Edgewall Software

Changes between Initial Version and Version 1 of Ticket #2759


Timestamp:
Feb 14, 2006, 9:48:06 AM (16 years ago)
Author:
Christopher Lenz
Comment:
(fixed description)

  • Ticket #2759 – Description

    unchanged:

    While looking through Trac's Search stuff in trunk, I've noticed that the search logic is far too easily fooled (some require malicious intent, some do not).  Here are some examples (I have quoted what I actually searched for; that does not mean I used quotes in the text input field unless there are quotes inside the string):

    initial:

    1) searching for "'core feature'" returns 1 result (not highlighted)
    2) " 'core feature'" returns 0 results; the problem is the query_to_sql() function only matches quotes at the beginning or end of the query.  If someone wants to do a moderately complex search (i.e., "foo 'bar baz'"), they will not get the results they expect.
    3) ""core feature"" returns 1 result, and replaces the " with " in the text input field.
    4) ""core feature"" (which is what the text input window contains after searching for ""core feature"") returns 0 results
    5) "a" fails the 'too short' test.
    6) "%a%" happily returns every result in the database.
    7) "_a_" also will return every result in the database.
    8) ditto for "'a'"
    9) "\%a" doesn't actually tell me how many results it finds (I assume the SQL query it's running is invalid, but I'm not sure how to turn on query logging in SQLite).  It returns 4 wiki pages, however.

    v1:

    1. searching for "'core feature'" returns 1 result (not highlighted)
    2. " 'core feature'" returns 0 results; the problem is the query_to_sql() function only matches quotes at the beginning or end of the query.  If someone wants to do a moderately complex search (i.e., "foo 'bar baz'"), they will not get the results they expect.
    3. ""core feature"" returns 1 result, and replaces the " with " in the text input field.
    4. ""core feature"" (which is what the text input window contains after searching for ""core feature"") returns 0 results
    5. "a" fails the 'too short' test.
    6. "%a%" happily returns every result in the database.
    7. "_a_" also will return every result in the database.
    8. ditto for "'a'"
    9. "\%a" doesn't actually tell me how many results it finds (I assume the SQL query it's running is invalid, but I'm not sure how to turn on query logging in SQLite).  It returns 4 wiki pages, however.

    initial:

    These are all done on a fresh, default Trac install (r2894).  #9 is worrisome, as if there is unquoted SQL making its way into the database, that's a security risk.  I will follow up shortly w/ a patch to rework this search stuff.

    v1:

    These are all done on a fresh, default Trac install (r2894).  9 is worrisome, as if there is unquoted SQL making its way into the database, that's a security risk.  I will follow up shortly w/ a patch to rework this search stuff.
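The two mechanisms the report touches, phrase tokenising that only recognises quotes at the ends of the query and LIKE wildcards reaching the database unescaped, can be shown side by side. The following is an added example written for this page; it is not Trac's query_to_sql() or any other code from the Trac project. The table `pages`, the column `body`, `MIN_TERM_LENGTH` and the sample rows are constructed for the demonstration. Quoted phrases are accepted anywhere in the query, every term is bound as a parameter, and `%`, `_` and the escape character are escaped, so "%a%" matches only text that literally contains %a% and a backslash in a term is just another literal character.

```python
import re
import sqlite3

# Constructed for this example; none of these names come from Trac.
MIN_TERM_LENGTH = 3
LIKE_ESCAPE = '\\'

# A token is a double-quoted phrase, a single-quoted phrase, or a bare word
# (anything up to whitespace or a quote), wherever it appears in the query.
_TOKEN_RE = re.compile(r'"([^"]*)"|\'([^\']*)\'|([^\s"\']+)')


def parse_query(query):
    """Split a search string into terms; quoted phrases may sit anywhere."""
    terms = []
    for match in _TOKEN_RE.finditer(query):
        term = next(g for g in match.groups() if g is not None).strip()
        if term:  # an empty pair of quotes contributes nothing
            terms.append(term)
    return terms


def escape_like(term):
    """Make LIKE metacharacters literal so "%a%" matches the text %a% only."""
    return (term.replace(LIKE_ESCAPE, LIKE_ESCAPE * 2)
                .replace('%', LIKE_ESCAPE + '%')
                .replace('_', LIKE_ESCAPE + '_'))


def build_like_query(query):
    """Return (sql, params); user text is only ever passed as a parameter."""
    terms = parse_query(query)
    if not terms:
        raise ValueError('empty query')
    short = [t for t in terms if len(t) < MIN_TERM_LENGTH]
    if short:
        raise ValueError('search term too short: %r' % short[0])
    # One LIKE clause per term; ESCAPE names the character escape_like() used.
    clause = "body LIKE ? ESCAPE '%s'" % LIKE_ESCAPE
    sql = 'SELECT id FROM pages WHERE ' + ' AND '.join([clause] * len(terms))
    params = ['%' + escape_like(t) + '%' for t in terms]
    return sql, params


# Constructed sample corpus (hypothetical wiki page bodies).
SAMPLE_PAGES = [
    (1, 'the core feature list for the search module'),
    (2, 'nothing of interest on this page'),
    (3, 'import is 100% complete'),
    (4, 'the a_b page describes underscores'),
]


def search(query):
    """Run the query against an in-memory SQLite copy of SAMPLE_PAGES."""
    conn = sqlite3.connect(':memory:')
    try:
        conn.execute('CREATE TABLE pages (id INTEGER PRIMARY KEY, body TEXT)')
        conn.executemany('INSERT INTO pages VALUES (?, ?)', SAMPLE_PAGES)
        sql, params = build_like_query(query)
        return [row[0] for row in conn.execute(sql, params)]
    finally:
        conn.close()


if __name__ == '__main__':
    print(parse_query("foo 'bar baz'"))   # ['foo', 'bar baz']
    for q in ["'core feature'", '%a%', '_a_', 'a_b', '100%', '\\%a']:
        print('%-16r -> %r' % (q, search(q)))
```

The tokenizer treats an unbalanced quote as a separator rather than as a phrase opener, so `it's` becomes the terms `it` and `s` (the second of which then fails the length check); a real implementation would want to decide that case deliberately. The length check runs after tokenising, which is why "'a'" is rejected rather than stripped to an empty pattern.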