Closed Bug 285090 Opened 20 years ago Closed 20 years ago

crash in describecomponents.cgi if a normal user click on components link from query.cgi

Categories

(Bugzilla :: Query/Bug List, defect, P2)

RESOLVED FIXED
Bugzilla 2.20

People

(Reporter: liviu.coman, Assigned: altlist)

Attachments

(1 file)

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.6) Gecko/20050225 Firefox/1.0.1
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.6) Gecko/20050225 Firefox/1.0.1

I created a new product with security data sets (that means a group was created
for this product). Then I created a user that belongs to this group. When I log
in with this user I land on the query page "Simple Mode". I click on Advanced
Mode and I see only the Product & Components that I created above.
If I click on the component link I receive:

Software error:

DBD::mysql::st execute failed: You have an error in your SQL syntax.  Check the
manual that corresponds to your MySQL server version for the right syntax to use
near 'ORDER BY name' at line 1 [for Statement "SELECT name, initialowner,
initialqacontact, description FROM components WHERE product_id =  ORDER BY
name"] at Bugzilla/DB.pm line 62
	Bugzilla::DB::SendSQL('SELECT name, initialowner, initialqacontact, description
FROM co...') called at /home/docroot/bugzilla/htdocs/describecomponents.cgi line 88



Reproducible: Always
update title
Summary: crash in query.cgi if a normal user click on components link → crash in describecomponents.cgi if a normal user click on components link from query.cgi
Easy to make this happen... you should not even need to have any special
privilege set up.
The query is being done using $product_id which is only set if you use
describecomponents to find components of a specific product.
It needs to be fixed to convert the product name to an id before the query.

Status: UNCONFIRMED → NEW
Ever confirmed: true
Priority: -- → P2
Target Milestone: --- → Bugzilla 2.20
I'm not seeing this problem.  Describecomponents.cgi automatically creates a
"choose-product" if you don't specify a product in the first place.  

How many products do you have?  Looking at the code, I think there is a boundary
case when you only have one product, or rather, only one product that the
specific user can access.  

Try this patch and see what happens:

--- describecomponents.cgi~     2005-03-07 13:40:28.000000000 -0800
+++ describecomponents.cgi      2005-03-07 13:40:52.000000000 -0800
@@ -78,6 +78,7 @@
     }

     $product = (keys %products)[0];
+    $product_id = get_product_id($product);
 }
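Review bot: the value returned by get_product_id($product) on the added line is assigned to $product_id without any check, so if the lookup yields nothing, the statement sent from line 88 would again read "WHERE product_id =  ORDER BY name" and fail the same way. Suggest testing $product_id right after the assignment and stopping with an error page when it is empty, rather than letting the empty value reach SendSQL. The assignment also sits inside the block that picks (keys %products)[0], so it covers only that single-product path; a short comment saying why the id has to be resolved here would help the next reader.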



exactly
Albert Ting:
"Looking at the code, I think there is a boundary
case when you only have one product, or rather, only one product that the
specific user can access." 

This was the problem with my Bugzilla: I had only one product that the
specific user can access.

Thanks,
Liviu
Attached patch 2.19.2+ patch
Not sure why I got CC'd on this ticket, but here's what I think is the correct
fix.
Attachment #176746 - Flags: review?(bugreport)
Comment on attachment 176746
2.19.2+ patch

r=joel

(originally, I suspected it was a regression from classifications ... it
wasn't)
Attachment #176746 - Flags: review?(bugreport) → review+
Flags: approval?
Flags: approval? → approval+
Assignee: query-and-buglist → altlst
OS: Windows XP → All
Hardware: PC → All
Checking in describecomponents.cgi;
/cvsroot/mozilla/webtools/bugzilla/describecomponents.cgi,v  <--  
describecomponents.cgi
new revision: 1.29; previous revision: 1.28
done
Status: NEW → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED
*** Bug 287235 has been marked as a duplicate of this bug. ***
This crash also happened in my Bugzilla 2.18 installation (new install) when I 
just clicked on the "Components" link on the Advanced Search page.  That link 
is just a "describecomponents.cgi" link with no parameters, so the product 
form variable is not set when describecomponents is called.

The code basically said: if product_id is not set, do some stuff, then run an 
SQL statement referencing product_id.  I discovered independently the same fix 
entered by Albert Ting, to set product_id based on product at the end of the 
code block just before the SendSQL call.

I entered this comment in the hope that it may help other people find this 
problem/solution.
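
The failure mode discussed in this bug, as an added example that is not Bugzilla's code: Python's sqlite3 stands in for the Perl/MySQL stack, and the schema, sample rows, the `visible_products` list and every function here (including this `get_product_id`) are assumptions made for illustration. It reproduces the syntax error caused by an unset id pasted into the statement, then shows the id resolved and bound on every path.

```python
import sqlite3

def make_db():
    # Constructed schema and rows; column names follow the statement in the error report.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT UNIQUE);
        CREATE TABLE components (product_id INTEGER, name TEXT, description TEXT);
        INSERT INTO products VALUES (1, 'SecureProduct');
        INSERT INTO components VALUES (1, 'backend', 'server side'), (1, 'api', 'public API');
    """)
    return db

def components_interpolated(db, product_id):
    """Pre-fix pattern: the id is pasted into the SQL text whether it is set or not."""
    pid = "" if product_id is None else product_id
    sql = f"SELECT name, description FROM components WHERE product_id = {pid} ORDER BY name"
    return db.execute(sql).fetchall()

def get_product_id(db, product):
    """Hypothetical stand-in for a name-to-id lookup; returns None when not found."""
    row = db.execute("SELECT id FROM products WHERE name = ?", (product,)).fetchone()
    return row[0] if row else None

def components_checked(db, visible_products, product=None):
    """Post-fix pattern: resolve the id on every path, validate it, then bind it."""
    if product is None:
        if len(visible_products) != 1:
            raise LookupError("choose a product")  # the page would show the chooser
        product = visible_products[0]              # single-product boundary case
    elif product not in visible_products:
        raise LookupError("unknown or inaccessible product")
    product_id = get_product_id(db, product)
    if product_id is None:
        raise LookupError("unknown or inaccessible product")
    sql = "SELECT name, description FROM components WHERE product_id = ? ORDER BY name"
    return db.execute(sql, (product_id,)).fetchall()

def interpolated_error(db):
    # Returns the database error text produced when the id was never set.
    try:
        components_interpolated(db, None)
    except sqlite3.OperationalError as exc:
        return str(exc)
    return None

if __name__ == "__main__":
    print("interpolated, id unset:", interpolated_error(make_db()))
    print("checked:", components_checked(make_db(), ["SecureProduct"]))
```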