View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0026798 | mantisbt | administration | public | 2020-03-19 12:26 | 2021-03-07 18:30 |
Reporter | atrol | Assigned To | dregad | ||
Priority | normal | Severity | minor | Reproducibility | always |
Status | closed | Resolution | fixed | ||
Target Version | 2.25.0 | Fixed in Version | 2.25.0 | ||
Summary | 0026798: PHP warning in config_get_global | ||||
Description | In some cases config_get_global gives ERROR_CONFIG_OPT_NOT_FOUND warning
This is WAD at the moment and happens for any string configuration option where function config_eval is not able to reference a variable.
In typical use cases there is no problem, but the approach itself is not clean and can lead to real life issues, e.g this post in forum Most of the time there is just the warning without any visible side effect, e.g. set
but there are also strange restrictions because of this, e.g. you can't set something like
| ||||
Tags | No tags attached. | ||||
related to | 0021604 | new | Discuss recursive configuration options |
Options to fix
Comments welcome |
|
Not sure if you are aware that since 1.2.0rc1, as a workaround |
|
While it is true that there are a few config options such as A simple check in config_eval(), making sure that the matched value is an existing global variable would probably do the trick (except for an improbable scenario where An alternative would be to define a global variable, whitelisting all the configs that should never be eval'ed, similar to $g_public_config_names, e.g.
Then a simple in_array() lookup in config_eval() could skip the preg_match and replacement loop for those configs. Of course we could also consider reversing the logic, i.e. implement this array as a list of configs where eval is allowed; I guess this would be closer to your intention of removing config_eval() (0021604), which I'm not convinced is something we should do. EDIT: submitted the note by mistake, before I was done typing... |
|
PR https://github.com/mantisbt/mantisbt/pull/1635 implements the simple sanity check I mentioned in 0026798:0063783, which resolves the issue described here. @atrol let me know if you feel it's worth pursuing the whitelist config option alternative, in that case it should probably be tracked separately. |
|
Thanks for the hint, I wasn't aware of that
Sounds good as it fixes > 99,99% of real use cases, but complicates the rule when you have to use the escape workaround and when it works without escaping.
Not as an alternative, but an additional functionality.
I still think that removing wouldn't be that bad. |
|
MantisBT: master 7fffd663 2020-03-21 09:02 Details Diff |
Fix warning in config_get_global() When config_eval() references an unknown config option, the code throws an ERROR_CONFIG_OPT_NOT_FOUND warning. To avoid this unwanted behavior, we now check that the config option to replace actually exists before calling config_get()/config_get_global(). If not, the variable will be left as-is in the returned value. Fixes 0026798 |
Affected Issues 0026798 |
|
mod - core/config_api.php | Diff File | ||
MantisBT: master c2d6c3dd 2020-03-28 08:51 Details Diff |
Fix warning and code cleanup in config_eval() Issue 0026798 PR https://github.com/mantisbt/mantisbt/pull/1635 |
Affected Issues 0026798 |
|
mod - core/config_api.php | Diff File |