View Issue Details

IDProjectCategoryView StatusLast Update
0026636mantisbtinstallationpublic2020-03-15 15:23
ReporterDaltenburg Assigned Todregad  
PriorityhighSeverityblockReproducibilityalways
Status closedResolutionfixed 
Target Version2.24.0Fixed in Version2.24.0 
Summary0026636: Apostrophe in custom_field_string table causes upgrade from < 1.2.0 to fail
Description

Original summary: SQL Blocker in install (Updating From Extremely old Mantis Version)

When attempting to update from Mantis 1.0.5 to Mantis 2.23.0, by navigating to /admin/install.php and clicking 'upgrade database';
When the mantis_custom_field_string_table.values column contains an apostrophe/singlequote (') the process fails with:

check the manual that corresponds to your MariaDB server version for the right syntax to use near 'instant)|'
WHERE field_id = 5
AND bug_id = 1610' at line 2 for the query: UPDATE mantis_custom_field_string_table
SET value = '|E (pour l'instant)|'
WHERE field_id = 5
AND bug_id = 1610.

The issue is with this function in: mantisbt-2.23.0\core\install_helper_functions_api.php @ line 412

The lack of parameterized queries here probably constitutes a Security Vulnerability
Albeit a very low severity one

Steps To Reproduce
  1. Install/Configure Mantis BT 1.0.3
  2. Enter some information in the custom_field_string database table that contains an apostrophe (single quote) [like, "|E (pour l'instant)|"]
  3. Follow the steps in Mantis Upgrade guide (saving configs, etc)
  4. Navigate to /admin/install.php and attempt to upgrade
Additional Information

I'm sorry it took me 15 years to update my Mantis Software.

TagsNo tags attached.

Activities

dregad

dregad

2020-01-29 03:42

developer   ~0063530

I'm sorry it took me 15 years to update my Mantis Software.

;-)

Can you please test with updated code in PR https://github.com/mantisbt/mantisbt/pull/1618 and let me know if it fixes the problem.

Daltenburg

Daltenburg

2020-01-29 09:14

reporter   ~0063532

Fix Confirmed! .

I Cloned your fork "dregad/mantisbt" and checked out to i26636-upgrade-apostrophe.
Then retested and got passed the blocker!

Thanks for that outstandingly quick response.

confirmfix-26636.jpg (167,716 bytes)   
confirmfix-26636.jpg (167,716 bytes)   
dregad

dregad

2020-01-29 09:32

developer   ~0063534

Thanks for the feedback, glad to hear that the problem is fixed.

Related Changesets

MantisBT: master 88cefc7d

2020-01-28 22:40

dregad


Details Diff
Use query parameters in install helper function

install_correct_multiselect_custom_fields_db_format() injected actual
field values in the update SQL queries, which is a potential source for
SQL injection, and causes the upgrade from MantisBT < 1.2.0 to fail when
custom_field_table contains an apostrophe.

Fixes 0026636
Affected Issues
0026636
mod - core/install_helper_functions_api.php Diff File