0026541: Passing invalid id to rest api custom field update causes program crash - MantisBT

ID	Project	Category	View Status	Date Submitted	Last Update

0026541	mantisbt	api rest	public	2019-12-30 12:38	2020-03-15 15:23

Reporter	mnewnham	Assigned To	dregad
Priority	normal	Severity	minor	Reproducibility	always
Status	closed	Resolution	fixed
Product Version	2.22.1
Target Version	2.24.0	Fixed in Version	2.24.0

Summary	0026541: Passing invalid id to rest api custom field update causes program crash
Description	A trivial update to a custom field, with an invalid custom field id causes the following untrapped error (reported in Apache log): PHP Fatal error: 1300 in /home/mantisbt/mantisbt-2.22.1/core/custom_field_api.php on line 392 This is in the code function custom_field_ensure_exists( $p_field_id ) { if( custom_field_exists( $p_field_id ) ) { return true; } else { error_parameters( 'Custom ' . $p_field_id ); trigger_error( ERROR_CUSTOM_FIELD_NOT_FOUND, ERROR ); <-------------------- line 392 } }
Steps To Reproduce	Create a simple API update $c = new stdClass; $c->id = $id; $c->custom_fields = array( array( 'field'=>array('id'=>999), //Not a valid ID 'value'=>123 ) ); $jsonData = json_encode($c); //-------------> PUSH TO API
Tags	No tags attached.

MantisBT: master b01b6779 2020-02-02 11:22 dregad Details Diff	Get & validate custom field using standard API Use mci_get_custom_field_id_from_objectref() to retrieve the custom field's id. Throw exceptions if - the returned Id == 0 (invalid field) - the field is not linked to the current project Fixes 0026541		Affected Issues 0026541
	mod - api/soap/mc_project_api.php		Diff File

related to	0026540	closed	dregad	Passing unsanitized data to type hinted function causes program crash
related to	0026542	closed	dregad	Passing out of range custom field id causes multiple PHP warnings / incorrect response

dregad 2020-02-02 17:00 developer ~0063555	PR https://github.com/mantisbt/mantisbt/pull/1622