Opened 18 years ago

Last modified 10 years ago

#2759 closed defect

Search query is too simplistic — at Version 1

Reported by: Andres Salomon <dilinger@…> Owned by: Jonas Borgström
Priority: normal Milestone: 0.10
Component: search system Version: none
Severity: major Keywords:
Cc: dserodio@… Branch:
Release Notes:
API Changes:
Internal Changes:

Description (last modified by Christopher Lenz)

Hi,

While looking through Trac's Search stuff in trunk, I've noticed that the search logic is far too easily fooled (some require malicious intent, some do not). Here are some examples (I have quoted what I actually searched for; that does not mean I used quotes in the text input field unless there are quotes inside the string):

  1. searching for "'core feature'" returns 1 result (not highlighted)
  2. " 'core feature'" returns 0 results; the problem is the query_to_sql() function only matches quotes at the beginning or end of the query. If someone wants to do a moderately complex search (ie, "foo 'bar baz'"), they will not get the results they expect.
  3. ""core feature"" returns 1 result, and replaces the " with &#34; in the text input field.
  4. "&#34;core feature&#34;" (which is what the text input window contains after searching for ""core feature"") returns 0 results
  5. "a" fails the 'too short' test.
  6. "%a%" happily returns every result in the database.
  7. "_a_" also will return every result in the database.
  8. ditto for "'a'"
  9. "\%a" doesn't actually tell me how many results it finds (i assume the sql query it's running is invalid, but I'm not sure how to turn on query logging in sqlite). It returns 4 wiki pages, however.

These are all done on a fresh, default Trac install (r2894). Item 9 is worrisome, since if there is unquoted SQL making its way into the database, that's a security risk. I will follow up shortly w/ a patch to rework this search stuff.
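The following Python sketch is an added illustration and is not Trac's own query_to_sql() nor the reporter's attached patch. It shows one way to address items 2 and 5 through 9 above: tokenise the query so quoted phrases anywhere in the string stay intact, escape the LIKE metacharacters % and _ with an explicit ESCAPE clause so they cannot match every row, apply the "too short" check to the literal term, and pass every user-supplied term as a bound parameter rather than splicing it into the SQL. The function names, the 3-character minimum term length and the sample wiki rows are assumptions made for this example; it replays the ticket's queries against an in-memory SQLite table.

```python
import re
import sqlite3

# Illustrative code, not Trac's query_to_sql(); names and the 3-character
# minimum term length are assumptions made for this example.
MIN_TERM_LEN = 3
ESCAPE_CHAR = '\\'

# A double-quoted phrase, a single-quoted phrase, or a bare word.
_TOKEN_RE = re.compile(r'"([^"]*)"|\'([^\']*)\'|(\S+)')


def parse_query(query):
    """Split a search string into terms, keeping quoted phrases intact.

    Quotes may appear anywhere in the string, so "foo 'bar baz'" yields
    ['foo', 'bar baz'] instead of only honouring quotes at the ends.
    """
    terms = []
    for match in _TOKEN_RE.finditer(query):
        if match.group(1) is not None:
            term = match.group(1)
        elif match.group(2) is not None:
            term = match.group(2)
        else:
            # Bare word; drop a stray unmatched quote character.
            term = match.group(3).strip('"\'')
        term = term.strip()
        if term:
            terms.append(term)
    return terms


def escape_like(term):
    """Escape % and _ (and the escape character itself) so a term matches
    literally.  Without this, '%a%' or '_a_' matches every row."""
    return (term.replace(ESCAPE_CHAR, ESCAPE_CHAR * 2)
                .replace('%', ESCAPE_CHAR + '%')
                .replace('_', ESCAPE_CHAR + '_'))


def query_to_sql(query, column):
    """Build a WHERE clause and its bound parameters for a search query.

    `column` must be a trusted identifier chosen by the application, never
    user input; user-supplied text only ever travels in the parameter list.
    Raises ValueError when no term survives the minimum-length check.
    """
    terms = [t for t in parse_query(query) if len(t) >= MIN_TERM_LEN]
    if not terms:
        raise ValueError('search term too short')
    clause = ' AND '.join(
        f"{column} LIKE ? ESCAPE '{ESCAPE_CHAR}'" for _ in terms)
    params = ['%' + escape_like(t) + '%' for t in terms]
    return clause, params


def build_sample_db():
    """Constructed sample data standing in for Trac's wiki table."""
    conn = sqlite3.connect(':memory:')
    conn.execute('CREATE TABLE wiki (name TEXT, text TEXT)')
    conn.executemany('INSERT INTO wiki VALUES (?, ?)', [
        ('WikiStart', 'Trac is a core feature of our workflow'),
        ('TracSearch', 'The search system has a 100% hit rate'),
        ('Sandbox', 'nothing to see here'),
    ])
    return conn


def count_matches(conn, query):
    """Return the number of wiki rows matching `query`, or the string
    'too short' when the query is rejected before reaching the database."""
    try:
        clause, params = query_to_sql(query, 'text')
    except ValueError:
        return 'too short'
    cursor = conn.execute('SELECT COUNT(*) FROM wiki WHERE ' + clause, params)
    return cursor.fetchone()[0]


def run_examples():
    """Replay the queries from the ticket against the constructed data."""
    conn = build_sample_db()
    queries = ["'core feature'", " 'core feature'", "Trac 'core feature'",
               'a', "'a'", '%a%', '_a_', '\\%a', '100%']
    return {q: count_matches(conn, q) for q in queries}


if __name__ == '__main__':
    for query, result in run_examples().items():
        print(repr(query), '->', result)
```

With this arrangement the wildcard queries from items 6 and 7 return nothing (they now look for a literal "%a%" or "_a_"), item 9's backslash is a harmless literal rather than a chance for malformed SQL, and a legitimate term containing a metacharacter such as "100%" still finds the page that contains it.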

Change History (3)

comment:1 by Christopher Lenz, 18 years ago

Description: modified (diff)

(fixed description)

by Andres Salomon <dilinger@…>, 18 years ago

Attachment: trac-search-r2894.patch added

handle search quoting more intelligently; against r2894.

by Andres Salomon <dilinger@…>, 18 years ago

Attachment: trac-search2-r2894.patch added

don't replace quotes w/ html entities; against r2894
