View Issue Details

ID: 0024089
Project: mantisbt
Category: authentication
View Status: public
Last Update: 2018-03-31 19:58
Reporter: omerfirmak
Assigned To: atrol
Priority: normal
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 2.12.0
Target Version: 2.13.0
Fixed in Version: 2.13.0
Summary: 0024089: POST request to login_password_page.php returns 405 when admin folder is deleted or access restricted
Description

Hi,

So when I delete or chmod 000 the admin folder, a POST request to login_password_page.php returns 405.

Tags: No tags attached.

Relationships

related to 0023476 (closed, atrol): Can't login if admin directory has restricted access

Activities

dregad (developer), 2018-03-08 11:37, note ~0059120

Can you clarify what POST request you are talking about ? Please provide detailed steps to reproduce the error.

omerfirmak (reporter), 2018-03-08 12:14, note ~0059121

Sorry for that, the attached file should be enough, I guess.
Error only occurs when I "chmod 000" the admin folder. If I delete or rename it, it looks like it works fine.



Attachment: mantis405.json (4,176 bytes)

atrol (developer), 2018-03-08 13:35, note ~0059124 (last edited 2018-03-08 13:36)

I am wondering if we can remove all those checks

$t_upgrade_required = false;
if( config_get_global( 'admin_checks' ) == ON && file_exists( dirname( __FILE__ ) .'/admin' ) ) {
    # since admin directory and db_upgrade lists are available check for missing db upgrades
    # if db version is 0, we do not have a valid database.
    $t_db_version = config_get( 'database_version', 0 );
    if( $t_db_version == 0 ) {
        $t_warnings[] = lang_get( 'error_database_no_schema_version' );
    }

    # Check for db upgrade for versions > 1.0.0 using new installer and schema
    require_once( 'admin' . DIRECTORY_SEPARATOR . 'schema.php' );
    $t_upgrades_reqd = count( $g_upgrade ) - 1;

    if( ( 0 < $t_db_version ) &&
            ( $t_db_version != $t_upgrades_reqd ) ) {

        if( $t_db_version < $t_upgrades_reqd ) {
            $t_upgrade_required = true;
        }
    }
}

from login_password_page.php as we check already in login_page.php

atrol (developer), 2018-03-08 14:32, note ~0059125

I wondered why it worked on page login_page.php but not on login_password_page.php.
It's because we check for /admin/. in login_page.php but for /admin in login_password_page.php.

The checks can't be removed at the moment, as they are needed to populate the hidden field "install" so that login.php executes admin/install.php if there is an outdated database schema.
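The difference atrol describes in the note above (a check on /admin still succeeds on a directory set to mode 000, while a check on /admin/. does not, because stat'ing anything below the directory needs search permission on it) can be reproduced from the shell. The script below is an added example, not MantisBT code: the temporary directory layout and the schema.php stub are constructed for the demo, and the admin_usable function is an assumption about what a robust "can we actually read the admin folder" check looks like, not the project's actual fix. When run as root every check passes, because root bypasses the mode bits.

```shell
#!/bin/sh
# Added example (not MantisBT code): compare the "/admin" and "/admin/." checks
# on an admin directory whose mode has been set to 000, as in the bug report.
set -eu

# Create <workdir>/admin with a constructed schema.php stub, then restrict it
# exactly the way the reporter did ("chmod 000 admin").
setup_restricted_admin() {
    workdir="$1"
    mkdir -p "$workdir/admin"
    printf '<?php $g_upgrade = array();\n' > "$workdir/admin/schema.php"
    chmod 000 "$workdir/admin"
}

# Report four answers (1 = yes, 0 = no), in order:
#   admin exists?  admin/. exists?  admin readable?  admin searchable?
# "admin" is resolved from the parent directory's entry and succeeds;
# "admin/." has to be stat'ed through admin itself and fails with EACCES.
probe_admin_dir() {
    workdir="$1"
    e1=0; e2=0; r=0; x=0
    [ -e "$workdir/admin" ] && e1=1
    [ -e "$workdir/admin/." ] && e2=1
    [ -r "$workdir/admin" ] && r=1
    [ -x "$workdir/admin" ] && x=1
    echo "$e1 $e2 $r $x"
}

# Assumed robust check: only treat the admin folder as present when its
# contents can actually be listed and read, since schema.php will be
# require_once'd right afterwards.  Existence alone is not enough.
admin_usable() {
    workdir="$1"
    [ -d "$workdir/admin" ] && [ -r "$workdir/admin" ] && [ -x "$workdir/admin" ]
}

# Restore permissions before removing the scratch directory.
restore_and_cleanup() {
    workdir="$1"
    chmod 755 "$workdir/admin" 2>/dev/null || true
    rm -rf "$workdir"
}

# Run the whole experiment in a scratch directory and print one summary line.
demo() {
    tmp="$(mktemp -d)"
    setup_restricted_admin "$tmp"
    result="$(probe_admin_dir "$tmp")"
    if admin_usable "$tmp"; then usable=yes; else usable=no; fi
    restore_and_cleanup "$tmp"
    echo "$result usable=$usable"
}
```

As an unprivileged user `demo` prints `1 0 0 0 usable=no`: the directory "exists" for a plain existence check but nothing below it can be reached, which is exactly the state in which a `file_exists( ... '/admin' )` guard lets execution proceed to `require_once( 'admin/schema.php' )` and fails. Checking `admin/.` (or readability and searchability explicitly) treats the restricted folder the same way as a deleted one.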

atrol (developer), 2018-03-08 14:33, note ~0059126

PR https://github.com/mantisbt/mantisbt/pull/1314

Related Changesets

MantisBT: master 9debbfb5
Date: 2018-03-08 14:24:08
Author: atrol
Committer: vboctor

Correct access check for admin folder

Fixes 0024089
Fixes 0023476

Affected Issues: 0023476, 0024089
Modified: login_password_page.php

Issue History

Date Modified | Username | Field | Change
2018-03-08 11:24 omerfirmak New Issue
2018-03-08 11:37 dregad Status new => feedback
2018-03-08 11:37 dregad Note Added: 0059120
2018-03-08 12:14 omerfirmak File Added: mantis405.json
2018-03-08 12:14 omerfirmak Note Added: 0059121
2018-03-08 12:14 omerfirmak Status feedback => new
2018-03-08 13:31 atrol Relationship added related to 0023476
2018-03-08 13:35 atrol Note Added: 0059124
2018-03-08 13:36 atrol Note Edited: 0059124
2018-03-08 14:10 atrol Assigned To => atrol
2018-03-08 14:10 atrol Status new => assigned
2018-03-08 14:32 atrol Note Added: 0059125
2018-03-08 14:33 atrol Note Added: 0059126
2018-03-08 14:58 atrol Target Version => 2.13.0
2018-03-13 03:17 vboctor Changeset attached => MantisBT master 9debbfb5
2018-03-13 03:17 atrol Status assigned => resolved
2018-03-13 03:17 atrol Resolution open => fixed
2018-03-13 03:17 atrol Fixed in Version => 2.13.0
2018-03-31 19:58 vboctor Status resolved => closed