View Issue Details

ID: 0037133
Project: mantisbt
Category: ui
View Status: public
Last Update: 2026-05-16 13:29
Reporter: raspopov
Assigned To: community
Priority: normal
Severity: minor
Reproducibility: always
Status: assigned
Resolution: open
Product Version: 2.28.3
Target Version: 2.29.0
Summary: 0037133: The buttons on the “Access Denied” widget may contain incorrect links
Description

For example, the “/admin/login_page.php?return=admin%2Findex.php” is converted to “admin/login_page.php?return=admin%2Findex.php” for the "Login" button.

Steps To Reproduce

The following conditions must be met:

  • MantisBT must be located in the root directory of the site, i.e., $g_short_path = '/'.
  • The page displaying the “Access Denied” widget must be located in a subdirectory, such as “/admin/”, and require administrator privileges.
  • The user must not be logged in.
  • Anonymous user logins must be enabled ($g_allow_anonymous_login = ON) so that the “Access Denied” widget is displayed when an access error occurs, rather than a redirect.

Additional Information

This happens because the root “/” is stripped from relative URLs in the string_sanitize_url() function, which prepares the links for the widget buttons.
In our case, when the following line is executed:

        return ( !empty( $t_script_path ) ? $t_script_path . '/' : '' ) . $t_script . $t_query . $t_anchor;

the variables $t_script_path and $t_script are both empty strings, so the root “/” is not restored.
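
The mechanism described above, as an added PHP illustration that is not MantisBT's own string_sanitize_url() code: a simplified split-and-rejoin of a site-relative URL that mirrors the quoted return statement, shown beside a hypothetical fix that restores the root “/”. The helper names split_relative_url(), rebuild_buggy() and rebuild_fixed() are assumptions for this example, the input URLs are constructed, and the real function does considerably more (scheme, host and path sanitising) than this model.

```php
<?php
// Added illustration, not MantisBT's string_sanitize_url(): a minimal
// split-and-rejoin of a site-relative URL that mirrors the return statement
// quoted in the report, so the lost root "/" can be seen, plus a fixed variant.

function split_relative_url( string $p_url ): array {
    // Separate path, query and fragment (widget links carry no scheme or host).
    $t_parts  = parse_url( $p_url );
    $t_path   = $t_parts['path'] ?? '';
    $t_query  = isset( $t_parts['query'] ) ? '?' . $t_parts['query'] : '';
    $t_anchor = isset( $t_parts['fragment'] ) ? '#' . $t_parts['fragment'] : '';

    // Directory part and script name. dirname('/login_page.php') is '/', and
    // trimming the slashes here reproduces the condition from the report:
    // $t_script_path ends up as '' when MantisBT lives in the site root.
    $t_script_path = trim( dirname( $t_path ), '/' );
    $t_script      = basename( $t_path );

    return [ $t_script_path, $t_script, $t_query, $t_anchor, $t_path ];
}

// Reassembly as quoted in the report: an empty $t_script_path emits no
// separator at all, so an absolute path silently becomes a relative one and
// the browser resolves it against the current directory (here "/admin/").
function rebuild_buggy( string $p_url ): string {
    [ $t_script_path, $t_script, $t_query, $t_anchor ] = split_relative_url( $p_url );
    return ( !empty( $t_script_path ) ? $t_script_path . '/' : '' ) . $t_script . $t_query . $t_anchor;
}

// Hypothetical fix (assumption for this example, not the project's patch):
// remember whether the input path was absolute and restore the root "/".
function rebuild_fixed( string $p_url ): string {
    [ $t_script_path, $t_script, $t_query, $t_anchor, $t_path ] = split_relative_url( $p_url );
    $t_root = ( $t_path !== '' && $t_path[0] === '/' ) ? '/' : '';
    return $t_root . ( !empty( $t_script_path ) ? $t_script_path . '/' : '' ) . $t_script . $t_query . $t_anchor;
}

// Constructed inputs: the "Login" button link from the report and an admin page link.
foreach ( [ '/login_page.php?return=admin%2Findex.php', '/admin/index.php' ] as $t_url ) {
    echo 'buggy: ', rebuild_buggy( $t_url ), PHP_EOL;
    echo 'fixed: ', rebuild_fixed( $t_url ), PHP_EOL;
}
```

Run it with `php` from the command line; the buggy variant drops the leading slash from both inputs, while the fixed variant keeps them site-absolute, which is what a button rendered on a page under “/admin/” needs in order to reach “/login_page.php” rather than “/admin/login_page.php”.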

Tags: No tags attached.

Activities

raspopov (reporter), 2026-05-15 11:14, ~0071115

PR: https://github.com/mantisbt/mantisbt/pull/2222

raspopov (reporter), 2026-05-15 11:19, ~0071116

> For example, the “/admin/login_page.php?return=admin%2Findex.php” is converted to “admin/login_page.php?return=admin%2Findex.php” for the "Login" button.

Oops, I meant that the link for the button should be “/login_page.php?return=admin%2Findex.php”, but because the “/” is missing, it turns into “login_page.php?return=admin%2Findex.php” and since the button is on the “/admin/” page, the full path becomes “/admin/login_page.php?return=admin%2Findex.php”.

dregad (developer), 2026-05-16 13:08, ~0071120

Nice catch, thanks @raspopov.

> MantisBT must be located in the root directory of the site, i.e., $g_short_path = '/'.

Just checking: are you actually setting $g_short_path (because normally you should not), or just stating that it holds / as set by core.php?

raspopov (reporter), 2026-05-16 13:29, ~0071121

By core.php, automatically.