Closed Bug 42810 Opened 24 years ago Closed 23 years ago

Quotes in product or version field

Categories

(Bugzilla :: Query/Bug List, defect, P3)

x86
All
defect

Tracking


RESOLVED FIXED
Bugzilla 2.16

People

(Reporter: boris, Assigned: kiko)

References

Details

(Whiteboard: patch in hand, 2.14+ fix included)

Attachments

(2 files)

If you place a single quote "'" in one of the fields which is used by the
"selectComponent" JavaScript in the query page then the JavaScript breaks.
Consequence: Quote everything that might break the JavaScript.
Whiteboard: 2.14
Whiteboard: 2.14 → 2.16
moving to real milestones...
Target Milestone: --- → Bugzilla 2.16
I've seen quotes cause three different error messages and I think they occur on
basically every page, at least these days.
-> Bugzilla product, Query component (bug it's a general quoting issue),
reassigning. 
Assignee: tara → endico
Component: Bugzilla → Query/Bug List
Product: Webtools → Bugzilla
Whiteboard: 2.16
Version: other → unspecified
s/bug/but/
Whiteboard: [escape]
Did we just fix this with the query js update?  I know someone was discussing
quoting while you were working on it.

Need to verify if versioncache does it right, too, before marking this fixed
though. (see the bugs I'm about to mark dupes of this one).
*** Bug 95290 has been marked as a duplicate of this bug. ***
*** Bug 97312 has been marked as a duplicate of this bug. ***
Dave, I fixed it in the sense it's being quoted in the Javascript (see
http://landfill.tequilarista.org/bz96534/query4.cgi for instance clicking on
MyOwnBadSelf will show some pretty rad component names). As for the versioncache:

I'm looking at globals.pl, and AFAICS we use $p (the product name) as an index
into a lot of hashes - milestoneurl, proddesc, etc. I can't escape it there, I
guess (around line 480) because the \ would break hashes. So I don't really know
where it should be done. If it's okay to add a $p = SqlQuote($p) right in line
483, great.

I think quotes in versioncache can only break JavaScript, am I wrong? If that's
the case, make it policy to quote on use. Otherwise there's a lot that seems to
break. Or are escapes ignored by perl?
Assignee: endico → kiko
OS: Linux → All
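The quoting problem discussed in the comment above, as an added example that is not Bugzilla's own code: a naive generator drops product names straight into single-quoted JavaScript literals (so a name like MUCKY'PUP stops the whole script from parsing), while the hardened generator emits each name with JSON.stringify so the value round-trips intact. The product names below are constructed for the illustration.

```javascript
// Added example (not from Bugzilla): server-side generation of the
// selectComponent-style product list, naive vs. quoted on emit.

// Constructed sample data; the second entry is the name from the bug report.
const SAMPLE_PRODUCTS = ["Bugzilla", "MUCKY'PUP", 'Say "hi"', "back\\slash"];

// Naive emission: the raw value is placed inside a single-quoted literal.
// Any embedded ' terminates the literal and the script no longer parses.
function emitNaive(products) {
  return "var prods = [" + products.map(p => "'" + p + "'").join(", ") + "];";
}

// Hardened emission: JSON.stringify produces a valid JS string literal,
// escaping quotes, backslashes and control characters in the value.
// (When the output lands in an inline <script> block, also replace "</"
// with "<\/" so the HTML parser cannot end the block early.)
function emitEscaped(products) {
  return "var prods = [" + products.map(p => JSON.stringify(p)).join(", ") + "];";
}

// Compile and run the generated script roughly as a browser would.
// Returns the resulting array, or the error name if the script does not parse.
function runGenerated(script) {
  try {
    return new Function(script + "\nreturn prods;")();
  } catch (e) {
    return e.name;
  }
}
```

runGenerated(emitNaive(SAMPLE_PRODUCTS)) yields "SyntaxError", while runGenerated(emitEscaped(SAMPLE_PRODUCTS)) returns the original four names unchanged.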
Okay, found the problem - it's happening right now on my landfill install. Since
I'm gonna fix it, here's what it shows after adding MUCKY'PUP as a product:

Software error:
Bad name after PUPS' at data/versioncache line 4.

For help, please send mail to the webmaster
(webmaster@landfill.tequilarista.org), giving this error message and the time
and date of the error. Content-type: text/html
Software error:
[Fri Aug 31 15:08:03 2001] query.cgi: Bad name after PUPS' at data/versioncache
line 4. Compilation failed in require.

For help, please send mail to the webmaster
(webmaster@landfill.tequilarista.org), giving this error message and the time
and date of the error.
Status: NEW → ASSIGNED
Okay, I've fixed this. There was, yes, a problem with the versioncache _AND_
with the JS I wrote for 96534. I've added some extra quotes here and there and
it should work now. Waiting for r= on them
Keywords: patch, review
Whiteboard: [escape] → patch in hand, 2.14+ fix included
Comment on attachment 47891 [details] [diff] [review]
one-liner for globals.pl

r= justdave on the perl patch.  no second review needed.

need an r= on the javascript still.
Attachment #47891 - Flags: review+
Comment on attachment 47890 [details] [diff] [review]
one-liner for query.cgi

r=caillon
Attachment #47890 - Flags: review+
OK, it's in.
Status: ASSIGNED → RESOLVED
Closed: 23 years ago
Resolution: --- → FIXED
*** Bug 114817 has been marked as a duplicate of this bug. ***
*** Bug 122662 has been marked as a duplicate of this bug. ***
*** Bug 135453 has been marked as a duplicate of this bug. ***
*** Bug 157025 has been marked as a duplicate of this bug. ***
QA Contact: matty_is_a_geek → default-qa
