1088086 - Possible duplicate search doesn't return any results if you input "a->b" (for any a/b)

Status: RESOLVED FIXED

(Bugzilla :: Database, defect)

Description

[:Gijs (he/him)]

Probably an HTML escaping issue? Marking s-s until we're sure this isn't exploitable in any way (I expect not, but even so, better safe than sorry, yada yada).

Comment 1

[:glob ✱]

what do you mean by "breaks" exactly?

when i try this, i don't see any error messages, and the search appears to execute correctly.

Comment 2

[:Gijs (he/him)]

(In reply to Byron Jones ‹:glob› from comment #1)
> what do you mean by "breaks" exactly?
> 
> when i try this, i don't see any error messages, and the search appears to
> execute correctly.

I mean there are never any results.

Comment 3

[:Gijs (he/him)]

In particular, on:

https://bugzilla.mozilla.org/enter_bug.cgi?product=bugzilla.mozilla.org&component=Extensions%3A%20GuidedBugEntry

if I put in:

"Guided bug flow should"

I get a number of results.

If I put in:

"Guided bug flow->should"

or

"Guided bug flow should top->bottom"

I get 0 results.

Comment 4

[:glob ✱]

this looks like bad quoting when generating the full-text search query.

the following sql is generated:
> MATCH(bugs_fulltext.short_desc) AGAINST('\\"guided|should|a->b\\"' IN BOOLEAN MODE)
it should be:
> MATCH(bugs_fulltext.short_desc) AGAINST('guided|should|\\"a->b\\"' IN BOOLEAN MODE)

i suspect B::DB::Mysql::sql_fulltext_search() needs to split $text on boolean operators before quoting un-quoted compound words.

Comment 5

[:Gijs (he/him)]

(In reply to Byron Jones ‹:glob› from comment #4)
> this looks like bad quoting when generating the full-text search query.
> 
> the following sql is generated:
> > MATCH(bugs_fulltext.short_desc) AGAINST('\\"guided|should|a->b\\"' IN BOOLEAN MODE)
> it should be:
> > MATCH(bugs_fulltext.short_desc) AGAINST('guided|should|\\"a->b\\"' IN BOOLEAN MODE)
> 
> i suspect B::DB::Mysql::sql_fulltext_search() needs to split $text on
> boolean operators before quoting un-quoted compound words.

Does this also explain that the same thing happens for e.g.:

"Remove timeouts for panel hiding/showing listeners in browser/**/head.js"

? (removing the double '**' fixes this)

Comment 6

[:glob ✱]

(In reply to :Gijs Kruitbosch from comment #5)
> Does this also explain that the same thing happens for e.g.:
> "Remove timeouts for panel hiding/showing listeners in browser/**/head.js"
> ? (removing the double '**' fixes this)

yes, that's the same issue.

Comment 7

[:glob ✱]

Attachment: 1088086_1.patch

Comment 8

[Dylan Hardison [:dylan] (he/him)]

Comment on attachment 8552956 [details] [diff] [review]
1088086_1.patch

Review of attachment 8552956 [details] [diff] [review]:
-----------------------------------------------------------------

r=dylan

Comment 9

[:Gijs (he/him)]

Did this not land yet?

I'm also seeing issues when my summary is:

Reader mode offered on index/"home" pages rather than articles


Is that the same bug, or should I file a new one?

Comment 10

[:glob ✱]

(In reply to :Gijs Kruitbosch from comment #9)
> Did this not land yet?

this is an upstream "bugzilla the product" bug so even if it were marked as resolved/fixed, it doesn't mean it will automatically be deployed to bmo.

dylan forgot to ask for approval, so this bug was sitting in upstream limbo.


sorry about that; requesting approval (from myself); i'll circle back around to this once this coffee starts working and ensure it's committed to the bmo repo as well as bugzilla itself.

Comment 11

[:glob ✱]

To ssh://gitolite3@git.mozilla.org/bugzilla/bugzilla.git
   9ec7ae7..720e7d4  master -> master

To ssh://gitolite3@git.mozilla.org/bugzilla/bugzilla.git
   16009fb..9f1e365  5.0 -> 5.0

and bmo:

To ssh://gitolite3@git.mozilla.org/webtools/bmo/bugzilla.git
   ac997a9..3978f0c  master -> master