Open Bug 364096 Opened 18 years ago Updated 11 years ago

The 'mybugstemplate' parameter is not filtered in templates (and its default value should use & instead of &amp;)

Product/Component: Bugzilla :: Administration
Type: task
Version: 2.23.3
Priority: Not set
Severity: minor
Status: ASSIGNED
Reporter: reed
Assignee: reed
Attachments: 1 file, 2 obsolete files

Currently, mybugstemplate uses &amp; and defaultquery uses &. The two parameters either both need to use &amp; or both need to use &. Using & will generate invalid HTML unless the href is filtered with url_quote first. &amp; is valid HTML.
Attached patch Use &amp; for both - v1 (obsolete) — Splinter Review
Use &amp; for both.
Assignee: administration → reed
Status: NEW → ASSIGNED
Attachment #248886 - Flags: review?(LpSolit)
Attached patch Use & for both - v1 (obsolete) — Splinter Review
Use & for both.
Attachment #248887 - Flags: review?(LpSolit)
Please choose one patch or the other, depending on what you decide to do. I will fix the issue of the url_quote filter not being used in another bug, so I haven't included it in the & one.
Comment on attachment 248886 [details] [diff] [review]
Use &amp; for both - v1

Too dangerous as an admin could change it back to &, by accident.
Attachment #248886 - Flags: review?(LpSolit) → review-
Comment on attachment 248887 [details] [diff] [review]
Use & for both - v1

Some places are not correctly filtered with this change. They must be fixed in the same patch.
Attachment #248887 - Flags: review?(LpSolit) → review-
Use & for mybugstemplate and then add FILTER html to places that were missing it.
Attachment #248886 - Attachment is obsolete: true
Attachment #248887 - Attachment is obsolete: true
Attachment #248926 - Flags: review?(LpSolit)
> Created an attachment (id=248926) [edit]

you should add a note on the admin page (admin/params/query...),
 something like:
<br>Note " _
"that this value will be escaped so use unescaped " _
"strings e.g.: &amp; instead of &amp;amp;.
The problem with this bug/patch is that the query stored in data/params should be converted too, independently of the fix chosen (&amp; or & for both queries). I tested attachment 248926 [details] [diff] [review], and Apache seems to be able to parse it correctly anyway, even though the URL is now:

https://localhost/bugzilla/buglist.cgi?bug_status=UNCONFIRMED&amp;bug_status=NEW&amp;bug_status=ASSIGNED&amp;bug_status=REOPENED&amp;emailassigned_to1=1&amp;emailreporter1=1&amp;emailtype1=exact&amp;email1=LpSolit%40netscape.net&amp;field0-0-0=bug_status&amp;type0-0-0=notequals&amp;value0-0-0=UNCONFIRMED&amp;field0-0-1=reporter&amp;type0-0-1=equals&amp;value0-0-1=LpSolit%40netscape.net

When I click the "Edit Search" link, I get the following weird URL:

https://localhost/bugzilla/query.cgi?amp=&amp=&amp=&amp=&amp=&amp=&amp=&amp=&amp=&amp=&amp=&amp=&amp=&bug_status=UNCONFIRMED&bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&email1=LpSolit%40netscape.net&emailassigned_to1=1&emailreporter1=1&emailtype1=exact&field-1-0-0=bug_status&field-1-1-0=assigned_to&field-1-1-1=reporter&field0-0-0=bug_status&field0-0-1=reporter&query_format=advanced&remaction=&type-1-0-0=anyexact&type-1-1-0=anyexact&type-1-1-1=anyexact&type0-0-0=notequals&type0-0-1=equals&value-1-0-0=UNCONFIRMED%2CNEW%2CASSIGNED%2CREOPENED&value-1-1-0=LpSolit%40netscape.net&value-1-1-1=LpSolit%40netscape.net&value0-0-0=UNCONFIRMED&value0-0-1=LpSolit%40netscape.net

Don't ask me how this URL has been generated, I have no idea. But the query form is correctly filled. So I may accept this patch as is, but I want some feedback/comments first.
Comment on attachment 248926 [details] [diff] [review]
Use & and add filter - v2

Per discussion with mkanat on IRC, this patch still has to convert the 'mybugstemplate' parameter stored in data/params. You do it from Bugzilla::Config::update_params().
Attachment #248926 - Flags: review?(LpSolit) → review-
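The failure mode this thread circles around, as an added example written in Python rather than the Perl and Template Toolkit that Bugzilla uses (it is not Bugzilla's code): a URL-valued parameter has to be stored with raw `&` and escaped exactly once, at output, by the template's html filter. Storing `&amp;` and then filtering double-escapes it, so the browser follows a URL whose separators are literally `&amp;`. Assumptions: `html_filter` approximates Template Toolkit's `html` filter; `parse_query` assumes CGI.pm's rule of splitting the query string on either `&` or `;`; `%userid%` is taken to be the login placeholder in mybugstemplate; and `DEFAULT_WITH_ENTITIES` is a constructed, shortened value, not the real default.

```python
"""Added example (not Bugzilla code): store a URL-valued parameter with raw '&',
escape once at output, and see what a stored '&amp;' does once FILTER html is
applied on top of it."""
import html
import re
from urllib.parse import quote, unquote_plus

# Assumption: "%userid%" is the placeholder mybugstemplate uses for the login.
USERID_PLACEHOLDER = "%userid%"

# Constructed sample default (shortened), with '&amp;' separators like the old
# mybugstemplate default; upgrade_param() turns it into the raw-'&' form.
DEFAULT_WITH_ENTITIES = ("buglist.cgi?bug_status=UNCONFIRMED&amp;bug_status=NEW"
                         "&amp;email1=%userid%&amp;emailtype1=exact")


def html_filter(s: str) -> str:
    """Approximation of Template Toolkit's `html` filter: escape & < > and the
    double quote. Every '&' becomes '&amp;', including one already in '&amp;'."""
    return (s.replace("&", "&amp;").replace("<", "&lt;")
             .replace(">", "&gt;").replace('"', "&quot;"))


def upgrade_param(value: str) -> str:
    """One-shot conversion of a stored value from '&amp;' to '&' separators, the
    step the review asks Bugzilla::Config::update_params() to perform. A value
    already using raw '&' passes through unchanged, so re-running it is harmless."""
    return value.replace("&amp;", "&")


def render_href(param_value: str, login: str, filtered: bool) -> str:
    """The href attribute value the template emits for the My Bugs link.
    `filtered` models whether the template applies FILTER html to it."""
    url = param_value.replace(USERID_PLACEHOLDER, quote(login, safe=""))
    return html_filter(url) if filtered else url


# An '&' that does not start a character reference: the "invalid HTML" case.
_BARE_AMP = re.compile(r"&(?![A-Za-z][A-Za-z0-9]*;|#\d+;|#[xX][0-9A-Fa-f]+;)")


def has_bare_ampersand(attr: str) -> bool:
    """True if the attribute value contains an unescaped '&'."""
    return _BARE_AMP.search(attr) is not None


def parse_query(url: str) -> dict:
    """Parse the query string the way CGI.pm does (assumption: it splits on
    both '&' and ';'); returns {name: [values]} so repeated names survive."""
    qs = url.partition("?")[2]
    params: dict = {}
    for pair in re.split(r"[&;]", qs):
        if pair == "":
            continue
        name, _, value = pair.partition("=")
        params.setdefault(unquote_plus(name), []).append(unquote_plus(value))
    return params


def link_outcome(param_value: str, login: str, filtered: bool) -> dict:
    """End to end: template output, the browser's single entity decode when the
    link is followed, then the server-side parse of what arrived."""
    href = render_href(param_value, login, filtered)
    followed = html.unescape(href)  # browsers decode entities exactly once
    return {
        "href": href,
        "valid_html": not has_bare_ampersand(href),
        "params": parse_query(followed),
    }


if __name__ == "__main__":
    login = "LpSolit@netscape.net"
    raw = upgrade_param(DEFAULT_WITH_ENTITIES)
    cases = [
        ("&amp; stored, unfiltered (old default)", DEFAULT_WITH_ENTITIES, False),
        ("&amp; stored, FILTER html (v2 without conversion)", DEFAULT_WITH_ENTITIES, True),
        ("raw & stored, unfiltered (invalid HTML)", raw, False),
        ("raw & stored, FILTER html (intended fix)", raw, True),
    ]
    for label, value, filtered in cases:
        out = link_outcome(value, login, filtered)
        print(f"{label}: valid_html={out['valid_html']} params={out['params']}")
```

Under that splitting rule each `&amp;` separator in the followed URL parses as an empty parameter named `amp` followed by the intended name, so the intended parameters still arrive and the form is filled correctly; the quoted buglist URL has thirteen `&amp;` separators, which is consistent with the thirteen `amp=` entries in the quoted "Edit Search" URL. The combination that is both valid HTML and free of stray parameters is the last case: raw `&` in storage, html filter at output, which is why the stored value has to be converted as well.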
The Bugzilla 3.0 branch is now locked to security bugs and dataloss fixes only. This bug doesn't fit into one of these two categories and is retargeted to 3.2 as part of a mass-change. To catch bugmails related to this mass-change, use lts081207 in your email client filter.
Target Milestone: Bugzilla 3.0 → Bugzilla 3.2
Bugzilla 3.2 is restricted to security bugs only. Moreover, this bug is either assigned to nobody or got no traction for several months now. Rather than retargeting it at each new release, I'm clearing the target milestone and the bug will be retargeted to some sensible release when someone starts fixing this bug for real (Bugzilla 3.8 more likely).
Target Milestone: Bugzilla 3.2 → ---
Summary: Bugzilla/Config/Query.pm's defaults for mybugstemplate and defaultquery should either use &amp; or &, not both! → The 'mybugstemplate' parameter is not filtered in templates (and its default value should use & instead of &amp;)