All Projects

ID | Project | Category | Task Type | Severity | Summary | Status | Opened by | Opened | Progress

2437 | Flyspray - The bug killer! | Backend/Core | Bug Report | Critical | Spammers are able to bypass disabled user registrations | Closed | Arthmoor | 06.08.2017 | 0%
5 Task Description

Spammers have found a way to bypass the block on user registration and cause entries to be inserted into the registrations table in the database. I have 30+ of them in there right now, all inserted within the last 2 days. I’ve had user registrations disabled for 2 weeks now because of an onslaught of spammers who won’t leave us alone. Flyspray has insufficient safeguards against them so when this happens I have little choice.

I don’t have any idea how, but these entries in the registrations table are resulting in emails being sent out to these accounts that are bouncing because the spammers are on domain blocklists for forging their DNS responses.

Something needs to be done about this, because if they can insert phantom entries into this database table via the code, what else could they be doing that we haven’t spotted yet?

2344 | Flyspray - The bug killer! | Notifications | Bug Report | Low | Admins still get noticed for new users even with the op... | Unconfirmed | Arthmoor | 16.02.2017 | 50%
6 Task Description

/index.php?do=admin&area=prefs

There’s a checkbox on this menu to toggle whether admins get notices for new user registrations or not. Ours is off, but I’m still getting those notices.

2331 | Flyspray - The bug killer! | Backend/Core | Bug Report | Low | PHP Notice: crypt(): No salt parameter was specified. | Closed | Arthmoor | 23.01.2017 | 0%
Task Description

The complete error message:

PHP Notice: crypt(): No salt parameter was specified. You must use a randomly generated salt and a strong hash function to produce a secure hash. in includes/class.flyspray.php on line 648

This one is probably pretty important since it appears the fall through chain in cryptPassword is only checking for older methods:

  public static function cryptPassword($password)
  {
	global $conf;
	$pwcrypt = strtolower($conf['general']['passwdcrypt']);

	# sha1, md5, sha512 are unsalted, hashing methods, not suited for storing passwords anymore.
	# Use crypt(), that adds random salt, customizable rounds and customizable hashing algorithms.
	if ($pwcrypt == 'sha1') {
		return sha1($password);
	} elseif ($pwcrypt == 'md5') {
		return md5($password);
	} elseif ($pwcrypt == 'sha512') {
		return hash('sha512', $password);
	} else {
		return crypt($password);
	}
  }

This should probably be updated to use the newer password_hash() and password_verify() functions that access much more robust and secure password encryption.
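
As an added illustration of the password_hash()/password_verify() approach suggested above (this is example code, not Flyspray's own): new passwords get a salted bcrypt hash, and accounts still stored in one of the legacy formats from cryptPassword() are upgraded on their next successful login. The parameter $pwcrypt stands in for $conf['general']['passwdcrypt'] and is an assumption of this example.

```php
<?php
// Added example, not Flyspray's own code: hash new passwords with password_hash()
// and check them with password_verify(), while still accepting the legacy formats
// produced by the cryptPassword() shown above so existing accounts migrate on
// their next successful login. $pwcrypt stands in for
// $conf['general']['passwdcrypt'] (assumed to be the configured legacy method).

function hashPassword(string $password): string
{
    // bcrypt by default; the random salt and cost are embedded in the result,
    // so nothing has to be stored or passed separately.
    return password_hash($password, PASSWORD_DEFAULT);
}

function legacyDigestMatches(string $password, string $stored, string $pwcrypt): bool
{
    // Unsalted digests from the old code path; compared in constant time.
    switch (strtolower($pwcrypt)) {
        case 'sha1':   $digest = sha1($password); break;
        case 'md5':    $digest = md5($password); break;
        case 'sha512': $digest = hash('sha512', $password); break;
        default:       return false;
    }
    return hash_equals($stored, $digest);
}

// Returns null when the password is wrong; otherwise the value that should now be
// stored: the existing hash if it is already current, or a fresh password_hash()
// when the account was still on a legacy or outdated format.
function verifyAndMigrate(string $password, string $stored, string $pwcrypt): ?string
{
    // Covers password_hash() output and old crypt()-format hashes alike, since
    // both carry their own salt and algorithm identifier.
    if (password_verify($password, $stored)) {
        return password_needs_rehash($stored, PASSWORD_DEFAULT)
            ? hashPassword($password)
            : $stored;
    }
    if (legacyDigestMatches($password, $stored, $pwcrypt)) {
        return hashPassword($password);   // upgrade the unsalted digest
    }
    return null;
}

// Constructed usage: a user whose stored value is still an unsalted sha1 digest.
$stored  = sha1('correct horse battery staple');
$updated = verifyAndMigrate('correct horse battery staple', $stored, 'sha1');
// $updated is now a "$2y$..." bcrypt string to write back to the user row;
// a wrong password yields null and the stored value is left untouched.
```

Once every row has been rewritten this way, the legacy branches in legacyDigestMatches() can be dropped along with the passwdcrypt setting.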

2330 | Flyspray - The bug killer! | Backend/Core | Bug Report | Low | PHP Notice: Undefined offset: 0 in scripts/index.php o... | Unconfirmed | Arthmoor | 23.01.2017 | 50%
4 Task Description

Pretty minor, but seems to show up regularly enough in our logs. The line in question:

$outfile = str_replace(' ', '_', $tasks[0]['project_title']).'_'.date("Y-m-d").'.csv';

2329 | Flyspray - The bug killer! | Backend/Core | Bug Report | Medium | PHP Notice: Array to string conversion in includes/mod ... | Closed | Arthmoor | 23.01.2017 | 100%
1 Task Description

Just a minor thing, but it’s showing up regularly in the server logs. The code in the affected area is this:

    # FIXME what if we move to different project, but tag(s) is/are defined for the old project only (not global)?
    # FIXME what if we move to different project and tag input field is deactivated/not shown in edit task page?
    #   - Create new tag(s) in target project if user has permission to create new tags but what with the users who have not the permission?
    # update tags
    $tagList = explode(';', Post::val('tags'));
    $tagList = array_map('strip_tags', $tagList);
    $tagList = array_map('trim', $tagList);
    $tagList = array_unique($tagList); # avoid duplicates for inputs like: "tag1;tag1" or "tag1; tag1<p></p>"
    $tags_changed = count(array_diff($task['tags'], $tagList)) + count(array_diff($tagList, $task['tags']));

2316 | Flyspray - The bug killer! | Backend/Core | Bug Report | Low | "wrongtoken" is displayed if the comment box is left si... | Assigned | Arthmoor | 22.11.2016 | 0%
71 Task Description

I understand this is likely due to some sort of XSS CSRF protection, but the delay doesn’t appear to be long enough to be useful for a lengthy comment to be posted. I’ve now lost two detailed comments in our tracker because the software threw everything out and generated a meaningless error.

Further, attempting to do the normal thing and making the browser resubmit the page results in Flyspray throwing “Error #3” something something repeated action and causing a redirect to the homepage.

Surely there has to be a better way to handle this that doesn’t incur data loss?

2315 | Flyspray - The bug killer! | Backend/Core | Bug Report | Low | Filing a new task is possible with no details in the ma... | Unconfirmed | Arthmoor | 21.11.2016 | 0%
Task Description

When filing a task, it’s possible to submit the task without any information at all being added to the main body of the ticket. This leads to reports that are of no value because the user can simply add some vague title, hit submit, and then wonder why nothing happens other than someone closing it later as invalid.

The main body of the ticket should be considered a required field and should throw an error if nothing is in the box.

2314 | Flyspray - The bug killer! | Backend/Core | Bug Report | High | HTMLPurifier_Config error after installing 1.0rc4 | Closed | Arthmoor | 19.11.2016 | 100%
2 Task Description

Updated to the new security release today and anytime someone tries to add a comment, the following error is thrown:

Notice: Undefined variable: conf in /includes/class.backend.php on line 312 Fatal error: Class ‘HTMLPurifier_Config’ not found in /includes/class.backend.php on line 313

This is the offending code:

if($conf['general']['syntax_plugin'] != 'dokuwiki'){
	$purifierconfig = HTMLPurifier_Config::createDefault();
	$purifier = new HTMLPurifier($purifierconfig);
	$comment_text = $purifier->purify($comment_text);
}

After commenting this block of code out, comments can again be posted.

2309 | Flyspray - The bug killer! | User Interface | Bug Report | Low | PHP notices displayed on default "All Projects" page. | Unconfirmed | Arthmoor | 02.11.2016 | 0%
3 Task Description

I am seeing some notices on the front page of our tracker install that were not present prior to updating to 1.0rc3.

Notice: Undefined offset: 1 in <redacted>/scripts/index.php on line 202 Notice: Undefined offset: 2 in <redacted>/scripts/index.php on line 202

It’s displaying the full path to the files on the page.

There are effectively 2 issues here. One is that some kind of error is kicking up. Second is that it’s being shown to anyone who visits the site.

2198 | Flyspray - The bug killer! | User Interface | Bug Report | Low | Multi-Select from tasklist offers options to those who ... | Unconfirmed | Arthmoor | 22.08.2016 | 0%
11 Task Description

When viewing a project via the tasklist, there are a series of checkboxes available. If a user in a group with “modify own tasks” checks a box on a ticket - no matter who actually owns it - they are given a list of options to change it with.

This should not happen. The checkboxes should only be available from the tasklist if the user can actually edit the tickets they’d be next to.

//imgur.com/a/JwORB

Showing tasks 1 - 10 of 10 Page 1 of 1
