View Issue Details

ID: 0026541
Project: mantisbt
Category: api rest
View Status: public
Last Update: 2020-03-15 15:23
Reporter: mnewnham
Assigned To: dregad
Priority: normal
Severity: minor
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 2.22.1
Target Version: 2.24.0
Fixed in Version: 2.24.0
Summary: 0026541: Passing invalid id to rest api custom field update causes program crash
Description

A trivial update to a custom field with an invalid custom field id causes the following untrapped error (reported in the Apache log):

PHP Fatal error: 1300 in /home/mantisbt/mantisbt-2.22.1/core/custom_field_api.php on line 392

This is in the code

function custom_field_ensure_exists( $p_field_id ) {
    if( custom_field_exists( $p_field_id ) ) {
        return true;
    } else {
        error_parameters( 'Custom ' . $p_field_id );
        trigger_error( ERROR_CUSTOM_FIELD_NOT_FOUND, ERROR ); // <-- line 392
    }
}

Steps To Reproduce

Create a simple API update

$c = new stdClass;
$c->id = $id;
$c->custom_fields = array(
    array(
        'field' => array( 'id' => 999 ), // Not a valid ID
        'value' => 123
    )
);

$jsonData = json_encode( $c );

// -------------> PUSH TO API

Tags: No tags attached.

Relationships

related to 0026540 (closed, dregad): Passing unsanitized data to type hinted function causes program crash
related to 0026542 (closed, dregad): Passing out of range custom field id causes multiple PHP warnings / incorrect response

Activities

Related Changesets

MantisBT: master b01b6779

2020-02-02 16:22:27

dregad

Get & validate custom field using standard API

Use mci_get_custom_field_id_from_objectref() to retrieve the custom
field's id.

Throw exceptions if
- the returned Id == 0 (invalid field)
- the field is not linked to the current project

Fixes 0026541
Affected Issues
0026541
mod - api/soap/mc_project_api.php
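
The validation order the changeset message describes (resolve the field reference to an id, reject an id of 0, reject a field not linked to the current project, each as a catchable exception instead of a fatal error), as an added example that is not MantisBT's code. The field table, all function and class names, and the 400 status are hypothetical stand-ins chosen for illustration.

```php
<?php
// Added example; every name below is a hypothetical stand-in, not MantisBT code.
class FieldValidationException extends InvalidArgumentException {}

// Constructed sample data: custom field id => name and linked project ids.
const CUSTOM_FIELDS = [
    1 => ['name' => 'Build',    'projects' => [10, 11]],
    2 => ['name' => 'Customer', 'projects' => [11]],
];

// Resolve a client-supplied reference ({"id": n} or {"name": s}); 0 means "not found".
function resolve_field_id(array $ref): int {
    if (isset($ref['id'])) {
        // Non-integer, negative or array input is rejected here instead of reaching a lookup.
        $id = filter_var($ref['id'], FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
        return ($id !== false && array_key_exists($id, CUSTOM_FIELDS)) ? $id : 0;
    }
    foreach (CUSTOM_FIELDS as $id => $def) {
        if (isset($ref['name']) && $def['name'] === $ref['name']) {
            return $id;
        }
    }
    return 0;
}

// Both checks throw, so the caller decides the response; nothing calls trigger_error().
function validated_field_id(array $ref, int $projectId): int {
    $id = resolve_field_id($ref);
    if ($id === 0) {
        throw new FieldValidationException('Custom field not found');
    }
    if (!in_array($projectId, CUSTOM_FIELDS[$id]['projects'], true)) {
        throw new FieldValidationException("Custom field $id is not linked to project $projectId");
    }
    return $id;
}

// REST-style handler: validate every field first, then answer with a client error on failure.
function handle_update(array $payload, int $projectId): array {
    try {
        foreach ($payload['custom_fields'] ?? [] as $cf) {
            validated_field_id((array)($cf['field'] ?? []), $projectId);
        }
        return ['status' => 200, 'message' => 'updated'];
    } catch (FieldValidationException $e) {
        return ['status' => 400, 'message' => $e->getMessage()]; // status code is an assumption
    }
}

// The payload from "Steps To Reproduce", with 999 as the invalid field id.
print_r(handle_update(['custom_fields' => [['field' => ['id' => 999], 'value' => 123]]], 10));
```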

Issue History

Date Modified Username Field Change
2019-12-30 12:38 mnewnham New Issue
2020-02-02 16:41 dregad Status new => assigned
2020-02-02 16:41 dregad Assigned To => dregad
2020-02-02 16:46 dregad Relationship added related to 0026540
2020-02-02 16:46 dregad Relationship added related to 0026542
2020-02-02 17:00 dregad Note Added: 0063555
2020-02-02 17:00 dregad Target Version => 2.24.0
2020-02-17 04:46 dregad Changeset attached => MantisBT master b01b6779
2020-02-17 04:46 dregad Status assigned => resolved
2020-02-17 04:46 dregad Resolution open => fixed
2020-02-17 04:46 dregad Fixed in Version => 2.24.0
2020-03-15 15:23 vboctor Status resolved => closed