirs): fix graphiz_api indentation and syntax error ... | 12:30 |
Github | mantisbt: master Sergio Del Franco * ee1371d (1 files in 1 dirs): Fix #12061: Status percentage bar should check for private bugs ... | 12:30 |
Github | mantisbt: master commits 9a95994...ee1371d - http://bit.ly/btyVFQ | 12:30 |
*** Parts: Github (~Github@sh1-ext.rs.github.com) | 12:30 | |
*** Joins: Github (~Github@sh1-ext.rs.github.com) | 12:30 | |
Github | mantisbt: master-1.2.x Damien Regad * 99e7eed (3 files in 2 dirs): Fix #11351: Do not delete email or realname when editing user with LDAP ... | 12:30 |
Github | mantisbt: master-1.2.x David Hicks * da68145 (1 files in 1 dirs): Fix #12474: bug_report XSS issue when report_stay=1 ... | 12:30 |
Github | mantisbt: master-1.2.x David Hicks * 7672ca3 (4 files in 1 dirs): Fix #11351: Real name and email should not be updated via GPC (LDAP) ... | 12:30 |
Github | mantisbt: master-1.2.x David Hicks * 5f24068 (1 files in 1 dirs): Issue #11351: Fix variable names for $t_email ... | 12:30 |
Github | mantisbt: master-1.2.x Paul * 76c9a79 (1 files in 1 dirs): Following XSS changes, don't double encode | 12:30 |
Github | mantisbt: master-1.2.x Sergio Del Franco * c783a40 (1 files in 1 dirs): Fix #12061: Status percentage bar should check for private bugs ... | 12:30 |
Github | mantisbt: master-1.2.x commits 6172ca3...c783a40 - http://bit.ly/bNOnVV | 12:30 |
*** Parts: Github (~Github@sh1-ext.rs.github.com) | 12:30 | |
*** Quits: Al_Chapone (~chatzilla@ATuileries-151-1-60-168.w83-202.abo.wanadoo.fr) (Quit: ChatZilla 0.9.86 [Firefox 3.6.11/20101012113537]) | 12:31 | |
*** Quits: micahg (~micah@ubuntu/member/micahg) (Ping timeout: 252 seconds) | 12:43 | |
*** Quits: rolfkleef (~rolf@82-204-82-162.fttx.bbeyond.nl) (Quit: Leaving.) | 13:02 | |
*** Joins: rolfkleef (~rolf@82-204-82-162.fttx.bbeyond.nl) | 13:03 | |
*** Quits: rolfkleef (~rolf@82-204-82-162.fttx.bbeyond.nl) (Client Quit) | 13:03 | |
*** Joins: moto-moi (~hylke@cara.xs4all.nl) | 13:23 | |
*** Joins: micahg (~micah@ubuntu/member/micahg) | 13:42 | |
*** Quits: roentgen (~arthur@miranda/user/roentgen) (Remote host closed the connection) | 14:39 | |
*** Quits: biglesiasjr (~bill@ool-182cba80.dyn.optonline.net) (Quit: Leaving.) | 15:17 | |
*** Joins: biglesiasjr (~bill@ool-182cba80.dyn.optonline.net) | 15:19 | |
*** Joins: siebrand (~beis@12.50.119.130) | 15:33 | |
*** Joins: rolfkleef (~rolf@urtica.xs4all.nl) | 15:36 | |
*** Joins: paulr (~IceChat09@2001:470:9310:aaaa:bc25:d7b5:e02a:de61) | 15:50 | |
paulr | oo | 15:50 |
*** Joins: roentgen (~arthur@miranda/user/roentgen) | 16:03 | |
*** Quits: paulr (~IceChat09@2001:470:9310:aaaa:bc25:d7b5:e02a:de61) (Quit: Don't push the red button!) | 16:35 | |
*** Quits: micahg (~micah@ubuntu/member/micahg) (Ping timeout: 276 seconds) | 17:04 | |
*** Quits: daryn (~daryn@h158.249.190.173.static.ip.windstream.net) (Quit: Ex-Chat) | 17:48 | |
*** Quits: moto-moi (~hylke@cara.xs4all.nl) (Ping timeout: 240 seconds) | 18:17 | |
*** Joins: micahg (~micah@ubuntu/member/micahg) | 18:26 | |
*** Quits: micahg (~micah@ubuntu/member/micahg) (Remote host closed the connection) | 18:28 | |
*** Joins: micahg (~micah@ubuntu/member/micahg) | 18:35 | |
*** Quits: micahg (~micah@ubuntu/member/micahg) (Ping timeout: 245 seconds) | 18:55 | |
*** Joins: paulr (~IceChat09@2001:470:9310:aaaa:bc25:d7b5:e02a:de61) | 19:06 | |
* paulr yawns | 19:06 | |
*** Quits: siebrand (~beis@12.50.119.130) () | 19:09 | |
*** Quits: paulr (~IceChat09@2001:470:9310:aaaa:bc25:d7b5:e02a:de61) (Quit: Do fish get thirsty?) | 19:38 | |
*** Quits: scribe9343423 (~scribe934@static.96.23.63.178.clients.your-server.de) (Remote host closed the connection) | 20:00 | |
*** Joins: scribe9343423 (~scribe934@static.96.23.63.178.clients.your-server.de) | 20:00 | |
*** Quits: rolfkleef (~rolf@urtica.xs4all.nl) (Quit: Leaving.) | 20:03 | |
*** Quits: biglesiasjr (~bill@ool-182cba80.dyn.optonline.net) (Quit: Leaving.) | 20:11 | |
*** Joins: djSupport_ (~djsupport@188-221-240-190.zone12.bethere.co.uk) | 21:28 | |
*** Quits: djSupport (~djsupport@188-221-240-190.zone12.bethere.co.uk) (Ping timeout: 240 seconds) | 21:30 | |
*** Joins: djSupport (~djsupport@188-221-240-190.zone12.bethere.co.uk) | 23:32 | |
*** Quits: djSupport_ (~djsupport@188-221-240-190.zone12.bethere.co.uk) (Ping timeout: 245 seconds) | 23:34 |