View Issue Details
|ID||Project||Category||View Status||Date Submitted||Last Update|
|0026636||mantisbt||installation||public||2020-01-28 16:22||2020-03-15 15:23|
|Target Version||2.24.0||Fixed in Version||2.24.0|
|Summary||0026636: Apostrophe in custom_field_string table causes upgrade from < 1.2.0 to fail|
Original summary: SQL Blocker in install (Updating From Extremely old Mantis Version)
When attempting to update from Mantis 1.0.5 to Mantis 2.23.0, by navigating to /admin/install.php and clicking 'upgrade database';
check the manual that corresponds to your MariaDB server version for the right syntax to use near 'instant)|'
The issue is with this function in: mantisbt-2.23.0\core\install_helper_functions_api.php @ line 412
The lack of parameterized queries here probably constitutes a Security Vulnerability
|Steps To Reproduce|
I'm sorry it took me 15 years to update my Mantis Software.
|Tags||No tags attached.|
Can you please test with updated code in PR https://github.com/mantisbt/mantisbt/pull/1618 and let me know if it fixes the problem.
Fix Confirmed! .
I Cloned your fork "dregad/mantisbt" and checked out to i26636-upgrade-apostrophe.
Thanks for that outstandingly quick response.
Thanks for the feedback, glad to hear that the problem is fixed.
MantisBT: master 88cefc7d
2020-01-29 03:40:03Details Diff
|Use query parameters in install helper function
install_correct_multiselect_custom_fields_db_format() injected actual
field values in the update SQL queries, which is a potential source for
SQL injection, and causes the upgrade from MantisBT < 1.2.0 to fail when
custom_field_table contains an apostrophe.
|mod - core/install_helper_functions_api.php||Diff File|