When adding a new attachment, data inserted in the bugs_activity table are quoted

RESOLVED FIXED in Bugzilla 3.0

Status

Bugzilla
Attachments & Requests
RESOLVED FIXED
12 years ago
12 years ago

People

(Reporter: Frédéric Buclin, Assigned: Frédéric Buclin)

Tracking

({regression})

2.23
Bugzilla 3.0
regression
Bug Flags:
approval +

Details

Attachments

(1 attachment)

2.09 KB, patch
Olav Vitters
: review+
Greg Hendricks
: review+
Vlad Dascalu
: review+
(Assignee)

Description

12 years ago
From attachment.cgi, around line 1075:

      @oldvalues = map($dbh->quote($_), @oldvalues);
      @newvalues = map($dbh->quote($_), @newvalues);

      # Update the bug record. Note that this doesn't involve login_name.
      $dbh->do("UPDATE bugs SET delta_ts = ?, " . 
              join(", ", map("$fields[$_] = $newvalues[$_]", (0..3))) . 
              " WHERE bug_id = ?", undef, ($timestamp, $bugid));

      # Add the changes to the bugs_activity table
      my $sth = $dbh->prepare("INSERT INTO bugs_activity 
                                 (bug_id, who, bug_when, fieldid, removed, added)
                          VALUES (?,?,?,?,?,?)"); 

      for (my $i = 0; $i < 4; $i++) {
          if ($oldvalues[$i] ne $newvalues[$i]) {
              my $fieldid = get_field_id($fields[$i]);
              $sth->execute($bugid, $userid, $timestamp, 
                            $fieldid, $oldvalues[$i], $newvalues[$i]);
          }
      }      

The 'bugs' table is correctly updated, but the 'bugs_activity' table isn't, as we use both $dbh->quote() and placeholders. Now all data inserted in the bugs_activity table from here are quoted.
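The double-quoting described in the report, reproduced as an added example (not part of the original report and not Bugzilla's own code). It assumes DBI with DBD::SQLite is installed; the cut-down table, the log_change helper and the sample value are constructed for illustration.

```perl
use strict;
use warnings;
use DBI;

# Constructed demo: an in-memory SQLite table stands in for bugs_activity.
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
                       { RaiseError => 1, PrintError => 0 });
$dbh->do('CREATE TABLE bugs_activity
            (bug_id INTEGER, fieldid INTEGER, removed TEXT, added TEXT)');

# Hypothetical helper: log one change, return what the table really holds.
sub log_change {
    my ($prequote, $old, $new) = @_;

    # Regressed path: quote() output is meant to be spliced into SQL text.
    # Binding it to a placeholder stores the quotes as part of the data.
    ($old, $new) = map { $dbh->quote($_) } ($old, $new) if $prequote;

    $dbh->do('INSERT INTO bugs_activity (bug_id, fieldid, removed, added)
              VALUES (?,?,?,?)', undef, 1, 1, $old, $new);
    my ($stored) = $dbh->selectrow_array(
        'SELECT added FROM bugs_activity ORDER BY rowid DESC LIMIT 1');
    return $stored;
}

my $value = "won't fix";                 # constructed sample value
my $fixed = log_change(0, 'NEW', $value);
my $buggy = log_change(1, 'NEW', $value);

print "placeholder only:      [$fixed]\n";
print "quote() + placeholder: [$buggy]\n";
print "round-trips intact:    ", ($fixed eq $value ? 'yes' : 'no'), "\n";
print "quotes stored as data: ", ($buggy ne $value ? 'yes' : 'no'), "\n";

# Heuristic check for rows written by the regressed code: values that
# begin and end with a single quote. Legitimate values can match too.
my ($suspect) = $dbh->selectrow_array(
    q{SELECT COUNT(*) FROM bugs_activity
       WHERE added LIKE '''%''' OR removed LIKE '''%'''});
print "suspect rows: $suspect\n";
```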
(Assignee)

Comment 1

12 years ago
This is a regression from bug 303688.
Depends on: 303688
(Assignee)

Comment 2

12 years ago
Created attachment 224233
patch, v1
Assignee: attach-and-request → LpSolit
Status: NEW → ASSIGNED
Attachment #224233 - Flags: review?
(Assignee)

Updated

12 years ago
Attachment #224233 - Flags: review? → review?(bugzilla-mozilla)

Comment 3

12 years ago
Comment on attachment 224233
patch, v1

>Index: attachment.cgi
>+               join(', ', map("$fields[$_] = ?", (0..3))) . ' WHERE bug_id = ?',
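
Review bot: In the added `join(', ', map("$fields[$_] = ?", (0..3)))` line, the SET clause now emits four extra `?` placeholders, so the bind list passed to `do()` has to supply the four new values between the `delta_ts` value and the `bug_id`, in the same order as `(0..3)`; that list is not visible in this quoted fragment and is worth checking. The values bound there need to be the raw ones rather than the output of `$dbh->quote()`, otherwise the `bugs` columns would pick up the same literal quotes this bug reports for `bugs_activity`. `$fields[$_]` is still interpolated into the SQL text, which is safe only while `@fields` remains a fixed list of column names.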

Nit: This line is 81 chars. (found something :-)

Passes all my tests (checked before patch + after) + reviewed every line in the patch.
Attachment #224233 - Flags: review?(ghendricks)
Attachment #224233 - Flags: review?(bugzilla-mozilla)
Attachment #224233 - Flags: review+

Comment 4

12 years ago
Comment on attachment 224233
patch, v1

I really should have caught this when I updated the SQL routines. Good job, LpSolit.
Attachment #224233 - Flags: review?(ghendricks) → review+

Updated

12 years ago
Flags: approval?

Updated

12 years ago
Attachment #224233 - Flags: review+

Comment 5

12 years ago
I've opened up bug 340160 in order to follow up on the performance hit that we're introducing.
Flags: approval? → approval+
(Assignee)

Comment 6

12 years ago
Checking in attachment.cgi;
/cvsroot/mozilla/webtools/bugzilla/attachment.cgi,v  <--  attachment.cgi
new revision: 1.110; previous revision: 1.109
done
Status: ASSIGNED → RESOLVED
Last Resolved: 12 years ago
Resolution: --- → FIXED
(Assignee)

Updated

12 years ago
Summary: When adding a new attachment, data inserted in the bugs_activity are quoted → When adding a new attachment, data inserted in the bugs_activity table are quoted