View Issue Details

IDProjectCategoryView StatusLast Update
0026541mantisbtapi restpublic2020-03-15 15:23
Reportermnewnham Assigned Todregad  
Status closedResolutionfixed 
Product Version2.22.1 
Target Version2.24.0Fixed in Version2.24.0 
Summary0026541: Passing invalid id to rest api custom field update causes program crash

A trivial update to a custom field, with an invalid custom field id causes the following untrapped error (reported in Apache log):

PHP Fatal error: 1300 in /home/mantisbt/mantisbt-2.22.1/core/custom_field_api.php on line 392

This is in the code

function custom_field_ensure_exists( $p_field_id ) {
if( custom_field_exists( $p_field_id ) ) {
return true;
} else {
error_parameters( 'Custom ' . $p_field_id );
trigger_error( ERROR_CUSTOM_FIELD_NOT_FOUND, ERROR ); <-------------------- line 392

Steps To Reproduce

Create a simple API update

$c = new stdClass;
$c->id = $id;
$c->custom_fields = array(
'field'=>array('id'=>999), //Not a valid ID

$jsonData = json_encode($c);

//-------------> PUSH TO API

TagsNo tags attached.


related to 0026540 closeddregad Passing unsanitized data to type hinted function causes program crash 
related to 0026542 closeddregad Passing out of range custom field id causes multiple PHP warnings / incorrect response 


Related Changesets

MantisBT: master b01b6779

2020-02-02 16:22:27


Details Diff
Get & validate custom field using standard API

Use mci_get_custom_field_id_from_objectref() to retrieve the custom
field's id.

Throw exceptions if
- the returned Id == 0 (invalid field)
- the field is not linked to the current project

Fixes 0026541
Affected Issues
mod - api/soap/mc_project_api.php Diff File