Roland Mas [Wed, 17 Apr 2013 09:53:15 +0000 (11:53 +0200)]
Handle PHP 5.1's restricted setcookie()
Roland Mas [Wed, 17 Apr 2013 09:37:13 +0000 (11:37 +0200)]
Reinstate 'invalid password' message
Franck Villaume [Mon, 15 Apr 2013 21:41:23 +0000 (23:41 +0200)]
fix #428: latest-zip does not increment download stats
Franck Villaume [Mon, 15 Apr 2013 20:00:06 +0000 (22:00 +0200)]
apply #533: improve activity display: final merge
Franck Villaume [Sun, 14 Apr 2013 18:14:32 +0000 (20:14 +0200)]
partial apply #533: improve the display
Franck Villaume [Sun, 14 Apr 2013 17:58:18 +0000 (19:58 +0200)]
apply #543: fix licence, fix rss display
Franck Villaume [Sat, 6 Apr 2013 18:39:17 +0000 (20:39 +0200)]
fix #447: setStatus does not check the correct user for permission, add missing default value in config files
Thorsten Glaser [Mon, 25 Mar 2013 16:15:31 +0000 (17:15 +0100)]
(mostly) Merge branch 'Branch_5_1' into Branch_5_2
Conflicts:
src/common/include/session.php
⇒ someone *MUST* look at this, I think this couldn’t really work
Thorsten Glaser [Mon, 25 Mar 2013 15:57:19 +0000 (16:57 +0100)]
Merge branch 'Branch_5_2' of git+ssh://scm.fusionforge.org//var/lib/gforge/chroot/scmrepos/git/fusionforge/fusionforge into Branch_5_2
Thorsten Glaser [Mon, 25 Mar 2013 14:30:54 +0000 (15:30 +0100)]
oops, use raw octet HMAC output (for size reasons)
this does work as tested on CentOS 5 (php-cli-5.1.6-39.el5_8)…
Thorsten Glaser [Mon, 25 Mar 2013 14:09:58 +0000 (15:09 +0100)]
remove commented-out EvolvisForge compat stuff
Thorsten Glaser [Mon, 25 Mar 2013 13:50:29 +0000 (14:50 +0100)]
SECURITY: use HMAC-SHA256 (for now) to protect the session cookie
NOTE: after installing this patch, it is *vital* to change your
forge_get_config('session_key') because you *MUST* assume that
the old value is insecure and/or has been leaked!
Thorsten Glaser [Mon, 25 Mar 2013 13:08:54 +0000 (14:08 +0100)]
make this closer to the code in EvolvisForge (should be no change)
everything that would change FF behaviour is commented out atm
Thorsten Glaser [Mon, 25 Mar 2013 13:01:43 +0000 (14:01 +0100)]
merge from Evolvis: for session_set_admin use the lowest-uid one
instead of impersonating a random person who’s got forge admin rights
Thorsten Glaser [Mon, 25 Mar 2013 13:01:05 +0000 (14:01 +0100)]
merge from Evolvis: better session_redirect()
Thorsten Glaser [Mon, 25 Mar 2013 12:50:18 +0000 (13:50 +0100)]
emit a newline after the warning
Thorsten Glaser [Mon, 25 Mar 2013 12:36:59 +0000 (13:36 +0100)]
merge from Evolvis: group home permission changes
• fallback if /usr/share/gforge/lib/private_default_page.php does
not exist
• change index file and incoming directory to be group-writable
(with sgid bit set) by default, to be actually useful
Thorsten Glaser [Mon, 25 Mar 2013 12:36:15 +0000 (13:36 +0100)]
merge from Evolvis: some more variables and compat functions
Thorsten Glaser [Mon, 25 Mar 2013 12:30:58 +0000 (13:30 +0100)]
SudoEffectiveUser needs unix_name, not uid, of the target
unbreaks group homedir creation for the n-th time
Thorsten Glaser [Mon, 25 Mar 2013 12:11:56 +0000 (13:11 +0100)]
revert most of the CVE patch and “do it right”
directly after creating the new group home directory, as root,
there is no race that can appear due to *users* creating stuff
inside, so do not account for it; also make this code legible
Roland Mas [Sun, 24 Mar 2013 13:35:59 +0000 (13:35 +0000)]
Fixed permissions for Git repositories created before anonscm is enabled
Roland Mas [Tue, 19 Mar 2013 13:59:59 +0000 (14:59 +0100)]
Merged from 5.1
Roland Mas [Tue, 19 Mar 2013 13:55:13 +0000 (13:55 +0000)]
Fixed syntax error
Franck Villaume [Mon, 18 Mar 2013 19:17:37 +0000 (20:17 +0100)]
widget: fix survey widget when project does not use survey
Franck Villaume [Sun, 17 Mar 2013 16:36:33 +0000 (17:36 +0100)]
RBAC: fix tracker & task check
Franck Villaume [Sun, 17 Mar 2013 15:37:41 +0000 (16:37 +0100)]
scmsvn: fix svn repo create
Roland Mas [Tue, 12 Mar 2013 12:38:38 +0000 (13:38 +0100)]
Another fix for project creation
Roland Mas [Tue, 12 Mar 2013 10:38:45 +0000 (11:38 +0100)]
Fixed project creation
Franck Villaume [Sun, 10 Mar 2013 12:59:28 +0000 (13:59 +0100)]
tracker: fix redirect when click on admin link
db: fix warning
Franck Villaume [Sat, 9 Mar 2013 18:15:51 +0000 (19:15 +0100)]
fix #497: Number of pending projects miscounted/misleading on site admin tab
Franck Villaume [Sat, 9 Mar 2013 17:48:54 +0000 (18:48 +0100)]
fix #527: unable to delete project when use_forum = no in config.ini
Franck Villaume [Sat, 9 Mar 2013 16:33:56 +0000 (17:33 +0100)]
fix #528: complains about forums when creating mailing-list even if forum tool is deactivated
Franck Villaume [Wed, 6 Mar 2013 19:45:56 +0000 (20:45 +0100)]
docman: fix missing )
Franck Villaume [Wed, 6 Mar 2013 19:45:21 +0000 (20:45 +0100)]
fix scm session rights check and redirect
Thorsten Glaser [Mon, 4 Mar 2013 08:34:37 +0000 (09:34 +0100)]
use correct JSON encoding
Franck Villaume [Sun, 3 Mar 2013 16:31:14 +0000 (17:31 +0100)]
fix copyrights
Franck Villaume [Sun, 3 Mar 2013 16:27:20 +0000 (17:27 +0100)]
fix #546: Protect apostrophe in a directory name in docman, patch from French Ministry of National Education
Thorsten Glaser [Thu, 28 Feb 2013 13:19:24 +0000 (14:19 +0100)]
merge fix from EvolvisForge
revno: 10310
committer: Thorsten Glaser <t.glaser@tarent.de>
branch nick: tarent-5.1
timestamp: Fri 2012-01-20 16:10:48 +0100
message:
fix DTD: accidentally deleted a href too much
Thorsten Glaser [Thu, 28 Feb 2013 13:14:50 +0000 (14:14 +0100)]
move www/DTD/ to common/DTD/ like I did in EvolvisForge
otherwise, this will merge-conflict in git Every. Single. Time. Gah!
Thorsten Glaser [Thu, 28 Feb 2013 12:47:28 +0000 (13:47 +0100)]
bump year
Roland Mas [Wed, 27 Feb 2013 08:52:14 +0000 (09:52 +0100)]
Marked the merge
Roland Mas [Wed, 27 Feb 2013 08:52:01 +0000 (09:52 +0100)]
Merged from 5.1
Roland Mas [Wed, 27 Feb 2013 08:49:33 +0000 (09:49 +0100)]
Marked the merge
Roland Mas [Wed, 27 Feb 2013 08:44:54 +0000 (09:44 +0100)]
Merged from 5.1
Thorsten Glaser [Wed, 27 Feb 2013 08:33:16 +0000 (09:33 +0100)]
use util_randbytes() to get six random bytes
it’s computationally, and on the kernel pool, much cheaper than
openssl_random_pseudo_bytes() which initialises the OpenSSL pool,
which eats more bytes from the kernel pool
Thorsten Glaser [Wed, 27 Feb 2013 08:26:55 +0000 (09:26 +0100)]
use posix_initgroups() to get the user’s group vector
calling 'su' inside createUserRepo() isn’t going to work because
that function is already run with reduced privileges; instead,
if the old user is root use posix_initgroups() to switch the
group vector to the new user’s and restore root’s later (if the
old user is not root, we have no way to do that anyway as, in
my tests, posix_initgroups() only works if the current EUID is
0); posix_getgroups() can be used to save the old group list,
but there is no posix_setgroups(), so we need to use this way
Roland Mas [Tue, 26 Feb 2013 16:35:35 +0000 (17:35 +0100)]
Fixed logic
Roland Mas [Tue, 26 Feb 2013 16:34:53 +0000 (17:34 +0100)]
Fixed logic
Roland Mas [Tue, 26 Feb 2013 15:52:50 +0000 (16:52 +0100)]
Obtain user's extra groups so as to be able to chgrp
Roland Mas [Tue, 26 Feb 2013 15:48:01 +0000 (16:48 +0100)]
Obtain user's extra groups so as to be able to chgrp
Roland Mas [Tue, 26 Feb 2013 10:55:47 +0000 (11:55 +0100)]
Better integration of nscd in the testsuite
Roland Mas [Tue, 26 Feb 2013 10:00:44 +0000 (11:00 +0100)]
Fixes to chown/chgrp invocations
Thorsten Glaser [Mon, 25 Feb 2013 10:05:14 +0000 (11:05 +0100)]
missing return value in non-void function
Thorsten Glaser [Mon, 25 Feb 2013 09:56:00 +0000 (10:56 +0100)]
I think is_file("$main_repo/HEAD") gives a warning if !is_dir($main_repo)
Thorsten Glaser [Mon, 25 Feb 2013 09:54:54 +0000 (10:54 +0100)]
Merge branch 'Branch_5_1' of git+ssh://scm.fusionforge.org//var/lib/gforge/chroot/scmrepos/git/fusionforge/fusionforge into Branch_5_1
Thorsten Glaser [Mon, 25 Feb 2013 09:53:21 +0000 (10:53 +0100)]
handle case where $main_repo already exists but is no git repo
(there are still two things: mktemp -d might fail, in which case
we regress to the previous behaviour, and after the check the
$main_repo can come to exist before the mv, with the same outcome,
but since we do check the return value of the mv…)
Roland Mas [Mon, 25 Feb 2013 09:45:41 +0000 (10:45 +0100)]
Fixed syntax of permissions for chmod
Roland Mas [Mon, 25 Feb 2013 09:44:53 +0000 (10:44 +0100)]
Fixed syntax of permissions for chmod
Franck Villaume [Sun, 24 Feb 2013 13:06:25 +0000 (14:06 +0100)]
scmsvn: fix display activity by default
Roland Mas [Sun, 24 Feb 2013 09:35:46 +0000 (10:35 +0100)]
SECURITY: Avoid attacks with symbolic or hard links that could lead to
privilege escalation (CVE-2013-1423). Thanks to Helmut Grohne for the
initial report and help in preparing the fix.
Roland Mas [Sun, 24 Feb 2013 09:35:33 +0000 (10:35 +0100)]
SECURITY: Avoid attacks with symbolic or hard links that could lead to
privilege escalation (CVE-2013-1423). Thanks to Helmut Grohne for the
initial report and help in preparing the fix.
Franck Villaume [Fri, 22 Feb 2013 10:34:04 +0000 (11:34 +0100)]
projects-hierarchy: fix display child project name & do not permit multiple fathers
Franck Villaume [Tue, 19 Feb 2013 18:41:19 +0000 (19:41 +0100)]
Branch_5_2: widgets: fix availability based on patch from French Ministry of education
Roland Mas [Fri, 15 Feb 2013 08:49:13 +0000 (09:49 +0100)]
Refreshed gettext files to update line numbers in es.po
Roland Mas [Fri, 15 Feb 2013 08:47:16 +0000 (09:47 +0100)]
Spanish translation update by Jose Angel Diaz Diaz <joseangel.diaz@cenatic.es>
Thorsten Glaser [Thu, 14 Feb 2013 09:32:08 +0000 (10:32 +0100)]
Merge branch 'Branch_5_1' into Branch_5_2
Conflicts:
src/www/tracker/tracker.php
Roland Mas [Wed, 13 Feb 2013 17:58:10 +0000 (17:58 +0000)]
Fix problem where updating an artifact would disable monitoring of this artifact for some users
Roland Mas [Tue, 12 Feb 2013 15:24:02 +0000 (16:24 +0100)]
Refreshed gettext files
Roland Mas [Tue, 12 Feb 2013 14:57:20 +0000 (15:57 +0100)]
Disable nscd during testsuite on Debian
Franck Villaume [Sun, 10 Feb 2013 10:09:03 +0000 (11:09 +0100)]
docman: fix tree, patch from French Ministry of Education
Thorsten Glaser [Thu, 7 Feb 2013 17:03:55 +0000 (18:03 +0100)]
unbreak rendering RSS of group news
Olivier Berger [Fri, 19 Oct 2012 20:26:16 +0000 (22:26 +0200)]
Try normalizing to LF for PHP files
Olivier Berger [Fri, 19 Oct 2012 20:22:40 +0000 (22:22 +0200)]
Test removing .php stanzas from .gitattributes
Roland Mas [Mon, 28 Jan 2013 16:09:42 +0000 (17:09 +0100)]
Contentless merge from 5.1
Roland Mas [Mon, 28 Jan 2013 16:06:21 +0000 (17:06 +0100)]
Hand-merge from 5.1: fixes to Unix accounts and Debian-specific script
Roland Mas [Mon, 28 Jan 2013 15:59:15 +0000 (16:59 +0100)]
Cosmetic commit to check whether I can still push to git
Roland Mas [Mon, 28 Jan 2013 15:17:46 +0000 (15:17 +0000)]
Allow planning tasks up to 2038
Thorsten Glaser [Wed, 23 Jan 2013 10:31:18 +0000 (11:31 +0100)]
deleted unix accounts are 'D', not 'N', just like regular statūs
Thorsten Glaser [Wed, 23 Jan 2013 10:16:22 +0000 (11:16 +0100)]
improve compression ratio
Thorsten Glaser [Wed, 23 Jan 2013 10:14:08 +0000 (11:14 +0100)]
SECURITY: do not make homedir archives of deleted users world-readable
Thorsten Glaser [Wed, 23 Jan 2013 10:13:38 +0000 (11:13 +0100)]
make this a bit more legible and fix one case of indentation
Franck Villaume [Sat, 19 Jan 2013 12:34:17 +0000 (13:34 +0100)]
prepare 5.2.1
Franck Villaume [Sat, 19 Jan 2013 12:21:25 +0000 (13:21 +0100)]
prepare 5.1.2
Roland Mas [Thu, 10 Jan 2013 07:55:06 +0000 (08:55 +0100)]
Backport from trunk: deleted reference to buildbot3
Roland Mas [Thu, 10 Jan 2013 07:54:07 +0000 (08:54 +0100)]
Backport from trunk: deleted reference to buildbot3
Thorsten Glaser [Mon, 7 Jan 2013 08:14:42 +0000 (09:14 +0100)]
remove trailing ?>
Roland Mas [Fri, 4 Jan 2013 16:46:07 +0000 (17:46 +0100)]
Added missing functions
Roland Mas [Fri, 4 Jan 2013 16:37:12 +0000 (17:37 +0100)]
Fixed display of related tasks
Roland Mas [Fri, 4 Jan 2013 16:37:12 +0000 (17:37 +0100)]
Fixed display of related tasks
Roland Mas [Fri, 4 Jan 2013 15:10:47 +0000 (15:10 +0000)]
[#522] Patch by Franck Villaume to fix behaviour of mailing lists in Debian
Franck Villaume [Sun, 30 Dec 2012 15:06:26 +0000 (16:06 +0100)]
merge Branch_5_1
Franck Villaume [Sun, 30 Dec 2012 14:52:01 +0000 (15:52 +0100)]
fix path
Thorsten Glaser [Sat, 29 Dec 2012 17:37:08 +0000 (18:37 +0100)]
Merge branch 'Branch_5_1' into Branch_5_2
Thorsten Glaser [Sat, 29 Dec 2012 17:35:58 +0000 (18:35 +0100)]
fix updating and purging svnserve from inetd.conf (also, piuparts)
fun fact of the day: update-inetd --remove does *not* accept a
full ENTRY argument, it only takes the SERVICE
Thorsten Glaser [Sat, 29 Dec 2012 17:26:20 +0000 (18:26 +0100)]
use forge_get_config to get the chroot path
grepping for ^gforge_config= in /etc/gforge/gforge.conf in 4.8
was correct; changing this to /etc/fusionforge/fusionforge.conf
in 5.1 wasn’t as the latter file doesn’t contain this entry, and
we’re using forge_get_config nowadays anyway
also remove erroneously empty inetd.conf lines generated on all
systems that were installed during existence of this bug (like
freewrt.org for example)
Thorsten Glaser [Fri, 21 Dec 2012 16:00:14 +0000 (17:00 +0100)]
Merge branch 'Branch_5_1' into Branch_5_2
Thorsten Glaser [Fri, 21 Dec 2012 15:54:50 +0000 (16:54 +0100)]
add mksh(1) script to make some or all mailing lists private
with remote option ☺
Thorsten Glaser [Mon, 17 Dec 2012 18:02:13 +0000 (19:02 +0100)]
Merge branch 'Branch_5_1' into Branch_5_2
(pretty much automated, untested)
Thorsten Glaser [Mon, 17 Dec 2012 16:23:24 +0000 (17:23 +0100)]
Do not trust SimplePie for purifying HTML
This fixes an injection of invalid XHTML vulnerability which I do
not believe to constitute a user security hole, as SimplePie does
strip <script> tags, in the Codendi RSS widget, cf. #696179
Alain Peyrat [Mon, 3 Dec 2012 19:54:03 +0000 (20:54 +0100)]
Apply [#440] CSS Conflict between ViewVC and FusionForge by Jean-Christophe Masson