Tuesday, 2010-12-14

*** Joins: dhx1 (~anonymous@c122-107-170-247.eburwd5.vic.optusnet.com.au)		00:00
*** Joins: scribe9343423 (~scribe934@static.96.23.63.178.clients.your-server.de)		00:00
*** Joins: iip2 (~iip2@2a01:e35:2ef3:b360::f4:9e)		00:00
*** Joins: dagb (~dagb@91.84-48-174.nextgentel.com)		00:00
*** Joins: killefiz (~sven@fedora/pdpc.base.killefiz)		00:00
*** Joins: Ragnor (~Ragnor@dslb-188-100-045-138.pools.arcor-ip.net)		00:00
*** Joins: mellen (~thansen@x1-6-00-22-02-00-0c-40.k1109.webspeed.dk)		00:00
*** Joins: CIA-28 (~CIA@208.69.182.149)		00:00
*** Joins: tavasti (~tavasti@ov1.tavasti.fi)		00:00
*** Joins: webnom (~Adium@ip68-6-124-216.sb.sd.cox.net)		01:02
*** Quits: micahg (~micah@ubuntu/member/micahg) (Ping timeout: 255 seconds)		01:03
webnom	I have a MantisBT question. Am I in the right spot?	01:04
*** Joins: micahg (~micah@ubuntu/member/micahg)		01:06
*** Quits: Ragnor (~Ragnor@dslb-188-100-045-138.pools.arcor-ip.net) (Disconnected by services)		01:07
*** Joins: Ragnor (~Ragnor@dslb-188-100-045-138.pools.arcor-ip.net)		01:07
*** Quits: killefiz (~sven@fedora/pdpc.base.killefiz) (.net .split)		01:10
*** Joins: killefiz (~sven@fedora/pdpc.base.killefiz)		01:10
*** Quits: mellen (~thansen@x1-6-00-22-02-00-0c-40.k1109.webspeed.dk) (Ping timeout: 240 seconds)		01:13
*** Joins: mellen (~thansen@x1-6-00-22-02-00-0c-40.k1109.webspeed.dk)		01:14
*** Quits: micahg (~micah@ubuntu/member/micahg) (Quit: Leaving.)		01:40
*** Joins: micahg (~micah@ubuntu/member/micahg)		01:42
*** Quits: giallu (~giallu@fedora/giallu) (Ping timeout: 245 seconds)		01:51
*** Joins: siebrand (~beis@535392CA.cm-6-4c.dynamic.ziggo.nl)		02:23
*** Joins: Cupertino (~Cupez@unaffiliated/cupertino)		02:24
*** Quits: siebrand (~beis@535392CA.cm-6-4c.dynamic.ziggo.nl) (Ping timeout: 250 seconds)		02:32
*** Joins: djSupport (~djsupport@188-221-240-190.zone12.bethere.co.uk)		02:37
*** Joins: giallu (~giallu@fedora/giallu)		02:38
*** Joins: kirillka (~Miranda@195.242.142.17)		02:43
*** Quits: webnom (~Adium@ip68-6-124-216.sb.sd.cox.net) (Quit: Leaving.)		02:45
CIA-28	Mantisbt: vboctor master-1.2.x * rc6295994a062 /admin/upgrade_unattended.php: Fix #12607: LFI/FD and XSS in the upgrade_unattended.php	03:01
CIA-28	Mantisbt: vboctor * r2af6e8ddc46e /admin/upgrade_unattended.php: Fix #12607: LFI/FD and XSS in the upgrade_unattended.php	03:01
*** Quits: kirillka (~Miranda@195.242.142.17) (Read error: Connection reset by peer)		03:14
*** Joins: kirillka (~Miranda@195.242.142.17)		03:15
CIA-28	Mantisbt: vboctor master-1.2.x * r1efe5be6c7a5 /admin/upgrade_unattended.php: Fix #12607: LFI/FD and XSS in the upgrade_unattended.php - part 2	03:25
CIA-28	Mantisbt: vboctor * r184a0f4a06e9 /admin/upgrade_unattended.php: Fix #12607: LFI/FD and XSS in the upgrade_unattended.php - part 2	03:25
dhx1	nuclear_eclipse: ping	03:41
dhx1	giallu: ping	03:43
giallu	pong	03:43
giallu	uhm. upgrade_unattended...	03:43
giallu	I thought it was not functional since a good time	03:44
dhx1	giallu: you don't happen to know anyone on the RH/Fedora security teams that could assign a CVE?	03:44
dhx1	yeah I have no idea what that file does	03:44
dhx1	it's low impact anyway because we throw up warnings if a user leaves the /admin/ directory in place	03:45
giallu	dhx1, it was an attempt at a shell script to perform the upgrade without user intervention	03:45
giallu	to be used in distro packages upgrades, eventually	03:45
giallu	anyway, I think you make a report in bugzilla, mark it "security" and let them handle it	03:46
*** Quits: tavasti (~tavasti@ov1.tavasti.fi) (Ping timeout: 272 seconds)		03:46
dhx1	giallu: it looks like it is far from accomplishing those goals... it uses gpc_ functions that aren't going to work in PHP CLI mode	03:46
giallu	uhm	03:47
giallu	then my memory fails	03:47
dhx1	as $_POST and $_GET are undefined in that situation :)	03:47
dhx1	I think you're close... it is outputting plain text instead of HTML	03:47
*** Joins: tavasti (~tavasti@ov1.tavasti.fi)		03:53
*** Quits: tavasti (~tavasti@ov1.tavasti.fi) (Max SendQ exceeded)		03:53
*** Joins: tavasti (~tavasti@ov1.tavasti.fi)		03:54
*** Quits: tavasti (~tavasti@ov1.tavasti.fi) (Max SendQ exceeded)		03:54
*** Quits: CIA-28 (~CIA@208.69.182.149) (Ping timeout: 272 seconds)		03:56
*** Joins: tavasti (~tavasti@ov1.tavasti.fi)		03:57
*** Joins: CIA-15 (~CIA@208.69.182.149)		03:57
*** Joins: siebrand (~beis@535392CA.cm-6-4c.dynamic.ziggo.nl)		03:57
dhx1	giallu: I don't think those bugs actually exist from my inspections so far	04:25
dhx1	giallu: it could be someone running an old version of ADOdb that has security flaws within the Connect function that takes the db_type parameter	04:25
*** Quits: djSupport (~djsupport@188-221-240-190.zone12.bethere.co.uk) (Read error: Connection reset by peer)		04:36
*** Quits: siebrand (~beis@535392CA.cm-6-4c.dynamic.ziggo.nl) ()		04:49
*** Joins: Al_Chapone (~chatzilla@ATuileries-153-1-77-170.w83-202.abo.wanadoo.fr)		04:58
*** Joins: paulr (~a@212.85.5.19)		06:00
*** Joins: Github (~Github@sh1-ext.rs.github.com)		06:30
Github	mantisbt: master Victor Boctor * 2af6e8d (1 files in 1 dirs): Fix #12607: LFI/FD and XSS in the upgrade_unattended.php	06:30
Github	mantisbt: master Victor Boctor * 184a0f4 (1 files in 1 dirs): Fix #12607: LFI/FD and XSS in the upgrade_unattended.php - part 2	06:30
Github	mantisbt: master commits 2a7fe6d...184a0f4 - http://bit.ly/f6WDTe	06:30
*** Parts: Github (~Github@sh1-ext.rs.github.com)		06:30
*** Joins: Github (~Github@sh1-ext.rs.github.com)		06:30
Github	mantisbt: master-1.2.x Victor Boctor * c629599 (1 files in 1 dirs): Fix #12607: LFI/FD and XSS in the upgrade_unattended.php	06:30
Github	mantisbt: master-1.2.x Victor Boctor * 1efe5be (1 files in 1 dirs): Fix #12607: LFI/FD and XSS in the upgrade_unattended.php - part 2	06:30
Github	mantisbt: master-1.2.x commits 93b32ea...1efe5be - http://bit.ly/eoJMds	06:30
*** Parts: Github (~Github@sh1-ext.rs.github.com)		06:30
*** Quits: Al_Chapone (~chatzilla@ATuileries-153-1-77-170.w83-202.abo.wanadoo.fr) (Ping timeout: 272 seconds)		06:56
*** Joins: Al_Chapone (~chatzilla@ATuileries-153-1-77-170.w83-202.abo.wanadoo.fr)		08:01
*** Joins: feathersanddown (~feathersa@200.111.27.196)		09:25
feathersanddown	Hi people, i want to know what means 'categories' in a project	09:26
feathersanddown	http://www.mantisbt.org/wiki/doku.php/mantisbt:global_categories_requirements <-- still can't understand that	09:26
*** Quits: tsnfoo (~tsnfoo@ws-intelimac3.test.denison.edu) (Quit: tsnfoo)		09:31
*** Quits: kirillka (~Miranda@195.242.142.17) (Quit: kirillka)		10:13
*** Quits: Cupertino (~Cupez@unaffiliated/cupertino) (Quit: I give up...)		11:00
*** Joins: Al_Chapone_ (~chatzilla@ATuileries-153-1-77-170.w83-202.abo.wanadoo.fr)		11:01
*** Quits: Al_Chapone (~chatzilla@ATuileries-153-1-77-170.w83-202.abo.wanadoo.fr) (Ping timeout: 240 seconds)		11:03
*** Al_Chapone_ is now known as Al_Chapone		11:03
*** Joins: killefiz_ (~sven@fedora/pdpc.base.killefiz)		11:18
*** Quits: killefiz (~sven@fedora/pdpc.base.killefiz) (.net .split)		11:23
*** killefiz_ is now known as killefiz		11:31
*** Joins: MrGlass (~mrglass@cpe-66-108-105-205.nyc.res.rr.com)		11:34
MrGlass	hi. i am trying to migrate all my companies stuff to a VPS. we are using mantis for bug tracking. I copied over the install directory, migrated my database, and edited config_inc.php to reflect my new DB name, user, and pw.	11:36
MrGlass	i keep getting db fail errors, saying access denied	11:37
*** Parts: MrGlass (~mrglass@cpe-66-108-105-205.nyc.res.rr.com)		11:42
*** Quits: paulr (~a@212.85.5.19) ()		11:53
*** Joins: siebrand (~beis@535392CA.cm-6-4c.dynamic.ziggo.nl)		12:10
*** Quits: Al_Chapone (~chatzilla@ATuileries-153-1-77-170.w83-202.abo.wanadoo.fr) (Quit: ChatZilla 0.9.86 [Firefox 3.6.13/20101203075014])		12:15
*** Quits: giallu (~giallu@fedora/giallu) (Ping timeout: 272 seconds)		12:16
*** Joins: tsnfoo (~tsnfoo@ws-intelimac3.test.denison.edu)		12:16
*** Joins: moto-moi (~hylke@2001:888:13e4:0:21f:e2ff:fe0c:ce28)		12:38
*** Quits: feathersanddown (~feathersa@200.111.27.196) (Remote host closed the connection)		12:44
*** Joins: giallu (~giallu@fedora/giallu)		13:21
*** Joins: djSupport (~djsupport@188-221-240-190.zone12.bethere.co.uk)		13:27
*** Quits: micahg (~micah@ubuntu/member/micahg) (Ping timeout: 265 seconds)		13:43
*** Quits: djSupport (~djsupport@188-221-240-190.zone12.bethere.co.uk) (Remote host closed the connection)		16:01
*** Joins: micahg (~micah@ubuntu/member/micahg)		16:54
*** Joins: LiquidWorm (~jox@92.53.11.102)		17:02
dhx1	nuclear_eclipse: ping	17:34
nuclear_eclipse	hi dhx1	17:34
dhx1	nuclear_eclipse: can we roll out a 1.2.4 tarball ASAP? :)	17:35
nuclear_eclipse	zounds, I probably meant to do that a few weeks ago, eh?	17:35
dhx1	nuclear_eclipse: well the reason for me asking is due to a fairly major security problem (which you probably know about from the emails I've sent)	17:36
nuclear_eclipse	oh, the one Victor came back from the dead to commit fixes for?	17:36
dhx1	yep hehe :)	17:36
nuclear_eclipse	yeah, if you can put together a summary of the security problem/fix for the release notes, I'll try to get that together tonight or tomorrow	17:37
nuclear_eclipse	I haven't actually read any of the emails yet	17:37
nuclear_eclipse	and it's dinner time now...	17:37
dhx1	nuclear_eclipse: ok I'll send you change notes ASAP	17:37
dhx1	nuclear_eclipse: thanks :)	17:37
nuclear_eclipse	cheers	17:37
dhx1	nuclear_eclipse: do you use nginx by any chance?	17:39
*** Quits: moto-moi (~hylke@2001:888:13e4:0:21f:e2ff:fe0c:ce28) (Read error: Operation timed out)		18:21
CIA-15	Mantisbt: hickseydr * r974e6da4a2f0 /admin/upgrade_unattended.php: Fix #12607: LFI/PD/XSS in upgrade_unattended.php	18:51
CIA-15	Mantisbt: hickseydr master-1.2.x * rd67c4debcacf /admin/upgrade_unattended.php: Fix #12607: LFI/PD/XSS in upgrade_unattended.php	18:51
CIA-15	Mantisbt: hickseydr master-1.1.x * r2641fdc60d20 /admin/upgrade_unattended.php: Fix #12607: LFI/PD/XSS in upgrade_unattended.php	18:58
*** Quits: scribe9343423 (~scribe934@static.96.23.63.178.clients.your-server.de) (Remote host closed the connection)		19:00
*** Joins: scribe9343423 (~scribe934@static.96.23.63.178.clients.your-server.de)		19:00
*** Joins: LiquidWormio (~jox@92.53.11.102)		19:00
*** Quits: LiquidWorm (~jox@92.53.11.102) (Ping timeout: 240 seconds)		19:04
CIA-15	Mantisbt: hickseydr * r065c99c30f69 /doc/INSTALL: Fix #12607: Update installation instructions regarding admin directory	19:07
CIA-15	Mantisbt: hickseydr master-1.2.x * r54aace939c16 /doc/INSTALL: Fix #12607: Update installation instructions regarding admin directory	19:07
dhx1	ugh I screwed that up	19:17
dhx1	schema.php in admin/ is checked by login_page.php :(	19:17
dhx1	wait, not quite... :)	19:19
CIA-15	Mantisbt: hickseydr master-1.2.x * r77de677023ab /login_page.php: Fix #12607: Improve admin directory check on login_page	19:26
CIA-15	Mantisbt: hickseydr * r970630aa8c04 /login_page.php: Fix #12607: Improve admin directory check on login_page	19:26
dhx1	nuclear_eclipse: ready for packaging :)	19:42
CIA-15	Mantisbt: hickseydr master-1.2.x * rd066f095ceab / (core/constant_inc.php doc/RELEASE): Prepare for MantisBT 1.2.4 release	19:42
*** Quits: LiquidWormio (~jox@92.53.11.102) (Ping timeout: 276 seconds)		20:20
*** Joins: LiquidWorm (~jox@92.53.11.102)		20:23
*** Quits: micahg (~micah@ubuntu/member/micahg) (Ping timeout: 240 seconds)		20:36
nuclear_eclipse	dhx1: building the tarballs atm	21:10
nuclear_eclipse	gotta relearn how to upload them...	21:10
LiquidWorm	:)	21:10
LiquidWorm	hi John	21:11
nuclear_eclipse	hello	21:11
LiquidWorm	im Gjoko	21:11
nuclear_eclipse	gotta update the mantisbt.org tracker too	21:11
LiquidWorm	you just do ur thing, and say the word ;)	21:11
nuclear_eclipse	LiquidWorm: it'll probably be about 20 minutes or so before I get everything ready and can make the release announcements	21:12
LiquidWorm	yeah not a problem	21:13
nuclear_eclipse	hmm, it seems that sf.net ha s a new file upload system	21:16
dhx1	nuclear_eclipse: I think it has a new file upload system every time we make a new release? :p	21:20
dhx1	nuclear_eclipse: we should remove /admin/ from the server	21:21
nuclear_eclipse	dhx1: I thought it was protected by .htaccess...	21:21
dhx1	nuclear_eclipse: nope... :(	21:22
nuclear_eclipse	oops, just realized that I built the tarballs without docbook...	21:22
nuclear_eclipse	sigh	21:22
dhx1	nuclear_eclipse: 1.2.4 will actually throw up a warning if the "admin" directory exists so htaccess/changing permissions on the folder is no longer good enough	21:23
nuclear_eclipse	apparently I didn't have the docbook packages installed on my home machine, and I've been using my server for building the last few sets of tarballs	21:23
dhx1	aha	21:23
nuclear_eclipse	dhx1: umm, doesn't that break the ability to run mantis from a git repo?	21:23
dhx1	nuclear_eclipse: no, it only shows a warning (which can be ignored)	21:24
nuclear_eclipse	oh, ok	21:24
nuclear_eclipse	dhx1: that's the reason the admin folder is still there on the mantisbt.org server, because it's running from a repo clone	21:25
nuclear_eclipse	that way I only have to do `git pull` to bring it up to date	21:25
dhx1	nuclear_eclipse: ah ok, I guess it just needs git pull && rm -R admin	21:25
nuclear_eclipse	dhx1: or just add a .htaccess rule to protect that folder :P	21:26
dhx1	nuclear_eclipse: that'll still show the warning in 1.2.4	21:26
nuclear_eclipse	dhx1: you can turn off the warnings ;)	21:27
nuclear_eclipse	because that's exactly what I've been doing on my own server	21:27
dhx1	nuclear_eclipse: you can turn off CSRF too... :p	21:27
nuclear_eclipse	reuploading....	21:28
dhx1	and actually, you can turn off XSS protection too heh	21:28
dhx1	thanks	21:28
nuclear_eclipse	yeah, but turning off the admin folder warning is not actually a security risk if you're doing something to prevent it from being accessed	21:28
dhx1	at least most of our users won't know how to turn off the warning	21:30
dhx1	I don't see the point in keeping /admin/ anyhow	21:31
dhx1	git pull will replace it	21:31
nuclear_eclipse	dhx1: because it's an extra step that I don't want to rely on people remembering to do :P	21:31
nuclear_eclipse	yay, new tarballs are up	21:32
dhx1	nuclear_eclipse: true...	21:32
nuclear_eclipse	omg, srs?	21:35
nuclear_eclipse	ok, phew	21:36
nuclear_eclipse	I downloaded the .zip from sf.net to test and it was corrupted...	21:37
dhx1	I can confirm the tar.gz is OK	21:37
nuclear_eclipse	had to re-download to get a good copy	21:37
dhx1	but SF is taking a while to distribute it thus it is possible to download partial files at the moment	21:37
dhx1	yep	21:37
nuclear_eclipse	ok, dropping the release announcements	21:37
dhx1	then cough ahem /admin/ on the server :)	21:38
nuclear_eclipse	that's still my favorite command	21:39
dhx1	http://www.mantisbt.org/bugs/admin/test_langs.php throws errors before "access denied"... great script	21:39
nuclear_eclipse	root@mantis:/var/www/html/bugs# rm -r admin/	21:42
nuclear_eclipse	root@mantis:/var/www/html/bugs#	21:42
nuclear_eclipse	dhx1: happy now?	21:42
dhx1	:)	21:42
dhx1	I don't trust anything in admin/ and scripts/	21:42
dhx1	legacy cruft... :)	21:42
nuclear_eclipse	anywho, bedtime for me	21:43
dhx1	thanks for pushing the tarballs	21:43
dhx1	the announcement ML has a post too?	21:43
nuclear_eclipse	yeah, but that one always takes forever to propogate	21:44
nuclear_eclipse	I assume it's a giant list of subscribers	21:44
nuclear_eclipse	oh, just got it :)	21:44
nuclear_eclipse	w2g sf.net, everything actually went smoothly for a change	21:44
dhx1	haha	21:45
nuclear_eclipse	and their new file management interface is actually simple and easy to use	21:45
dhx1	thanks :)	21:45
CIA-15	Mantisbt: hickseydr * r99deb817006f /admin/test_langs.php: Move admin access check to top of test_langs script	21:45
CIA-15	Mantisbt: hickseydr master-1.2.x * r51d4164416fe /admin/test_langs.php: Move admin access check to top of test_langs script	21:45
nuclear_eclipse	/smack dhx1	21:45
dhx1	hehe, fast response or what? :)	21:45
nuclear_eclipse	great, now we need to release 1.2.5... :P	21:45
dhx1	it's not a problem because people shouldn't have admin/ on live sites :)	21:46
dhx1	+ the information that could be leaked isn't very sensitive	21:46
nuclear_eclipse	;)	21:46
dhx1	LiquidWorm: we're ready for the advisories now :)	21:46
dhx1	nuclear_eclipse: thanks for pushing this tarball through	21:47
nuclear_eclipse	np	21:47
LiquidWorm	thanks	21:47
LiquidWorm	:D	21:47
dhx1	one day I have to set myself up with SF access, etc	21:47
LiquidWorm	good job	21:47
LiquidWorm	is http://www.mantisbt.org/bugs/view.php?id=12607 viewable now ?	21:47
dhx1	clickety, now it is	21:48
*** Quits: siebrand (~beis@535392CA.cm-6-4c.dynamic.ziggo.nl) (Ping timeout: 276 seconds)		21:48
LiquidWorm	oh my	21:50
*** Joins: alcidae (~ferris@c-68-38-222-142.hsd1.nj.comcast.net)		21:54
alcidae	Hello, I have a couple of quick questions if someone would be so kind. 1) Can you set the minimum threshold for input of a builtin field like Priority to someone higher than Reporter. I know you can do it for custom fields but don't see where to do it for builtins.	21:57
alcidae	and 2) Can you set a default assignee per category for each project so it does not always need to be manually assigned? Thanks in advance.	21:58
nuclear_eclipse	alcidae: you can't change thresholds for most of the builtin fields	22:00
nuclear_eclipse	you can assign a user to each category though, and it will auto-assign the issue to that user if the reporter has not already assigned someone to the issue	22:01
LiquidWorm	it is done :)	22:01
LiquidWorm	thanks	22:01
dhx1	LiquidWorm: bugtraq?	22:02
alcidae	nuclear_eclipse: assign a user to a category? OK.	22:02
LiquidWorm	yes, bugtraq2@ :)	22:03
dhx1	LiquidWorm: cheers :)	22:03
LiquidWorm	cheers!	22:04
alcidae	nuclear_eclipse: I was drawing the same conclusion about thresholds for builtins. As far as assigning a category, just to clarify : if a reporter does not assign then it will be automatically assigned to the user for that category ?	22:08
nuclear_eclipse	yes	22:09
alcidae	nuclear_eclipse: Great. One last question, will the assignee always get an email or can the assignee turn this off through their own profile (I'd rather they be unable to disable this)?	22:13
nuclear_eclipse	tbh I'm not 100% sure	22:14
nuclear_eclipse	email notification seems to be one of the iffy portions of mantisbt	22:14
*** Quits: LiquidWorm (~jox@92.53.11.102) (Read error: Connection reset by peer)		22:15
*** Joins: LiquidWorm (~jox@92.53.11.102)		22:22
alcidae	nuclear_eclipse: I think that I will have to go test with a (test) developer account to see what can be turned off when $g_default_email_on_assigned = ON;	22:28
*** Joins: micahg (~micah@ubuntu/member/micahg)		22:41
*** Quits: LiquidWorm (~jox@92.53.11.102) ()		22:46
*** Parts: alcidae (~ferris@c-68-38-222-142.hsd1.nj.comcast.net)		22:47
*** Quits: micahg (~micah@ubuntu/member/micahg) (Ping timeout: 255 seconds)		22:59
dhx1	nuclear_eclipse: channel title? :)	23:01
*** Joins: micahg (~micah@ubuntu/member/micahg)		23:36

Generated by irclog2html.py 2.9.2 by Marius Gedminas - find it at mg.pov.lt!