0017806: Upgrade your installation consistently failing - MantisBT - Signup temporarily disabled due to spam

ID	Project	Category	View Status	Date Submitted	Last Update

0017806	mantisbt	installation	public	2014-10-26 00:28	2014-12-22 08:22

Reporter	syncguru	Assigned To	vboctor
Priority	high	Severity	block	Reproducibility	always
Status	closed	Resolution	fixed
Product Version	1.3.0dev
Target Version	1.3.0-beta.1

Summary	0017806: Upgrade your installation consistently failing
Description	Trying to upgrade mantisbt demo database for v1.3 is consistently failing. The error is related to the call to unserialize() for both token and filters. Upon further investigation. It appears that there are two different format for serialized values in mantis_tokens_table & mantis_filters_table tables. One generated by php serialization and the other with json serialization. Deleting php-serialized entries in both tables fixed this issue. The sql queries I used are as follows: delete from mantis_tokens_table where value like '{%'; delete from mantis_filters_table where filter_string like 'v9#{%';
Steps To Reproduce	With existing database with v.1.2 schema: 1- Go to admin/inddex.php 2- You should see 'upgrade your installation' tab enabled and hilighted 3- Click on that tab will take you to admin/install.php 4- Click upgrade
Tags	No tags attached.

vboctor 2014-10-26 01:24 manager ~0041664	This is a real blocker for 1.3. There was already some regression and discussion about this. Original Work and Reasoning: https://github.com/mantisbt/mantisbt/pull/225/ Regression Bug:0017605 Regression Pull Request: https://github.com/mantisbt/mantisbt/pull/274 We should consider whether we want to fix this or revert the changes.

vboctor 2014-10-26 01:26 manager ~0041665	Reminder sent to: atrol, dregad, rombert @atrol, @dregad, @rombert - thoughts about fix vs. revert?

rombert 2014-10-27 04:16 reporter ~0041671	My opinion goes to revert, unless someone wants to take a stab at a real fix. IIUC the original reasoning was that 'php.net recommends JSON over PHP serialization'. Browsing through http://ro1.php.net/manual/en/function.unserialize.php and http://ro1.php.net/manual/en/function.serialize.php I found two arguments Performance - JSON encoding/decoding is faster Security - unserialiasing untrusted/unvalidated input is risky IMO none of the above apply to MantisBT so let's revert this change before it goes in a release.

dregad 2014-10-27 08:00 developer ~0041672	Performance - JSON encoding/decoding is faster Security - unserialiasing untrusted/unvalidated input is risky IMO none of the above apply to MantisBT so let's revert this change before it goes in a release. Actually, I beg to differ on 1 - I implemented a patch a while ago to fix bad performance on admin config page, which was due to (un)serializing data in systems with many configs (e.g. user-specific column preferences), see 0013680. Although this particular issue is now resolved, I still think it's worth switching to JSON. That being said, there is no critical need to have this change in 1.3.0, so I am not opposed to reverting on principle; on the other hand, considering that this required schema updates, a simple git revert would probably not be sufficient as we need to consider implications on the DB and ensure full backwards compatibility (including to installations made from 'master' and not an official release). For that reason, although I have not looked in details to be sure, it may be simpler and certainly safer to fix this rather than revert.

dregad 2014-10-27 08:18 developer ~0041675	I created 0017809 to track the original implementation of the feature.

vboctor 2014-10-31 00:11 manager ~0041718	Here is the pull request: https://github.com/mantisbt/mantisbt/pull/532

MantisBT: master d774b890 2014-10-30 19:58 vboctor Details Diff	Fix token upgrade error If a user is already logged in and visits a page, then it may create a token using the json encoding. Then user goes to upgrade the php unserialize() fails. Now we check in case of php unserialize() failure that the token isn't a valid json token before erroring out. Fixes 0017806		Affected Issues 0017806
	mod - core/install_helper_functions_api.php		Diff File
MantisBT: master b420f322 2014-10-30 20:03 vboctor Details Diff	Go to install after login if db upgrade required If admin checks are enabled and database upgrade is required then redirect to install page instead of the return or default pages. This will help direct the user towards upgrading rather than visiting normal pages and getting php errors. Fixes 0017806		Affected Issues 0017806
	mod - login.php		Diff File
	mod - login_page.php		Diff File
MantisBT: master b5b08678 2014-11-01 21:23 vboctor Details Diff	Merge pull request 0000532 from vboctor/Issue17806_UpgradeError Fixes 0017806: Upgrade your installation consistently failing The admin checks were mostly moved as is to the top of the page to use them to set a hidden field on the form. However, the warnings are displayed at the same location as before.		Affected Issues 0017806
	mod - core/install_helper_functions_api.php		Diff File
	mod - login.php		Diff File
	mod - login_page.php		Diff File