View Issue Details

ID: 0026636
Project: mantisbt
Category: installation
View Status: public
Last Update: 2020-03-15 15:23
Reporter: Daltenburg
Assigned To: dregad
Status: closed
Resolution: fixed
Target Version: 2.24.0
Fixed in Version: 2.24.0
Summary: 0026636: Apostrophe in custom_field_string table causes upgrade from < 1.2.0 to fail

Original summary: SQL Blocker in install (Updating From Extremely old Mantis Version)

When attempting to update from Mantis 1.0.5 to Mantis 2.23.0 by navigating to /admin/install.php and clicking 'upgrade database',
if the mantis_custom_field_string_table.values column contains an apostrophe/single quote (') the process fails with:

check the manual that corresponds to your MariaDB server version for the right syntax to use near 'instant)|'
WHERE field_id = 5
AND bug_id = 1610' at line 2 for the query: UPDATE mantis_custom_field_string_table
SET value = '|E (pour l'instant)|'
WHERE field_id = 5
AND bug_id = 1610.

The issue is with this function in: mantisbt-2.23.0\core\install_helper_functions_api.php @ line 412

The lack of parameterized queries here probably constitutes a security vulnerability, albeit a very low severity one.

Steps To Reproduce
  1. Install/Configure Mantis BT 1.0.3
  2. Enter some information in the custom_field_string database table that contains an apostrophe (single quote) [like, "|E (pour l'instant)|"]
  3. Follow the steps in Mantis Upgrade guide (saving configs, etc)
  4. Navigate to /admin/install.php and attempt to upgrade
Additional Information

I'm sorry it took me 15 years to update my Mantis Software.

2020-01-29 03:42

developer   ~0063530


Can you please test with updated code in PR and let me know if it fixes the problem.



2020-01-29 09:14

reporter   ~0063532

Fix confirmed!

I cloned your fork "dregad/mantisbt" and checked out i26636-upgrade-apostrophe.
Then retested and got past the blocker!

Thanks for that outstandingly quick response.

confirmfix-26636.jpg (167,716 bytes)   


2020-01-29 09:32

developer   ~0063534

Thanks for the feedback, glad to hear that the problem is fixed.

Related Changesets

MantisBT: master 88cefc7d
2020-01-29 03:40:03

Use query parameters in install helper function

install_correct_multiselect_custom_fields_db_format() injected actual
field values in the update SQL queries, which is a potential source for
SQL injection, and causes the upgrade from MantisBT < 1.2.0 to fail when
custom_field_table contains an apostrophe.

Fixes 0026636

Modified: core/install_helper_functions_api.php
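The failure in the report and the fix in the changeset, as an added example that is not MantisBT's own code: a Python/sqlite3 stand-in for the custom field string table, with the string-concatenating "before" beside the parameterized "after". Table and column names follow the page; the pipe-wrapping step is an assumed simplification of what the upgrade helper does, and the sample rows are constructed.

```python
import sqlite3

# Constructed stand-in for mantis_custom_field_string_table: one multiselect
# value with an apostrophe (the row from the report) and one harmless row.
SAMPLE_ROWS = [
    (5, 1610, "E (pour l'instant)"),
    (5, 1611, "A"),
]

SELECT_ROWS = "SELECT field_id, bug_id, value FROM mantis_custom_field_string_table"


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE mantis_custom_field_string_table "
                 "(field_id INTEGER, bug_id INTEGER, value TEXT)")
    conn.executemany("INSERT INTO mantis_custom_field_string_table VALUES (?, ?, ?)",
                     SAMPLE_ROWS)
    return conn


def to_multiselect_format(value):
    # Assumed simplification of the upgrade helper: wrap the stored value in
    # pipes so it becomes |a|b| (the form seen in the failing query).
    return "|" + value + "|"


def upgrade_concatenated(conn):
    """'Before': the new value is spliced into the SQL text. Returns errors."""
    errors = []
    for field_id, bug_id, value in conn.execute(SELECT_ROWS).fetchall():
        query = ("UPDATE mantis_custom_field_string_table SET value = '"
                 + to_multiselect_format(value) + "' WHERE field_id = "
                 + str(field_id) + " AND bug_id = " + str(bug_id))
        try:
            conn.execute(query)  # the apostrophe terminates the literal early
        except sqlite3.OperationalError as e:
            errors.append((bug_id, str(e)))
    conn.commit()
    return errors


def upgrade_parameterized(conn):
    """'After': placeholders in the SQL, values bound by the driver."""
    for field_id, bug_id, value in conn.execute(SELECT_ROWS).fetchall():
        conn.execute("UPDATE mantis_custom_field_string_table SET value = ? "
                     "WHERE field_id = ? AND bug_id = ?",
                     (to_multiselect_format(value), field_id, bug_id))
    conn.commit()
    return dict(conn.execute("SELECT bug_id, value FROM mantis_custom_field_string_table"))
```

The concatenated path reproduces the syntax error on bug 1610 while silently updating the other row; the parameterized path updates both rows regardless of the quote.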