Mantis Bugtracker          
testlink.org

View Issue Details

ID: 0005317
Project: TestLink
Category: 0 - User too Lazy to analize defined categories
View Status: public
Date Submitted: 2012-10-31 02:29
Last Update: 2015-05-01 07:45
Reporter: sinohzxu
Assigned To: fman
Priority: low
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Platform:
OS:
OS Version:
Product Version: 1.9.4 (2012 Q3 - bug fixing)
Fixed in Version: 1.9.13 (2015 #1)
Summary: 0005317: must login twice and logout before login.
Description: After upgrading to 1.9.4, when the session timed out or we forgot to log out, we must log out first and log in again. It displays "Invalid security token" after the first login.
Is it possible to be the same as with 1.9.3? No need to log in twice...
Steps To Reproduce:
1. Login successfully.
2. Close the page without logging out.
3. Open the login page.
4. Login.
5. After "Invalid security token" is shown, login again.
Tags: No tags attached.
Database (MySQL, Postgres, etc): mysql
Browser:
PHP Version:
TestCaseID:
QA Team - Task Workflow Status: TBD
Attached Files:

- Relationships
child of 0004977 (closed, kinow): CSRF - Advisory ID: HTB23088 - Reference: https://www.htbridge.com/advisory/HTB23088

- Notes
(0017758)
fman (administrator)
2012-10-31 06:04

Reminder sent to: kinow

Can you give it a look or provide advice?
(0017760)
kinow (reporter)
2012-10-31 12:30

Sure, I knew about this issue, and wanted to fix it before the next release :o) thanks.
(0017812)
sinohzxu (reporter)
2012-11-13 08:48

So when will the next release be? Is it testlink 2.0?
Looking forward :)
(0017813)
kinow (reporter)
2012-11-13 09:16

Hi @sinohzxu, I believe it's still not 2.0, but the next version should be released within the next weeks ;-)

I have a patch, that changes the way TestLink protects users against CSRF. I have to commit this patch and test for a while.

The CSRF protection is responsible for having you log in twice.

I'm wondering if you would like to help me testing this patch :-)
(0017818)
sinohzxu (reporter)
2012-11-14 06:46

Waaa, the next version is coming out? Happy to hear that.
Actually I have been developing 1.9.4 for other requirements, and each time a patch comes out, I would like very much to integrate my version with the patches.
Where could I get the patch? I'd like to test it :)
(0017822)
kinow (reporter)
2012-11-15 00:31

> Actually I have been developing 1.9.4 for other requirements, and each time a patch comes out, I would like very much to integrate my version with the patches.
> Where could I get the patch? I'd like to test it :)

Yay! I'll post it here, or if it's too many files, I'll send you the link from gitorious.

Thanks much
(0017834)
kinow (reporter)
2012-11-17 05:29

Hi sinohzxu!

here it goes:

https://gitorious.org/testlink-ga/testlink-code/archive-tarball/testlink_1_9

Grab the latest tarball from Gitorious (you may be asked to create an account on Gitorious, not sure), install in a test database, and try reproducing the error.

Then, check config.inc.php. There's a new entry there.

Make sure that it's set to true, as demonstrated following.

$tlCfg->csrf_filter_enabled = TRUE;

Then test if you can reproduce the error. This error is being caused by a bogus CSRF (bad security breach) verification. In this tarball, we've replaced this verification with another one from OWASP. It acts as a global filter, but you have to turn this filter on using this flag.

Let me know if that works. Thanks!
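As an added illustration (not TestLink's own code, and not a claim about the exact defect in 1.9.4), here is a minimal synchronizer-token filter of the kind described above: one global check on POST requests, switched on by a config flag, replayed against the stale-session scenario from the report. Only the flag name $tlCfg->csrf_filter_enabled comes from the thread; the function names and the array stand-ins for the session and request are assumptions so the script runs from the CLI.

```php
<?php
// Added example, not TestLink's code. Only the flag name below is from the thread;
// csrf_token(), csrf_filter() and the array-based session/request are assumptions.
$tlCfg = new stdClass();
$tlCfg->csrf_filter_enabled = TRUE;

// Mint a token for the current session, or reuse the one already stored there.
// Every form (the login form included) must embed the token returned by this call.
function csrf_token(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Global filter: a POST may proceed only if it carries the token stored in the
// session that handles it. GET requests and a disabled filter pass through.
function csrf_filter(stdClass $cfg, array $session, array $request): bool
{
    if (!$cfg->csrf_filter_enabled || $request['method'] !== 'POST') {
        return true;
    }
    $expected = $session['csrf_token'] ?? '';
    $given    = $request['post']['csrf_token'] ?? '';
    // An expired or brand-new session holds no token, so nothing can match it;
    // hash_equals keeps the comparison constant-time.
    return $expected !== '' && hash_equals($expected, $given);
}

// Replay the report's scenario with an array standing in for $_SESSION.
$session   = [];
$formToken = csrf_token($session);   // a page is rendered with a token (step 1)
$session   = [];                     // the session times out (step 2): stored token is gone

// A form still carrying the old token is rejected by the filter: the token was
// bound to a session that no longer exists. This is the "Invalid security token" case.
$stale = ['method' => 'POST', 'post' => ['csrf_token' => $formToken]];
printf("stale token accepted: %s\n", var_export(csrf_filter($tlCfg, $session, $stale), true));

// What a correct login page must do: mint its token in the *new* session before the
// form is submitted, so the token the user posts is the one the filter will look up.
$fresh = ['method' => 'POST', 'post' => ['csrf_token' => csrf_token($session)]];
printf("fresh token accepted: %s\n", var_export(csrf_filter($tlCfg, $session, $fresh), true));
```

The defender-side check this suggests: whatever renders the login form must run after the session that will validate the POST has been started, and the filter must never be bypassed by an empty stored token.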
(0017861)
sinohzxu (reporter)
2012-11-21 06:59
edited on: 2012-11-21 07:01

Sorry kinow, how do I get the changelog of the code for your fix of this issue?
Like http://gitorious.org/testlink-ga/testlink-code/commit/213d524519e27ef94fcde1b66918feefcbf47404

It will be more convenient for us to test the code on our server, since the code and db are different.

(0017862)
kinow (reporter)
2012-11-21 09:27

Hi sinohzxu,

The links to the commits can be found here: http://mantis.testlink.org/view.php?id=4977, in my last comment :)

Cheers
(0023221)
Mr.Bricodage (updater)
2015-04-26 16:57

Linked with 0004977, which is Fixed in Version 1.9.7 (2013 Q2 - bug fixing).

- Issue History
Date Modified Username Field Change
2012-10-31 02:29 sinohzxu New Issue
2012-10-31 06:04 fman Note Added: 0017758
2012-10-31 06:05 fman Category 0 - Undefined => 0 - User too Lazy to analize defined categories
2012-10-31 12:30 kinow Note Added: 0017760
2012-10-31 12:44 kinow Assigned To => kinow
2012-10-31 12:44 kinow Status new => work in progress
2012-11-01 22:17 kinow Relationship added child of 0004977
2012-11-13 08:48 sinohzxu Note Added: 0017812
2012-11-13 09:16 kinow Note Added: 0017813
2012-11-14 06:46 sinohzxu Note Added: 0017818
2012-11-15 00:31 kinow Note Added: 0017822
2012-11-17 05:29 kinow Note Added: 0017834
2012-11-21 06:59 sinohzxu Note Added: 0017861
2012-11-21 07:01 sinohzxu Note Edited: 0017861
2012-11-21 09:27 kinow Note Added: 0017862
2015-04-26 16:57 Mr.Bricodage Note Added: 0023221
2015-04-26 16:57 Mr.Bricodage Relationship added child of 0007083
2015-05-01 07:45 fman Assigned To kinow => fman
2015-05-01 07:45 fman Status work in progress => new
2015-05-01 07:45 fman Status new => closed
2015-05-01 07:45 fman Resolution open => fixed
2015-05-01 07:45 fman Fixed in Version => 1.9.13 (2015 #1)
2015-05-03 15:25 Mr.Bricodage Relationship deleted child of 0007083