bad check for the first parameter in property_exists() (src/Api/API.php: Line 1983) #15227

Closed
JJ2CC opened this issue Jul 17, 2023 · 0 comments · Fixed by #15228

Comments


JJ2CC commented Jul 17, 2023

Code of Conduct

  • I agree to follow this project's Code of Conduct

Is there an existing issue for this?

  • I have searched the existing issues

Version

10.0.7

Bug description

In the file src/Api/API.php (method updateItems), there is an inconsistency in the argument check for property_exists.
That function checks whether its first argument is a string or an object, but at line 1953 there is a condition that means this argument can only be an array.

Line 1953: if (is_array($input)) { # test whether input is an array
......
Line 1983: if (!property_exists($input, $fk_parent)) { # and that is where it all goes wrong!

This will cause an exception to be thrown, hence the message 'Uncaught Exception TypeError: property_exists(): Argument #1 ($object_or_class) must be of type object|string, array given in /var/www/glpi-10.0.7/src/Api/API.php at line 1983'

Consequences:
API calls to update fields under these conditions will not go through.
Since the exception is not trapped properly, the REST API call will return an HTTP/200 status code.
Seul le fichier d'er

Relevant log output

[2023-07-13 18:09:18] glpiphplog.CRITICAL:   *** Uncaught Exception TypeError: property_exists(): Argument #1 ($object_or_class) must be of type object|string, array given in /var/www/glpi-10.0.7/src/Api/API.php at line 1983
  Backtrace :
  src/Api/API.php:1985                               property_exists()
  src/Api/APIRest.php:326                            Glpi\Api\API->updateItems()
  apirest.php:57                                     Glpi\Api\APIRest->call()
  public/index.php:73                                require()

Page URL

No response

Steps To reproduce

- Deploy the fields plugin.

- Add an additional field 'toto' on 'computer'.

- Run a search on computers using the criterion "Plugins - Additional fields - List" and the field toto, in order to find the id (present in the URL is_deleted=0&as_map=0&browse=0&criteria[0][link]=AND&criteria[0][field]=76811&criteria[0][searchtype]=notcontains&criteria[0][value]=^%24&itemtype=Compute ... ).
On my instance it is therefore 76811.

- Make a call to update this field.
curl --insecure -v --compressed -X PUT \
-H "Content-Type: ${CONTENTTYPE}" \
-H "App-Token: ${CFG_GLPI_CNX_API_TOKEN}" \
-H "Session-Token: ${SESSION_TOKEN}" \
-d '{
"input": {
"id": 76811,
"totofield": "Test"
}}' "${URL}"

- Confirm:
the HTTP return code is 200
the update is not applied
the exception is present in the file glpi/files/_log/php-errors.log

Your GLPI setup information

System, installation and configuration information
GLPI 10.0.7 ( => /var/www/glpi-10.0.7)
Installation mode: TARBALL
Current language:fr_FR

Server
 
Operating system: Linux BURSVQAPPGLP101 5.10.0-23-amd64 #1 SMP Debian 5.10.179-1 (2023-05-12) x86_64
PHP 8.1.9 apache2handler (Core, FFI, PDO, Phar, Reflection, SPL, SimpleXML, Zend OPcache, apache2handler, bz2, calendar, ctype,
curl, date, dom, exif, fileinfo, filter, ftp, gd, gettext, hash, iconv, imap, intl, json, ldap, libxml, mbstring, mysqli,
mysqlnd, openssl, pcre, pdo_mysql, posix, readline, session, shmop, sockets, sodium, standard, sysvmsg, sysvsem, sysvshm,
tokenizer, xml, xmlreader, xmlrpc, xmlwriter, xsl, zip, zlib)
Setup: max_execution_time="30" memory_limit="128M" post_max_size="10M" safe_mode="" session.save_handler="files"
upload_max_filesize="10M"
Software: Apache/2.4.56 (Debian) (Apache/2.4.56 (Debian) Server at qualif-itsm.consortnt.fr Port 80
)
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0
Server Software: Debian 11
Server Version: 10.5.19-MariaDB-0+deb11u2
Server SQL Mode: STRICT_TRANS_TABLES,ERROR_FOR_DIVISION_BY_ZERO,NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION
Parameters: glpi_dev@localhost/GLPI_10_0_7
Host info: Localhost via UNIX socket

PHP version (8.1.9) is supported.
Sessions configuration is OK.
Allocated memory is sufficient.
mysqli extension is installed.
Following extensions are installed: dom, fileinfo, json, simplexml.
curl extension is installed.
gd extension is installed.
intl extension is installed.
libxml extension is installed.
zlib extension is installed.
The constant SODIUM_CRYPTO_AEAD_XCHACHA20POLY1305_IETF_NPUBBYTES is present.
Database engine version (10.5.19) is supported.
No files from previous GLPI version detected.
The log file has been created successfully.
Write access to /var/www/glpi-10.0.7/files/_cache has been validated.
Write access to /var/www/glpi-10.0.7/config has been validated.
Write access to /var/www/glpi-10.0.7/files/_cron has been validated.
Write access to /var/www/glpi-10.0.7/files has been validated.
Write access to /var/www/glpi-10.0.7/files/_dumps has been validated.
Write access to /var/www/glpi-10.0.7/files/_graphs has been validated.
Write access to /var/www/glpi-10.0.7/files/_lock has been validated.
Write access to /var/www/glpi-10.0.7/files/_pictures has been validated.
Write access to /var/www/glpi-10.0.7/files/_plugins has been validated.
Write access to /var/www/glpi-10.0.7/files/_rss has been validated.
Write access to /var/www/glpi-10.0.7/files/_sessions has been validated.
Write access to /var/www/glpi-10.0.7/files/_tmp has been validated.
Write access to /var/www/glpi-10.0.7/files/_uploads has been validated.

Web server root directory configuration seems safe.
PHP directive "session.cookie_httponly" should be set to "on" to prevent client-side script to access cookie values.
OS and PHP are relying on 64 bits integers.
exif extension is installed.
ldap extension is installed.
openssl extension is installed.
Following extensions are installed: bz2, Phar, zip.
Zend OPcache extension is installed.
Following extensions are installed: ctype, iconv, mbstring, sodium.
Write access to /var/www/glpi-10.0.7/marketplace has been validated.
Timezones seems loaded in database.

LDAP directories
 
Server: 'scspgp06', Port: '389', BaseDN: 'DC=consortnt-grp,DC=fr', Connection filter:
'(&(objectClass=user)(objectCategory=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))', RootDN:
'CN=Administrateur,CN=Users,DC=consortnt-grp,DC=fr', Use TLS: none

SQL replicas
 
Not active

Notifications
 
Way of sending emails: PHP

Plugins list
 
appliances Name: Applicatifs Version: 3.1.1 State: Error / to clean
Install Method: Manual
webapplications Name: Applications Web Version: 3.0.0 State: Error / to clean
Install Method: Manual
badges Name: Badges Version: 3.0.0 State: Enabled
Install Method: Manual
databases Name: Bases de données Version: 2.3.2 State: Error / to clean
Install Method: Manual
fields Name: Champs supplémentaires Version: 1.20.4 State: Enabled
Install Method: Manual
behaviors Name: Comportements Version: 2.7.2 State: Enabled
Install Method: Manual
accounts Name: Comptes Version: 3.0.3 State: Enabled
Install Method: Manual
datainjection Name: Data Injection Version: 2.13.0 State: Enabled
Install Method: Manual
environment Name: Environnement Version: 2.4.1 State: Error / to clean
Install Method: Manual
glpiinventory Name: GLPI Inventory Version: 1.2.1 State: Enabled
Install Method: Manual
myawebservice Name: MYA WEB SERVICE Version: 1.0.32 State: Error / to clean
Install Method: Manual
mreporting Name: Plus de rapports Version: 1.8.2 State: Enabled
Install Method: Manual
validationchange Name: Validation change Version: 1.0.1 State: Error / to clean
Install Method: Manual

Anything else?

The curl call works on 9.5.11.
The problem seems to exist for every GLPI version >= 10.0.0.
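The two failure modes described in the report, the type mismatch and the untrapped exception that still yields a 200, as an added PHP illustration that is not GLPI's code; `brokenCheck`, `fieldExists` and `respond` are hypothetical names and the payload is constructed to match the reporter's PUT body:

```php
<?php
declare(strict_types=1);

// Same shape as the reported check: the caller guards with is_array($input)
// and then hands the array to property_exists(), which only accepts
// object|string. On PHP 8 that is a TypeError, not a false return.
function brokenCheck(array $input, string $fkParent): bool
{
    return property_exists($input, $fkParent);
}

// Type-aware replacement: arrays are tested with array_key_exists(),
// objects with property_exists(), anything else is reported as absent.
function fieldExists(mixed $input, string $name): bool
{
    if (is_array($input)) {
        return array_key_exists($name, $input);
    }
    if (is_object($input)) {
        return property_exists($input, $name);
    }
    return false;
}

// Minimal REST-style wrapper: any Throwable escaping the handler becomes a
// 5xx status and a log line, so a client never sees 200 for a failed update.
function respond(callable $handler): int
{
    try {
        $handler();
        return 200;
    } catch (\Throwable $e) {
        error_log('API failure: ' . get_class($e) . ': ' . $e->getMessage());
        return 500;
    }
}

// Constructed sample input, same keys as the curl body in the report.
$input = ['id' => 76811, 'totofield' => 'Test'];

// The original check throws; the wrapper turns it into a 500 instead of 200.
echo respond(fn () => brokenCheck($input, 'computers_id')), PHP_EOL;

// The corrected check handles arrays and objects without throwing.
var_dump(fieldExists($input, 'totofield'));
var_dump(fieldExists($input, 'computers_id'));
var_dump(fieldExists((object) $input, 'id'));
```

Run with `php example.php` on PHP 8.x; the first line printed is the status the wrapper would return for the failing check.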
