Can't get legal values for attachments.status

VERIFIED INVALID


People

(Reporter: otaylor, Unassigned)


Attachments

(1 attachment)

(Reporter)

Description

9 years ago
Created attachment 397477 [details] [diff] [review]
Patch as described

Trying to call the Bug.legal_values method on the field 'attachments.status' produces:

 xmlrpclib.Fault: <Fault -32000: 'DBD::mysql::db selectcol_arrayref failed: SELECT command denied to user \'bugzilla\'@\'localhost\' for table \'status\' [for Statement "SELECT value FROM attachments.status\n           WHERE isactive = ?\n        ORDER BY sortkey, value"] at Bugzilla/Field.pm line 881\n\tBugzilla::Field::get_legal_field_values(\'attachments.status\') called at Bugzilla/WebService/Bug.pm line 312\n\tBugzilla::WebService::Bug::legal_values(\'Bugzilla::WebService::Bug\', \'HASH(0x3beda28)\') called at /usr/lib/perl5/vendor_perl/5.10.0/SOAP/Lite.pm line 2744\n\teval {...} called at /usr/lib/perl5/vendor_perl/5.10.0/SOAP/Lite.pm line 2729\n\teval {...} called at /usr/lib/perl5/vendor_perl/5.10.0/SOAP/Lite.pm line 2695\n\tSOAP::Server::handle(\'Bugzilla::WebService::Server::XMLRPC=HASH(0x397ba68)\', \'<?xml version=\\\'1.0\\\'?>\\x{a}<methodCall>\\x{a}<methodName>Bug.legal_va...\') called at /usr/lib/perl5/vendor_perl/5.10.0/SOAP/Transport/HTTP.pm line 394\n\tSOAP::Transport::HTTP::Server::handle(\'Bugzilla::WebService::Server::XMLRPC=HASH(0x397ba68)\') called at /usr/lib/perl5/vendor_perl/5.10.0/SOAP/Transport/HTTP.pm line 515\n\tSOAP::Transport::HTTP::CGI::handle(\'Bugzilla::WebService::Server::XMLRPC=HASH(0x397ba68)\') called at /var/www/bugzilla-emblems/xmlrpc.cgi line 47\n'>

I'll attach a patch that fixes the problem by using the legal_field_values method on Bugzilla::Field rather than Bugzilla::Field::get_legal_field_values, but I'm not sure if get_legal_field_values should be fixed instead or in addition to this.

Comment 1

9 years ago
This looks invalid to me. "SELECT command denied to user \'bugzilla\'@\'localhost\" looks like a permission problem to me. Also, I don't know how you managed to inject your string directly in the SQL query.
Status: NEW → RESOLVED
Last Resolved: 9 years ago
Resolution: --- → INVALID

Comment 2

9 years ago
Yeah, also, there is no attachments.status field in upstream Bugzilla.
Status: RESOLVED → VERIFIED
(Reporter)

Comment 3

9 years ago
The point that attachments.status is not upstream is a valid one, realized that after filing the bug :-)

But there is no permissions problem involved here. 

If you assume that you have a field that:

 A) Is a select
 B) Has a dot in the name

(upstream has plenty of both, but no combinations of the two), then it's obvious what happens - the field name gets passed directly to:

sub get_legal_field_values {
    my ($field) = @_;
    my $dbh = Bugzilla->dbh;
    my $result_ref = $dbh->selectcol_arrayref(
         "SELECT value FROM $field
           WHERE isactive = ?
        ORDER BY sortkey, value", undef, (1));
    return $result_ref;
}

Which is a request to access the 'status' field of the attachments database. 

The way it is working when get_legal_field_values() isn't directly selecting from the database is that bbaetz used the CLASS_MAP feature of Bugzilla::Field::Choice.pm to redirect the attachments.status field to a custom class:

     product    => 'Bugzilla::Product',
+    'attachments.status' => 'Bugzilla::AttachmentStatus',

And Bugzilla::AttachmentStatus has:

     use constant DB_TABLE => 'attachment_status';

That looks legitimate to me, so my interpretation is that this reflects a real bug in the Bugzilla codebase that just isn't triggered by the current set of fields.

Max: do you want me to refile this in GNOME bugzilla?
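
The failure described in comment 3, reproduced as an added example (not part of the original comment and not Bugzilla code): a dotted field name interpolated as a table name is parsed by the database as a schema-qualified table, while resolving the field to its table and checking the identifier first avoids that. Assumptions: an in-memory SQLite database via DBD::SQLite stands in for MySQL, and the %TABLE_FOR_FIELD map, both function names and the sample rows are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Constructed stand-in for the CLASS_MAP / DB_TABLE indirection quoted above.
my %TABLE_FOR_FIELD = ('attachments.status' => 'attachment_status');

# In-memory SQLite database (needs DBD::SQLite) holding constructed sample rows.
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
                       { RaiseError => 1, PrintError => 0 });
$dbh->do('CREATE TABLE attachment_status
          (value TEXT, sortkey INTEGER, isactive INTEGER)');
$dbh->do('INSERT INTO attachment_status VALUES (?, ?, ?)', undef, @$_)
    for (['none', 10, 1], ['accepted-commit_now', 20, 1], ['obsolete-old', 30, 0]);

# Same shape as the get_legal_field_values() quoted in comment 3:
# the field name is used verbatim as the table name.
sub legal_values_interpolated {
    my ($field) = @_;
    return $dbh->selectcol_arrayref(
        "SELECT value FROM $field WHERE isactive = ? ORDER BY sortkey, value",
        undef, 1);
}

# Resolve the field to its table first, then accept only a plain identifier,
# so a dot can never reach the SQL text as a schema separator.
sub legal_values_mapped {
    my ($field) = @_;
    my $table = exists $TABLE_FOR_FIELD{$field} ? $TABLE_FOR_FIELD{$field} : $field;
    die "refusing table name '$table' for field '$field'\n"
        unless $table =~ /\A[A-Za-z_][A-Za-z0-9_]*\z/;
    my $quoted = $dbh->quote_identifier($table);
    return $dbh->selectcol_arrayref(
        "SELECT value FROM $quoted WHERE isactive = ? ORDER BY sortkey, value",
        undef, 1);
}

# The interpolated query fails because the name is read as schema.table.
my $values = eval { legal_values_interpolated('attachments.status') };
print "interpolated: ", ($values ? "@$values\n" : "failed: $@");

# The mapped query reads the active rows from attachment_status.
print "mapped: @{ legal_values_mapped('attachments.status') }\n";

# A dotted name with no mapping is rejected before any SQL is built.
eval { legal_values_mapped('bugs.unknown') };
print "unmapped dotted name: $@";
```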

Comment 4

9 years ago
(In reply to comment #3)
> Max: do you want me to refile this in GNOME bugzilla?

  Yeah, with all the info in that comment, if you could.