View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0026636 | mantisbt | installation | public | 2020-01-28 16:22 | 2020-03-15 15:23 |
| Field | Value |
|---|---|
| Reporter | Daltenburg |
| Assigned To | dregad |
| Priority | high |
| Severity | block |
| Reproducibility | always |
| Status | closed |
| Resolution | fixed |
| Target Version | 2.24.0 |
| Fixed in Version | 2.24.0 |
| Summary | 0026636: Apostrophe in custom_field_string table causes upgrade from < 1.2.0 to fail |

Description:

Original summary: SQL Blocker in install (Updating From Extremely old Mantis Version)

When attempting to update from Mantis 1.0.5 to Mantis 2.23.0, by navigating to /admin/install.php and clicking 'upgrade database'; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'instant)|'

The issue is with this function in: mantisbt-2.23.0\core\install_helper_functions_api.php @ line 412

The lack of parameterized queries here probably constitutes a Security Vulnerability.

Additional Information:

I'm sorry it took me 15 years to update my Mantis Software.

Tags: No tags attached.
dregad:

;-) Can you please test with updated code in PR https://github.com/mantisbt/mantisbt/pull/1618 and let me know if it fixes the problem.

Daltenburg:

Fix confirmed! I cloned your fork "dregad/mantisbt" and checked out i26636-upgrade-apostrophe. Thanks for that outstandingly quick response.

dregad:

Thanks for the feedback, glad to hear that the problem is fixed.
MantisBT: master 88cefc7d 2020-01-28 22:40

Use query parameters in install helper function

install_correct_multiselect_custom_fields_db_format() injected actual field values in the update SQL queries, which is a potential source for SQL injection, and causes the upgrade from MantisBT < 1.2.0 to fail when custom_field_table contains an apostrophe.

Fixes 0026636

Affected Issues: 0026636

mod - core/install_helper_functions_api.php
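The failure and the injection risk the commit message describes, as an added example that is not MantisBT's code: a Python/sqlite3 reconstruction of the two ways the per-row UPDATE can be built. It assumes a table named custom_field_string with columns field_id, bug_id and value, assumes the 1.2.0 multiselect layout wraps the stored value in a leading and trailing '|' (neither detail is stated on the page), and runs on constructed sample rows. The concatenated form aborts on the apostrophe row with the same class of syntax error the reporter hit, and an attacker-shaped value rewrites every row in the table; the parameterised form stores both values verbatim.

```python
import sqlite3

# Constructed sample data standing in for a pre-1.2.0 custom_field_string table.
# The apostrophe value is the benign case from this issue; the second list shows
# what an attacker-shaped value does to the same concatenating code.
APOSTROPHE_ROWS = [
    (1, 10, "red|green"),
    (1, 11, "Don't know (instant)"),
]
INJECTION_ROWS = [
    (1, 10, "red|green"),
    (1, 12, "x' OR 1=1 --"),
]


def new_format(value):
    """Assumed 1.2.0 multiselect layout (leading and trailing '|'); not from the page."""
    return "|" + value + "|"


def make_db(rows):
    """Fresh in-memory database with the assumed table layout and the given rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE custom_field_string (field_id INT, bug_id INT, value TEXT)")
    conn.executemany("INSERT INTO custom_field_string VALUES (?, ?, ?)", rows)
    conn.commit()
    return conn


def upgrade_concatenated(conn):
    """The pattern the fix removed: field values spliced into the SQL text."""
    rows = conn.execute("SELECT field_id, bug_id, value FROM custom_field_string").fetchall()
    for field_id, bug_id, value in rows:
        sql = ("UPDATE custom_field_string SET value = '%s' "
               "WHERE field_id = %d AND bug_id = %d AND value = '%s'"
               % (new_format(value), field_id, bug_id, value))
        conn.execute(sql)  # an apostrophe in value ends the literal early: syntax error
    conn.commit()


def upgrade_parameterised(conn):
    """The hardened pattern: values are bound by the driver and never parsed as SQL."""
    rows = conn.execute("SELECT field_id, bug_id, value FROM custom_field_string").fetchall()
    for field_id, bug_id, value in rows:
        conn.execute(
            "UPDATE custom_field_string SET value = ? "
            "WHERE field_id = ? AND bug_id = ? AND value = ?",
            (new_format(value), field_id, bug_id, value),
        )
    conn.commit()


def stored_values(conn):
    return [r[0] for r in conn.execute("SELECT value FROM custom_field_string ORDER BY bug_id")]


def run_concatenated(rows):
    """Returns the stored values, or the exception name if the upgrade aborted."""
    conn = make_db(rows)
    try:
        upgrade_concatenated(conn)
    except sqlite3.OperationalError as exc:
        return type(exc).__name__
    return stored_values(conn)


def run_parameterised(rows):
    conn = make_db(rows)
    upgrade_parameterised(conn)
    return stored_values(conn)


if __name__ == "__main__":
    print(run_concatenated(APOSTROPHE_ROWS))   # OperationalError: the upgrade aborts
    print(run_concatenated(INJECTION_ROWS))    # ['1', '1']: the '--' drops the WHERE, every row rewritten
    print(run_parameterised(APOSTROPHE_ROWS))  # ['|red|green|', "|Don't know (instant)|"]
    print(run_parameterised(INJECTION_ROWS))   # ['|red|green|', "|x' OR 1=1 --|"]
```

The two outcomes of the concatenated path are the same defect seen from two sides: a quote in ordinary data breaks the statement, and a quote placed deliberately rewrites it. Binding the values, which is what the commit's "query parameters" does in the PHP helper, removes both, so no escaping of the stored data is needed at all.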