Closed
Bug 42810
Opened 23 years ago
Closed 22 years ago
Quotes in product or version field
Categories
(Bugzilla :: Query/Bug List, defect, P3)
RESOLVED
FIXED
Bugzilla 2.16
People
(Reporter: boris, Assigned: kiko)
Details
(Whiteboard: patch in hand, 2.14+ fix included)
Attachments
(2 files)
670 bytes, patch | caillon: review+
622 bytes, patch | justdave: review+
If you place a single quote "'" in one of the fields which is used by the "selectComponent" JavaScript in the query page then the JavaScript breaks. Consequence: Quote everything that might break the JavaScript.
Updated•23 years ago
Whiteboard: 2.14
Updated•23 years ago
Whiteboard: 2.14 → 2.16
Comment 2•23 years ago
I've seen quotes cause three different error messages and I think they occur on basically every page, at least these days.
Comment 3•22 years ago
-> Bugzilla product, Query component (bug it's a general quoting issue), reassigning.
Assignee: tara → endico
Component: Bugzilla → Query/Bug List
Product: Webtools → Bugzilla
Whiteboard: 2.16
Version: other → unspecified
Comment 4•22 years ago
s/bug/but/
Updated•22 years ago
Whiteboard: [escape]
Comment 5•22 years ago
Did we just fix this with the query js update? I know someone was discussing quoting while you were working on it. Need to verify if versioncache does it right, too, before marking this fixed though. (see the bugs I'm about to mark dupes of this one).
Comment 8•22 years ago (Assignee)
Dave, I fixed it in the sense it's being quoted in the JavaScript (see http://landfill.tequilarista.org/bz96534/query4.cgi for instance clicking on MyOwnBadSelf will show some pretty rad component names). As for the versioncache: I'm looking at globals.pl, and AFAICS we use $p (the product name) as an index into a lot of hashes - milestoneurl, proddesc, etc. I can't escape it there, I guess (around line 480) because the \ would break hashes. So I don't really know where it should be done. If it's okay to add a $p = SqlQuote($p) right in line 483, great. I think quotes in versioncache can only break JavaScript, am I wrong? If that's the case, make it policy to quote on use. Otherwise there's a lot that seems to break. Or are escapes ignored by Perl?
Assignee: endico → kiko
OS: Linux → All
Comment 9•22 years ago (Assignee)
Okay, found the problem - it's happening right now on my landfill install. Since I'm gonna fix it, here's what it shows after adding MUCKY'PUP as a product:
Software error:
Bad name after PUPS' at data/versioncache line 4.
For help, please send mail to the webmaster (webmaster@landfill.tequilarista.org), giving this error message and the time and date of the error.
Content-type: text/html
Software error:
[Fri Aug 31 15:08:03 2001] query.cgi: Bad name after PUPS' at data/versioncache line 4. Compilation failed in require.
For help, please send mail to the webmaster (webmaster@landfill.tequilarista.org), giving this error message and the time and date of the error.
Status: NEW → ASSIGNED
Comment 10•22 years ago (Assignee)
Okay, I've fixed this. There was, yes, a problem with the versioncache _AND_ with the JS I wrote for 96534. I've added some extra quotes here and there and it should work now. Waiting for r= on them
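The breakage reported in this bug and the "quote on use" policy from comment 8, as an added example (not the attached patches and not Bugzilla code): a generator that writes names into JavaScript source, unescaped and then escaped. All function names are hypothetical, the sample names are constructed around the MUCKY'PUP product from comment 9, and the handling of backslashes and `</script>` goes beyond the single-quote case reported here.

```javascript
// Added example; every function name here is hypothetical.

// Naive generator: wraps each name in single quotes with no escaping,
// so a name containing ' ends the literal early.
function emitNaive(varName, names) {
  return "var " + varName + " = [" +
    names.map((n) => "'" + n + "'").join(", ") + "];";
}

// Quote on use: turn any value into a JavaScript string literal that is
// also safe inside an HTML <script> block.
function jsStringLiteral(value) {
  return JSON.stringify(String(value)) // escapes ", \ and control characters
    .replace(/</g, "\\u003c")          // "</script>" cannot close the block
    .replace(/>/g, "\\u003e")
    .replace(/&/g, "\\u0026")
    .replace(/\u2028/g, "\\u2028")     // line separators break older parsers
    .replace(/\u2029/g, "\\u2029");
}

function emitQuoted(varName, names) {
  return "var " + varName + " = [" +
    names.map(jsStringLiteral).join(", ") + "];";
}

// Parse and run the generated source the way a browser would, returning
// the resulting array or the name of the error that stopped it.
function evaluate(source, varName) {
  try {
    const value = new Function(source + "\nreturn " + varName + ";")();
    return { ok: true, value };
  } catch (e) {
    return { ok: false, error: e.name };
  }
}

// Constructed sample names; MUCKY'PUP is the product from comment 9.
const sampleProducts = ["Bugzilla", "MUCKY'PUP", "a\\b", "x</script>y"];

for (const emit of [emitNaive, emitQuoted]) {
  const source = emit("products", sampleProducts);
  console.log(emit.name, "->", source);
  console.log("  result:", JSON.stringify(evaluate(source, "products")));
}
```

The naive output stops at a syntax error, which takes every script depending on that array down with it; a name containing only a backslash would instead parse and silently change value.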
Comment 11•22 years ago (Assignee)
Comment 12•22 years ago (Assignee)
Updated•22 years ago (Assignee)
Comment 13•22 years ago
Comment on attachment 47891: one-liner for globals.pl
r= justdave on the perl patch. no second review needed. need an r= on the javascript still.
Attachment #47891 - Flags: review+
Comment 14•22 years ago
Comment on attachment 47890: one-liner for query.cgi
r=caillon
Attachment #47890 - Flags: review+
Comment 15•22 years ago
OK, it's in.
Status: ASSIGNED → RESOLVED
Closed: 22 years ago
Resolution: --- → FIXED
Comment 16•22 years ago
*** Bug 114817 has been marked as a duplicate of this bug. ***
Comment 17•22 years ago
*** Bug 122662 has been marked as a duplicate of this bug. ***
Comment 18•22 years ago
*** Bug 135453 has been marked as a duplicate of this bug. ***
Comment 19•21 years ago
*** Bug 157025 has been marked as a duplicate of this bug. ***
Updated•11 years ago
QA Contact: matty_is_a_geek → default-qa