View Issue Details

ID: 0026142
Project: mantisbt
Category: plug-ins
View Status: public
Last Update: 2023-04-16 08:02
Reporter: dregad
Assigned To: dregad
Priority: normal
Severity: feature
Reproducibility: N/A
Status: closed
Resolution: fixed
Target Version: 2.25.0
Fixed in Version: 2.25.0
Summary: 0026142: Improve handling of invalid / incorrectly installed plugins
Description

When installing plugins in a MantisBT instance, or when moving / upgrading MantisBT, there are several things that can go wrong:

  • The case of the directory in which the plugin is installed does not exactly match the plugin's name
  • A registered plugin is no longer present on disk
  • The plugin code could be invalid
  • etc.

Currently, some of these scenarios are not detected by Core, making it difficult for the administrator to figure out what is wrong (or that something is wrong to begin with).

If there are any invalid plugins, the Manage Plugins page should detect them and present the administrator with a list, allowing them to fix the problem.

Tags: No tags attached.

Relationships

parent of 0017487 (closed, dregad): Validate plugin folder name and name match during setup
parent of 0026143 (closed, dregad): Admin checks should detect invalid / incorrectly installed plugins
related to 0029688 (closed, dregad): CVE-2022-26144: XSS in manage_plugin_page.php and manage_plugin_uninstall.php

Activities

dregad

2019-09-15 15:07

developer   ~0062808

Last edited: 2019-09-15 15:10

Consider the following scenario: a MantisBT instance with a successfully installed 3rd party plugin (e.g. Announce).

  • Migrate MantisBT to a new location (fresh install, copying the database -> the plugin was not migrated)
  • Install a new plugin (e.g. Snippets), but create the directory with wrong case (snippets)
  • For the sake of testing, throw in a couple of invalid plugins (with undefined name / version properties in the plugin's base class)

Contents of plugin directory:

$ ls -1 plugins
Gravatar
MantisCoreFormatting
MantisGraph
snippets
TestInvalidNoName
TestInvalidNoVersion
Web.config
XmlImportExport

Contents of mantis_plugin_table:

mysql> select * from mantis_plugin_table;
+----------------------+---------+-----------+----------+
| basename             | enabled | protected | priority |
+----------------------+---------+-----------+----------+
| MantisCoreFormatting |       1 |         0 |        3 |
| Gravatar             |       1 |         0 |        3 |
| Announce             |       1 |         0 |        3 |
+----------------------+---------+-----------+----------+
3 rows in set (0.00 sec)

None of these errors are visible on the GUI (except for possibly missing menu items, etc. as the plugins are not registered) as shown on the screenshot below.
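
The mismatches in this scenario can be found by comparing the plugin directory with the rows of mantis_plugin_table. The script below is an added example, not MantisBT's own detection code: the function names, the regex heuristics and the sample tree are constructed here, and it assumes the plugins/<Basename>/<Basename>.php layout with a <Basename>Plugin class.

```python
import re
import tempfile
from pathlib import Path

# Assumption: <Basename>.php declares class <Basename>Plugin and sets $this->name / $this->version.
def check_dir(d):
    """Return a problem string for one plugin directory, or None."""
    files = {f.name for f in d.iterdir()}
    main = f"{d.name}.php"
    if main not in files:
        # Compare listed names, so case-insensitive filesystems give the same answer.
        if main.lower() in {n.lower() for n in files}:
            return "case mismatch"
        return "missing main file"
    src = (d / main).read_text(errors="replace")
    if not re.search(rf"class\s+{re.escape(d.name)}Plugin\s+extends\s+\w+", src):
        return "missing class"
    for prop in ("name", "version"):
        if not re.search(rf"\$this->{prop}\s*=", src):
            return f"undefined {prop}"
    return None

def audit_plugins(plugin_dir, registered):
    """Map basename -> problem for registered rows and on-disk directories."""
    dirs = sorted(p for p in Path(plugin_dir).iterdir() if p.is_dir())
    problems = {n: "missing" for n in registered if n not in {p.name for p in dirs}}
    for d in dirs:
        if problem := check_dir(d):
            problems[d.name] = problem
    return problems

def build_sample(root):
    """Constructed tree mirroring the listing above; returns the registered basenames."""
    name, ver = "$this->name = 'x';", "$this->version = '1';"
    spec = {"Gravatar": name + ver, "MantisCoreFormatting": name + ver,
            "MantisGraph": name + ver, "XmlImportExport": name + ver, "snippets": name + ver,
            "TestInvalidNoName": ver, "TestInvalidNoVersion": name}
    for folder, body in spec.items():
        cls = folder[0].upper() + folder[1:]  # 'snippets' holds Snippets.php
        Path(root, folder).mkdir()
        Path(root, folder, f"{cls}.php").write_text(
            f"<?php class {cls}Plugin extends MantisPlugin {{ function register() {{ {body} }} }}")
    Path(root, "Web.config").write_text("")  # plain file, skipped by the audit
    return ["MantisCoreFormatting", "Gravatar", "Announce"]

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for basename, problem in audit_plugins(tmp, build_sample(tmp)).items():
            print(f"{basename}: {problem}")
```

The property check is a text heuristic on the plugin source; it does not load or execute the plugin code.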

dregad

2019-09-15 15:38

developer   ~0062809

Last edited: 2019-09-15 15:44

PR https://github.com/mantisbt/mantisbt/pull/1565

See attached screenshots showing what the test scenario looks like with the new code, in

  • Manage Plugins Page
  • Admin Checks

Note that if there are no invalid or missing plugins, the section is not displayed.

new_admin_checks.png (39,421 bytes)   
dregad

2019-09-15 15:42

developer   ~0062810

For the record, here are the 2 dummy invalid plugins I used for testing.

Related Changesets

MantisBT: master 11a6d0de

2021-01-16 04:43

dregad


Improve handling of invalid plugins

When installing plugins in a MantisBT instance, or when moving /
upgrading MantisBT there are several things that can go wrong:

- The case of the directory in which the plugin is installed does not
exactly match the plugin's name
- A registered plugin is no longer present on disk
- The plugin code could be invalid
- etc.

This feature branch adds an "Invalid plugins" section on Manage Plugins
page, allowing the Administrator to identify issues and eventually fix
them.

Fixes 0026142, PR https://github.com/mantisbt/mantisbt/pull/1565
Affected Issues
0026142
add - admin/check/check_plugins_inc.php
mod - admin/check/index.php
add - core/classes/InvalidDefinitionPlugin.class.php
add - core/classes/InvalidPlugin.class.php
mod - core/classes/MantisPlugin.class.php
add - core/classes/MissingClassPlugin.class.php
add - core/classes/MissingPlugin.class.php
mod - core/plugin_api.php
mod - lang/strings_english.txt
mod - manage_plugin_page.php
mod - manage_plugin_uninstall.php
mod - manage_plugin_upgrade.php

MantisBT: master-2.25 54ef8296

2023-04-13 10:31

dregad


Allow installation of plugins without dependencies

The refactoring of manage_plugin_page with objects [1] introduced a
regression, preventing user from installing plugins without any
dependencies (i.e. having 'requires' property null or empty array).

Fixes 0032390

[1]: issue 0026142, commit c1076a520e38fb823c61ef540c2cf7da6e58aec2
Affected Issues
0026142, 0032390
mod - manage_plugin_page.php