View Issue Details

ID: 0027284
Project: mantisbt
Category: plug-ins
View Status: public
Last Update: 2020-09-25 14:53
Reporter: d3vpoo1
Assigned To: dregad
Priority: normal
Severity: minor
Reproducibility: always
Status: closed
Resolution: fixed
Platform: Windows
OS: Windows
OS Version: Windows
Target Version: 2.24.3
Fixed in Version: 2.24.3
Summary: 0027284: Priority can override to any positive integer
Description

The priority selections are just 5, 4, 3, 2, 1; however, this issue allows me to add a new priority value.

Steps To Reproduce
  • Log in with an admin account
  • Go to manage > manage plugin
  • Make sure you install any plugin, update any priority
  • Open intercept
  • Update it

Request

POST /mantisbt2/manage_plugin_update.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 292
Origin: http://localhost
Connection: close
Referer: http://localhost/mantisbt2/manage_plugin_page.php
Cookie: MANTIS_collapse_settings=|sidebar:0; MANTIS_PROJECT_COOKIE=1; MANTIS_VIEW_ALL_COOKIE=2; PHPSESSID=tg09rel94h819lbrn071r2sqe2; MANTIS_secure_session=0; MANTIS_STRING_COOKIE=7a01c128bae97499b78c1a52329936977c062961f7d9b57cd3d18980fdccc896; MANTIS_BUG_LIST_COOKIE=11%2C10
Upgrade-Insecure-Requests: 1

manage_plugin_update_token=202009134ILfxKUHaW2AQX8cGjxI3vbeLyv9In4C&change_Gravatar=1&priority_Gravatar=4&change_XmlImportExport=1&priority_XmlImportExport=4&change_MantisGraph=1&priority_MantisGraph=5&change_MantisCore=1&change_MantisCoreFormatting=1&priority_MantisCoreFormatting=4294967295

Response

HTTP/1.1 302 Found
Date: Sun, 13 Sep 2020 04:42:46 GMT
Server: Apache/2.4.41 (Win64) OpenSSL/1.0.2s PHP/7.1.33
X-Powered-By: PHP/7.1.33
Cache-Control: no-store, no-cache, must-revalidate
Last-Modified: Sun, 13 Sep 2020 04:42:46 GMT
Set-Cookie: MANTIS_collapse_settings=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
X-Content-Type-Options: nosniff
Expires: Sun, 13 Sep 2020 04:42:46 GMT
X-Frame-Options: DENY
Content-Security-Policy: default-src 'self'; frame-ancestors 'none'; style-src 'self' 'unsafe-inline'; script-src 'self'; img-src 'self' 'self' data:
Location: http://localhost/mantisbt2/manage_plugin_page.php
Vary: Accept-Encoding
Content-Length: 0
Connection: close
Content-Type: text/html; charset=utf-8

  • Refresh the site and you can see a large number rendered in the select
Tags: No tags attached.

Relationships

related to 0024336 (closed, atrol): Plugin priority changed without being changed by user interaction

Activities

d3vpoo1

2020-09-13 00:45

reporter  

override.png (33,411 bytes)   
dregad

2020-09-18 19:09

developer   ~0064447

Bug is confirmed (since release 1.2.0a1); consequences are minor, as the only impact is changing the order in which plugins are registered.

dregad

2020-09-18 19:16

developer   ~0064448

PR https://github.com/mantisbt/mantisbt/pull/1700

Related Changesets

MantisBT: master-2.24 fe3a91cb

2020-09-18 13:00:24

dregad

Plugin update: validate Priority parameter

Plugin Priority must be a number from 1 to 5. Trigger an error if
the parameter's value is outside of that range.

Fixes 0027284
Affected Issues
0027284
mod - manage_plugin_update.php
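
A stand-alone sketch of the server-side check the changeset message describes (priority must be a number from 1 to 5, otherwise the update is refused), added here as an example and not taken from MantisBT's code. The function name `validate_plugin_priorities()`, the constants, the plugin names `Example` and `Other`, and the sample body are assumptions; the body is constructed from the field names in the request above.

```php
<?php
// Added example: range-check every priority_<plugin> field of a posted form body.
// Names and sample data are constructed for illustration, not MantisBT code.

const PRIORITY_MIN = 1;
const PRIORITY_MAX = 5;

/**
 * Returns [accepted, rejected]:
 *   accepted: plugin name => validated int priority
 *   rejected: plugin name => raw submitted value
 */
function validate_plugin_priorities( string $body ): array {
    parse_str( $body, $fields );
    $accepted = [];
    $rejected = [];
    foreach( $fields as $name => $value ) {
        if( strpos( $name, 'priority_' ) !== 0 ) {
            continue; // CSRF token, change_* flags, etc.
        }
        $plugin = substr( $name, strlen( 'priority_' ) );
        // FILTER_VALIDATE_INT returns false for non-integers, for arrays
        // (priority_X[]=1) and for integers outside min_range..max_range.
        $priority = filter_var( $value, FILTER_VALIDATE_INT, [
            'options' => [ 'min_range' => PRIORITY_MIN, 'max_range' => PRIORITY_MAX ],
        ] );
        if( $priority === false ) {
            $rejected[$plugin] = $value;
        } else {
            $accepted[$plugin] = $priority;
        }
    }
    return [ $accepted, $rejected ];
}

// Constructed body shaped like the request in this report (token omitted).
$body = 'change_Gravatar=1&priority_Gravatar=4'
      . '&change_MantisGraph=1&priority_MantisGraph=5'
      . '&change_MantisCoreFormatting=1&priority_MantisCoreFormatting=4294967295'
      . '&priority_Example=0&priority_Other=3abc';

[ $accepted, $rejected ] = validate_plugin_priorities( $body );
if( $rejected ) {
    // Refuse the whole update instead of clamping or saving a partial set.
    foreach( $rejected as $plugin => $raw ) {
        echo "Invalid priority for $plugin: " . var_export( $raw, true ) . "\n";
    }
    exit( 1 );
}
print_r( $accepted );
```

With the constructed body, `MantisCoreFormatting`, `Example` and `Other` are rejected and nothing is saved; the select list in the UI only constrains what a browser offers, so the range has to be enforced where the POST is handled.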

Issue History

Date Modified Username Field Change
2020-09-13 00:45 d3vpoo1 New Issue
2020-09-13 00:45 d3vpoo1 File Added: override.png
2020-09-17 07:21 dregad Status new => acknowledged
2020-09-18 19:09 dregad Assigned To => dregad
2020-09-18 19:09 dregad Status acknowledged => assigned
2020-09-18 19:09 dregad Category ui => plug-ins
2020-09-18 19:09 dregad Product Version 2.24.2 =>
2020-09-18 19:09 dregad Target Version => 2.24.3
2020-09-18 19:09 dregad Steps to Reproduce Updated
2020-09-18 19:09 dregad Note Added: 0064447
2020-09-18 19:15 dregad View Status private => public
2020-09-18 19:16 dregad Note Added: 0064448
2020-09-19 16:10 atrol Relationship added related to 0024336
2020-09-25 13:27 dregad Changeset attached => MantisBT master-2.24 fe3a91cb
2020-09-25 13:27 dregad Status assigned => resolved
2020-09-25 13:27 dregad Resolution open => fixed
2020-09-25 13:27 dregad Fixed in Version => 2.24.3
2020-09-25 14:53 dregad Status resolved => closed