View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0010966 | mantisbt | security | public | 2009-09-19 09:40 | 2016-10-12 06:36 |
Reporter | Danez | Assigned To | dregad | ||
Priority | high | Severity | major | Reproducibility | always |
Status | closed | Resolution | fixed | ||
Product Version | 1.2.0rc1 | ||||
Target Version | 1.2.18 | Fixed in Version | 1.2.18 | ||
Summary | 0010966: No Errors shown at all if error_reporting=0 configured at server | ||||
Description | If on the Server error_reporting=0 is configured, no errors at all (no EUSER* !!!!) are shown. if( 0 == error_reporting() ) { This 3 lines depend on the fact, that error_reporting for the system is set to E_ALL^E_NOTICE, but that's not so everywhere. Adding error_reporting(E_ALL^E_NOTICE) to the top of /core.php is very important. | ||||
Steps To Reproduce |
normally an error is displayed that name is empty, not if error_reporting=0 | ||||
Additional Information | I'm not on the latest git version, but as far as i can see in the code this is not fixed yet. | ||||
Tags | patch, security | ||||
has duplicate | 0013990 | closed | dregad | Vulnerability in verify.php in case of wrong php configuration |
related to | 0015524 | closed | dregad | Incorrect error_reporting value or setting in Apache skips required fields validation in Issue Report |
related to | 0016059 | closed | dregad | System should warn users when debug settings are enabled |
related to | 0016142 | closed | atrol | User registration accepts empty user name and/or email address |
related to | 0016208 | closed | dregad | Doesn`t ask for confirmation in POST request to create task |
related to | 0021795 | closed | dregad | E_USER_DEPRECATED is not detected if error_reporting=0 |
Does adding:
to config_inc.php resolve this issue? |
|
No, this has no effect. |
|
fixed there: |
|
I can see what the problem is now, but I'm not sure I agree with the patch. I think we should be reading the value of error_reporting() and then applying changes from the $g_display_errors setting on top of the PHP defaults. The patch here seems to force Mantis to trap all predefined PHP error constants with the exception of E_NOTICE as defined at http://www.php.net/manual/en/errorfunc.constants.php This completely ignores the values set in php.ini which seems wrong to me. I don't mind if Mantis can be configured to overrule the values in php.ini, as long as it is optional (and disabled by default). The exception is the EUSER* errors which are within Mantis' domain - these should be enabled all the time (ignoring php.ini) unless the user specifically disables them via $g_display_errors. Any thoughts on this? |
|
I committed a patch that adds all EUSER* errors to the error_reporting. |
|
FYI, fix available at https://github.com/dregad/mantisbt/commit/cec454931df5a99d03ff22aabf8901648ff3d549, testing & feedback welcome |
|
Background: we configure most of our production environments to error_reporting(0) and to make the practise consistent, we configured this for mantis as well. So we encountered this problem too. Test: I added your fix to our mantis environment and verified that validation result is now respected (i.e. that the trigger_error-call stops further execution of the flow). Feedback: none really, I like the fix. |
|
Thanks for testing ! |
|
Backported to 1.2.x branch as a security fix, as it was identified in 0013990 that in a system with error_reporting = 0, an attacker could gain unauthorized access to the system via verify.php page. We will not request a CVE for this, as MantisBT (before this fix) is basically not functioning in such a scenario, so it's highly unlikely that someone would run with this configuration for long. |
|
MantisBT: master-1.2.x ef3e1d48 2013-06-14 13:49 Details Diff |
Force reporting of E_USER_* in error api Solves the problem of Mantis silently proceeding through errors that should effectively stop code execution, when error_reporting is disabled in php.ini or apache mod config. This follows @davidhicks recommendation in comment 0010966:0022998. Fixes 0010966 Backported from master cec454931df5a99d03ff22aabf8901648ff3d549. |
Affected Issues 0010966 |
|
mod - core/error_api.php | Diff File | ||
MantisBT: master cec45493 2013-06-14 19:49 Details Diff |
Force reporting of E_USER_* in error api Solves the problem of Mantis silently proceeding through errors that should effectively stop code execution, when error_reporting is disabled in php.ini or apache mod config. This follows @davidhicks recommendation in comment 0010966:0022998. Fixes 0010966 |
Affected Issues 0010966 |
|
mod - core/error_api.php | Diff File | ||
MantisBT: master-1.3.x 4ee0da6e 2016-10-12 02:31 Details Diff |
Let Error API capture E_USER_DEPRECATED by default Following introduction of DEPRECATED error type in issue 0017837, it was omitted to add E_USER_DEPRECATED to the list of error types captured by default. This prevented handling when error_reporting=0. Follow-up on issue 0010966, cec454931df5a99d03ff22aabf8901648ff3d549 Fixes 0021795 |
Affected Issues 0010966, 0017837, 0021795 |
|
mod - core/error_api.php | Diff File |