Bug 477513 - md5_hex() fails if a saved search has UTF8 characters in it
Status: RESOLVED FIXED
Keywords: regression
Product: Bugzilla
Classification: Server Software
Component: Query/Bug List
Version: 3.2.2
Hardware: All All
Importance: -- critical
Target Milestone: Bugzilla 3.2
Assigned To: Frédéric Buclin
QA Contact: default-qa
Mentors:
Duplicates: 477585 478193 480705 481661
Depends on: 466748
Blocks:
Reported: 2009-02-08 13:02 PST by A. Shimono [:himorin]
Modified: 2009-03-05 14:02 PST
CC List: 7 users
LpSolit: approval+
LpSolit: approval3.2+
LpSolit: blocking3.2.3+
See Also:
QA Whiteboard:
Iteration: ---
Points: ---


Attachments
patch, v1 (933 bytes, patch)
2009-02-08 15:44 PST, Frédéric Buclin
mkanat: review+
shimono: review+

Description A. Shimono [:himorin] 2009-02-08 13:02:43 PST
issue_hash_token(), introduced by the last security fix, uses md5_hex directly with the internal data.
Due to a bug (or spec) of the Digest:: modules, we must encode the UTF-8 data, using encode_utf8() or something, before using md5_hex().

For documentation, refer to the POD of Digest::MD5.
Comment 1 Frédéric Buclin 2009-02-08 13:08:11 PST
Hum yeah, I can reproduce. If a saved search name has UTF8 characters in it, buglist.cgi and userprefs.cgi?tab=saved-searches both fail with:

undef error - Wide character in subroutine entry at Bugzilla/Token.pm line 183.
Comment 2 Frédéric Buclin 2009-02-08 13:10:21 PST
Err... I just tested on 3.0.8, and it's not affected by the problem.
Comment 3 Max Kanat-Alexander 2009-02-08 13:22:50 PST
Ahh, this is basically the same bug as bug 431201, then, just in a different place. What's funny is that, using the Digest.pm interface, this doesn't seem to happen (I tested it when I wrote the SHA-1 patch--maybe it's just not necessary for Digest::SHA, but it is necessary for Digest::MD5).
Comment 4 Frédéric Buclin 2009-02-08 15:44:46 PST
Created attachment 361189
patch, v1

Use the same trick as in bug 453767.
Comment 5 Max Kanat-Alexander 2009-02-08 16:35:33 PST
Comment on attachment 361189
patch, v1

Looks good to me. I assume you tested it and it works?
Comment 6 Frédéric Buclin 2009-02-08 16:37:03 PST
yup. But I also tested security patches, and they still regressed something. :-(
Comment 7 Frédéric Buclin 2009-02-09 10:19:45 PST
*** Bug 477585 has been marked as a duplicate of this bug. ***
Comment 8 Frédéric Buclin 2009-02-09 11:21:17 PST
tip:

Checking in Bugzilla/Token.pm;
/cvsroot/mozilla/webtools/bugzilla/Bugzilla/Token.pm,v  <--  Token.pm
new revision: 1.58; previous revision: 1.57
done

3.2.2:

Checking in Bugzilla/Token.pm;
/cvsroot/mozilla/webtools/bugzilla/Bugzilla/Token.pm,v  <--  Token.pm
new revision: 1.55.2.2; previous revision: 1.55.2.1
done
Comment 9 A. Shimono [:himorin] 2009-02-09 11:55:41 PST
Comment on attachment 361189
patch, v1

Sorry for being late.
I've checked with our test site, and it works well.
Comment 10 Frédéric Buclin 2009-02-12 04:20:38 PST
*** Bug 478193 has been marked as a duplicate of this bug. ***
Comment 11 Frédéric Buclin 2009-03-03 15:57:11 PST
*** Bug 480705 has been marked as a duplicate of this bug. ***
Comment 12 Frédéric Buclin 2009-03-05 14:02:05 PST
*** Bug 481661 has been marked as a duplicate of this bug. ***
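
The failure reported in this bug, and the encode-before-hashing approach suggested in the description, shown as an added Perl example. It is not Bugzilla's code or the attached patch: `hash_token_data()`, `hash_unencoded()`, the `*` separator and the sample saved-search names are constructed for illustration.

```perl
#!/usr/bin/perl
# Added illustration; hash_token_data() is hypothetical, not Bugzilla's function.
use strict;
use warnings;
use utf8;                          # literals below are character strings
use Digest::MD5 qw(md5_hex);
use Encode qw(encode_utf8);

binmode(STDOUT, ':encoding(UTF-8)');

# Digest the UTF-8 bytes of the joined fields. encode_utf8() returns a byte
# string, so md5_hex() never receives a code point above 255.
sub hash_token_data {
    my @fields = @_;
    return md5_hex(encode_utf8(join('*', @fields)));
}

# Call md5_hex() on the character string as-is; report a croak instead of dying.
sub hash_unencoded {
    my ($data) = @_;
    my $digest = eval { md5_hex($data) };
    return $digest if defined $digest;
    chomp(my $error = $@);
    return "died: $error";
}

# Constructed sample saved-search names.
my @names = ('My bugs', 'Défauts', '検索');

for my $name (@names) {
    my $raw = hash_unencoded($name);
    my $enc = hash_token_data($name);
    my $note = $raw eq $enc     ? 'same digest (ASCII only)'
             : $raw =~ /^died:/ ? 'unencoded call fails'
             :                    'differs: Latin-1 bytes were hashed, not UTF-8';
    print "$name\n  unencoded: $raw\n  encoded:   $enc\n  -> $note\n";
}
```

The second name is the quiet case: every character is below 256, so the unencoded call succeeds but hashes different bytes than the encoded one. A token is only stable if it is generated and validated through the same encoding step.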
