0010966: No Errors shown at all if error_reporting=0 configured at server - MantisBT - Signup temporarily disabled due to spam

ID	Project	Category	View Status	Date Submitted	Last Update

0010966	mantisbt	security	public	2009-09-19 09:40	2016-10-12 06:36

Reporter	Danez	Assigned To	dregad
Priority	high	Severity	major	Reproducibility	always
Status	closed	Resolution	fixed
Product Version	1.2.0rc1
Target Version	1.2.18	Fixed in Version	1.2.18

Summary	0010966: No Errors shown at all if error_reporting=0 configured at server
Description	If on the Server error_reporting=0 is configured, no errors at all (no EUSER* !!!!) are shown. That's because of this 3 lines in the error_handler: if( 0 == error_reporting() ) { return; } This 3 lines depend on the fact, that error_reporting for the system is set to E_ALL^E_NOTICE, but that's not so everywhere. Adding error_reporting(E_ALL^E_NOTICE) to the top of /core.php is very important.
Steps To Reproduce	set error_reporting in php.ini to 0 restart web server goto Manage->Custom Fields Add a Custom Field without a name normally an error is displayed that name is empty, not if error_reporting=0
Additional Information	I'm not on the latest git version, but as far as i can see in the code this is not fixed yet.
Tags	patch, security

has duplicate	0013990	closed	dregad	Vulnerability in verify.php in case of wrong php configuration
related to	0015524	closed	dregad	Incorrect error_reporting value or setting in Apache skips required fields validation in Issue Report
related to	0016059	closed	dregad	System should warn users when debug settings are enabled
related to	0016142	closed	atrol	User registration accepts empty user name and/or email address
related to	0016208	closed	dregad	Doesn`t ask for confirmation in POST request to create task
related to	0021795	closed	dregad	E_USER_DEPRECATED is not detected if error_reporting=0

dhx 2009-09-19 10:44 reporter ~0022973	Does adding: `$g_show_detailed_errors = ON; $g_display_errors = array(E_WARNING => 'halt', E_NOTICE => 'halt', E_USER_ERROR => 'halt', E_USER_WARNING => 'halt', E_USER_NOTICE => 'halt');` to config_inc.php resolve this issue?

Danez 2009-09-19 11:07 reporter ~0022977	No, this has no effect.

Danez 2009-09-20 07:35 reporter ~0022986	fixed there: http://git.mantisforge.org/w/mantisbt/dtschinder.git?a=commit;h=d62133529ead678d31528e965614461b92d12561

dhx 2009-09-21 22:25 reporter ~0022998	I can see what the problem is now, but I'm not sure I agree with the patch. I think we should be reading the value of error_reporting() and then applying changes from the $g_display_errors setting on top of the PHP defaults. The patch here seems to force Mantis to trap all predefined PHP error constants with the exception of E_NOTICE as defined at http://www.php.net/manual/en/errorfunc.constants.php This completely ignores the values set in php.ini which seems wrong to me. I don't mind if Mantis can be configured to overrule the values in php.ini, as long as it is optional (and disabled by default). The exception is the EUSER* errors which are within Mantis' domain - these should be enabled all the time (ignoring php.ini) unless the user specifically disables them via $g_display_errors. Any thoughts on this?

Danez 2009-09-27 11:11 reporter ~0023036 Last edited: 2009-09-27 20:55	I committed a patch that adds all EUSER* errors to the error_reporting. This only adds these errors and leaves all other errors (E_WARNING,E_NOTICE,...) as they are. http://git.mantisforge.org/w/mantisbt/dtschinder.git?a=commit;h=d30ac1919391577e35301b2a6824dd5ecea8d2de

dregad 2013-07-23 17:50 developer ~0037522	FYI, fix available at https://github.com/dregad/mantisbt/commit/cec454931df5a99d03ff22aabf8901648ff3d549, testing & feedback welcome

jehannes 2013-09-25 09:54 reporter ~0038111	Background: we configure most of our production environments to error_reporting(0) and to make the practise consistent, we configured this for mantis as well. So we encountered this problem too. Test: I added your fix to our mantis environment and verified that validation result is now respected (i.e. that the trigger_error-call stops further execution of the flow). Feedback: none really, I like the fix.

dregad 2013-09-25 12:25 developer ~0038112	Thanks for testing !

dregad 2014-11-15 08:26 developer ~0041855	Backported to 1.2.x branch as a security fix, as it was identified in 0013990 that in a system with error_reporting = 0, an attacker could gain unauthorized access to the system via verify.php page. We will not request a CVE for this, as MantisBT (before this fix) is basically not functioning in such a scenario, so it's highly unlikely that someone would run with this configuration for long.

MantisBT: master-1.2.x ef3e1d48 2013-06-14 13:49 dregad Details Diff	Force reporting of E_USER_* in error api Solves the problem of Mantis silently proceeding through errors that should effectively stop code execution, when error_reporting is disabled in php.ini or apache mod config. This follows @davidhicks recommendation in comment 0010966:0022998. Fixes 0010966 Backported from master cec454931df5a99d03ff22aabf8901648ff3d549.		Affected Issues 0010966
	mod - core/error_api.php		Diff File
MantisBT: master cec45493 2013-06-14 19:49 dregad Details Diff	Force reporting of E_USER_* in error api Solves the problem of Mantis silently proceeding through errors that should effectively stop code execution, when error_reporting is disabled in php.ini or apache mod config. This follows @davidhicks recommendation in comment 0010966:0022998. Fixes 0010966		Affected Issues 0010966
	mod - core/error_api.php		Diff File
MantisBT: master-1.3.x 4ee0da6e 2016-10-12 02:31 dregad Details Diff	Let Error API capture E_USER_DEPRECATED by default Following introduction of DEPRECATED error type in issue 0017837, it was omitted to add E_USER_DEPRECATED to the list of error types captured by default. This prevented handling when error_reporting=0. Follow-up on issue 0010966, cec454931df5a99d03ff22aabf8901648ff3d549 Fixes 0021795		Affected Issues 0010966, 0017837, 0021795
	mod - core/error_api.php		Diff File