View Issue Details

IDProjectCategoryView StatusLast Update
0028803mantisbtcustom fieldspublic2021-06-17 12:40
Reporterfxm Assigned Todregad  
PriorityhighSeveritymajorReproducibilityalways
Status closedResolutionfixed 
Target Version2.25.2Fixed in Version2.25.2 
Summary0028803: PHP 8: "Bad Request" error on custom field filters
Description

Since update from PHP 7 to PHP 8, a "bad request" message is displayed in filter for custom fields.

Additional Information

PHP 8 is mandatory due to security issues in PHP 7.

TagsPHP 8

Activities

fxm

fxm

2021-06-15 03:21

reporter  

BadRequest Mantis.PNG (16,095 bytes)   
BadRequest Mantis.PNG (16,095 bytes)   
atrol

atrol

2021-06-15 06:00

developer   ~0065622

PHP 8 is mandatory due to security issues in PHP 7.

I would expect that PHP 7.3 and 7.4 do still get security fixes.
https://www.php.net/supported-versions.php

fxm

fxm

2021-06-15 08:32

reporter   ~0065623

Last edited: 2021-06-15 10:23

Hi @atrol

After discussion with my security officer, I downgrade PHP version from 8.0.4 to 7.4.20 and issue is solved.

It can be set in a lower priority.

dregad

dregad

2021-06-15 10:57

developer   ~0065624

Always the same issue with security guys... ;-)

Do you have arguments to use last 7 version in place of 8 ?

What about

  • MantisBT has a known bug with PHP 8.0.7 version so we can't use that until it gets fixed, and
  • PHP 7.4 is fully supported and get sall security updates as per the link provided earlier

@atrol as you have confirmed the issue, I assume you were able to replicate it (I didn't try myself), can you provide steps to reproduce ? Or or @fxm details information about your Environment and Test case custom fields definition.

atrol

atrol

2021-06-15 11:23

developer   ~0065625

IIRC I found the same issue some weeks ago using PHP 8.0.3 on a Windows XAMPP environment.
Creating a custom field (any type) and trying to filter by the field should be enough to reproduce the issue.

dregad

dregad

2021-06-15 18:17

developer   ~0065630

OK I can reproduce it. So the AJAX fails in return_dynamic_filters.php at line 91:

$t_content = @call_user_func_array( 'filter_form_get_input', array( $t_filter, $filter_target, true ) );

filter_form_get_input() call fails (i.e. function throws ERROR_FILTER_NOT_FOUND error, but due to change in @ operator behavior in which no longer silences fatal errors on PHP 8 [1], the error is not caught as it was on earlier versions.

dregad

dregad

2021-06-15 19:33

developer   ~0065631

PR https://github.com/mantisbt/mantisbt/pull/1757

Related Changesets

MantisBT: master-2.25 c56be779

2021-06-15 19:21:06

dregad

Details Diff
filter_form_get_input() now throws StateException

Previously the function called trigger_error() and returned false to
handle usage of @ operator by caller. This no longer works on PHP 8, so
we now throw an exception instead.

Issue 0028803
Affected Issues
0028803
mod - core/filter_form_api.php Diff File

MantisBT: master-2.25 8bece942

2021-06-15 19:27:12

dregad

Details Diff
Remove usage of @ operator

Replace with try/catch block.

Fixes 0028803
Affected Issues
0028803
mod - return_dynamic_filters.php Diff File