| changeset | 4184173d364f |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | John Rouillard <rouilj@ieee.org> |
| description | bug: make web page follow login_empty_passwords setting. Remove the required attribute from password input in the html templates if login_empty_passwords is enabled in config.ini. Also document in upgrading.txt. |
| files | |
| changeset | 15a92b0a9b79 |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | John Rouillard <rouilj@ieee.org> |
| description | fix: make user_src_input generate valid javascript user_src_input used to generate False if edit_ok == False in this statement: tal:attributes="onblur python:edit_ok and 'split_name(this)'; but False isn't a boolean in javascript, so it throws an error in the console. Changed to use: tal:attributes="onblur python:'split_name(this)' if edit_ok else ''; which generates an empty onblur if the field is not editable. |
| files | |
| changeset | 4ac0bbb3e440 |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | John Rouillard <rouilj@ieee.org> |
| description | bug(security): CVE-2025-53865 - XSS bug Extensive fixes in devel, responsive templates known to be exploitable. Similar constructs in classic and minimal templates not known to be exploitable, but changed anyway. doc/upgrading.txt: Reformat to 66 characters. Update with assigned CVE number. Add section on fixing tal:replace with unsafe data. Document analysis and assumptions in comment in file. doc/security.txt: Update with CVE number. |
| files | |
| changeset | 2bf0c4e7795e |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | John Rouillard <rouilj@ieee.org> |
| description | fix: issue2551390 - Replace text input/calendar popup with native date input Docs, code and test changes for the changeover to a native date element. See issue for details. |
| files | |
| changeset | 0e382e97f0e3 |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | John Rouillard <rouilj@ieee.org> |
| description | fix: disable spellchecking for password fields Some browsers can send passwords to a server for spellchecking. This gives the browser a strong hint that it should not spellcheck a password. Since a password is not supposed to be a real word in any language, spellchecking is worthless. |
| files | |
| changeset | a27f30709d46 |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | John Rouillard <rouilj@ieee.org> |
| description | fix: duplicate password id generated for user.item.html Fix the user_confirm_input macro at the end of html/page.html to modify the id so it doesn't duplicate the one used for the regular password. |
| files | |
| changeset | d067b089b90b |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | John Rouillard <rouilj@ieee.org> |
| description | Make username/password required in login form On the login form, require both password and login name. Neither can be empty. Adding required to both input fields will invoke browser validation (where available) indicating a problem when logging in. |
| files | |
| changeset | e2378b6afdb5 |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | John Rouillard <rouilj@ieee.org> |
| description | Fix issue2551041 - change permission check from "Create User" to "Register User" in page.html for the responsive and devel templates. (reporter Cédric Krier) |
| files | |
| changeset | 4a157824f933 |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | John Rouillard <rouilj@ieee.org> |
| description | changes to try to deploy anti-csrf defense to other templates. |
| files | |
| changeset | 882fa4d9bead |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | John Rouillard <rouilj@ieee.org> |
| description | issue2550795: @dispname query args in page.html search links not valid html. Some queries with names that include spaces are not properly url encoded/quoted, i.e. a space should be replaced with %20. Fixes to allow a url_query method to be applied to HTMLStringProperty to properly quote string values passed as part of a url. |
| files | |
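As an added example of the quoting this change describes (this is illustrative code, not roundup's url_query method or HTMLStringProperty): a query value such as a saved query's @dispname that contains spaces is percent-encoded before it goes into the link, and the finished URL is then HTML-escaped separately when it is placed in an href attribute. The function names build_search_href, search_link_html and is_valid_url_chars, and the sample parameters, are this example's own assumptions.

```python
import html
from urllib.parse import quote

# Added example, not roundup's code. Builds index/search links whose
# query values may contain spaces or other characters that are invalid
# unencoded in a URL or an HTML attribute.

def url_quote_value(value: str) -> str:
    """Percent-encode one query value: a space becomes %20.
    safe='' so that '/', '+' and ',' are encoded as well."""
    return quote(str(value), safe='')

def build_search_href(base_path: str, params: dict) -> str:
    """Return a URL with every parameter value percent-encoded.
    Parameter names such as '@dispname' are kept literal: '@' is valid
    in a query string and roundup uses it that way."""
    query = '&'.join(f'{name}={url_quote_value(value)}'
                     for name, value in params.items())
    return f'{base_path}?{query}'

def search_link_html(base_path: str, params: dict, label: str) -> str:
    """Emit an <a> element. URL quoting and HTML escaping are separate
    layers: the '&' joining parameters must still become '&amp;' inside
    the attribute, and the visible label is escaped as text."""
    href = html.escape(build_search_href(base_path, params), quote=True)
    return f'<a href="{href}">{html.escape(label)}</a>'

def is_valid_url_chars(url: str) -> bool:
    """True when the URL contains none of the characters that may not
    appear raw in a URL (space, double quote, '<', '>')."""
    return not any(ch in url for ch in ' "<>')

if __name__ == '__main__':
    # Constructed sample: a saved query whose display name has spaces.
    params = {'@dispname': 'my open bugs', '@columns': 'id,title',
              '@sort': '-activity'}
    print(build_search_href('issue', params))
    print(search_link_html('issue', params, 'my open bugs'))
```

The unquoted form `issue?@dispname=my open bugs` fails the is_valid_url_chars check; the quoted form passes, and the `&amp;` in the rendered attribute is what makes the markup valid HTML rather than merely a working link.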
| changeset | 602d544e3a93 |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | John Rouillard <rouilj@ieee.org> |
| description | fixing some mismatched patches/patch references that I borked in a prior checkin. Patch support was not and still is not working. But at least this tracker runs without errors with demo.py -t devel, just missing features. |
| files | |
| changeset | ce5512002629 |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | John Rouillard <rouilj@ieee.org> |
| description | merge from upstream |
| files | |
| changeset | 85eee1f236b2 |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | John Rouillard <rouilj@ieee.org> |
| description | I had an incorrect fix for issue2550601. Changed schema to define class patches not patch. Changed commented out patches section in bug.item.html to use patches-1 and not patch-1 as a result of schema changes. The show open Milestones link had a leak of the @group value. If you clicked on show open tasks or show open bugs they group by priority. The url being formed for show open milestones was inheriting the @group if you were on an index page for bugs or milestones. Explicitly setting the @group to status (which a milestone does have) prevents the @group=priority from being applied to a milestone index page, which results in a red error banner stating priority is an invalid param for milestones. ./demo.py -t devel now runs without obvious breakage. |
| files | |
| changeset | 894aa07be6cb |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | John Rouillard <rouilj@ieee.org> |
| description | issue2550785: Using login from search (or logout) fails. when logging in from a search page or after a logout it fails with an error. The fix also keeps the user on the same page they started from (e.g. search results) before the login. There are two parts to this: 1) changes to the templates to properly define the __came_from form element. 2) code changes to the LoginAction code in roundup/cgi/actions.py. New test code added. Needed some additional functions from urllib so urllib_.py got a change. |
| files | |
| changeset | ca692423e401 |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | Ralf Schlatterbeck <rsc@runtux.com> |
| description | Different approach to fix XSS in issue2550817 Encapsulate the error/ok message append method as add_ok_message and add_error_message. The new approach escapes the messages when appending -- at a point in the code where we still know where the message comes from. Escaping is the default but can be turned off. This also fixes issue2550836 where certain messages may contain links. Another advantage of the new fix is that users don't need to change installed trackers and are secure by default. |
| files | |
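As an added example (illustrative code, not roundup's client object or templates) of the secure-by-default design this changeset describes, and of the same point the CVE-2025-53865 changeset makes about tal:replace with unsafe data: untrusted text is escaped at the moment it is appended, when the code still knows where it came from, while the template inserts the stored messages as structure. The class name MessageClient, the `escape` keyword argument, render_messages() and item_created_message() are this example's own assumptions; only the method names add_ok_message and add_error_message come from the commit message.

```python
import html

# Added example, not roundup's code. A minimal stand-in for the object
# that collects the ok/error messages shown at the top of a page.

class MessageClient:
    def __init__(self):
        self._ok = []
        self._error = []

    def add_ok_message(self, message: str, escape: bool = True) -> None:
        """Escape here, where the caller knows whether the text is trusted.
        escape=False is for messages built from constants or from already
        escaped fragments (for example a link to a newly created item)."""
        self._ok.append(html.escape(message, quote=True) if escape else message)

    def add_error_message(self, message: str, escape: bool = True) -> None:
        self._error.append(html.escape(message, quote=True) if escape else message)

    def render_messages(self) -> str:
        """Template side: messages are inserted verbatim, the equivalent of
        tal:content="structure ...". That is safe only because escaping
        already happened at append time."""
        parts = [f'<p class="ok-message">{m}</p>' for m in self._ok]
        parts += [f'<p class="error-message">{m}</p>' for m in self._error]
        return '\n'.join(parts)

def item_created_message(classname: str, nodeid: str, title: str) -> str:
    """A message that legitimately contains markup (a link), the case from
    issue2550836: escape the user-controlled parts yourself, then append
    the result with escape=False."""
    href = html.escape(f'{classname}{nodeid}', quote=True)
    return (f'{html.escape(classname)} <a href="{href}">'
            f'{html.escape(title)}</a> created')

def demo() -> str:
    client = MessageClient()
    # Constructed attacker-controlled input, e.g. a reflected form value.
    client.add_error_message('Invalid value: <script>alert(1)</script>')
    # Trusted markup with its untrusted parts escaped in advance.
    client.add_ok_message(
        item_created_message('issue', '42', 'Fix <b>bold</b> bug'),
        escape=False)
    return client.render_messages()

if __name__ == '__main__':
    print(demo())
```

The same rule is what the tal:replace advice comes down to: a template may only insert a value as structure when the thing that produced it has already escaped every untrusted part; otherwise use the escaping form of tal:replace or tal:content.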
| changeset | 24b8011cd2dc |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | Ralf Schlatterbeck <rsc@runtux.com> |
| description | Fix XSS in issue2550817 Note that the code that triggers that particular bug is no longer in roundup core. But the change to the templates we suggest is a *lot* safer as it always escapes the error and ok messages now. If you are upgrading: you *MUST* read doc/upgrading.txt and do the necessary changes to your templates, the escaping now happens in the template and not in the roundup code. So if you don't make the necessary changes *you are vulnerable*. |
| files | |
| changeset | 9d5825bf0b2d |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | Ralf Schlatterbeck <rsc@runtux.com> |
| description | Nicer display of multi-line error messages. |
| files | |
| changeset | 97b6ff11571b |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | Stefan Seefeld <stefan@seefeld.name> |
| description | Fix keyword expression editor for 'devel' tracker template. |
| files | |
| changeset | f1fe6fd0aa61 |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | Bernhard Reiter <Bernhard.Reiter@intevation.de> |
| description | Multilinks can be filtered by combining elements with AND, OR and NOT now. A javascript gui was added for "keywords", see issue2550648. Developed by Sascha Teichmann; funded by Intevation. (Bernhard Reiter) |
| files | |
| changeset | b419f29b1e2f |
|---|---|
| branch | |
| bookmark | |
| tag | |
| user | Stefan Seefeld <stefan@seefeld.name> |
| description | Add new tracker template. |
| files | |
| changeset | e4a166b5ac2d |
|---|---|
| branch | gsoc-2009 |
| bookmark | |
| tag | |
| user | Stefan Seefeld <stefan@seefeld.name> |
| description | Fix validity issue. |
| files | |
| changeset | 115e9883311e |
|---|---|
| branch | gsoc-2009 |
| bookmark | |
| tag | |
| user | Stefan Seefeld <stefan@seefeld.name> |
| description | Add new tracker template sandbox. |
| files | |