Closed
Bug 96003
Opened 23 years ago
Closed 22 years ago
buglist.cgi shouldn't find all bugs if loaded without parameters
Categories
(Bugzilla :: Query/Bug List, defect, P3)
Tracking
()
RESOLVED
FIXED
Bugzilla 2.18
People
(Reporter: myk, Assigned: gerv)
References
Details
Attachments
(1 file, 1 obsolete file)
1005 bytes,
patch
|
Details | Diff | Splinter Review |
buglist.cgi got into my URL history somehow, and now I sometimes accidentally select it from the auto-completion list as I am typing in a Bugzilla URL. When I do, it queries the database for all bugs and tries to display the list (until I cancel the request). Instead of doing this, it should display an error or forward me to query.cgi.
Comment 1•23 years ago
|
||
I don't think I like this one. I have, on occation, bookmarked a query with the intention of being able to run it directly without stopping at query.cgi. In fact, I have a bookmarked Bugzilla 2.14 query (which runs my stored query).
Reporter | ||
Comment 2•23 years ago
|
||
Correctly misleading summary. What I meant to say is only that the following URL shouldn't work: http://bugzilla.mycompany.com/buglist.cgi
Summary: buglist.cgi shouldn't find all bugs if loaded directly → buglist.cgi shouldn't find all bugs if loaded without parameters
Comment 3•23 years ago
|
||
I don't think that's what he meant, Jake. I think he meant if you ran it without any query parms.
Summary: buglist.cgi shouldn't find all bugs if loaded without parameters → buglist.cgi shouldn't find all bugs if loaded directly
Comment 4•23 years ago
|
||
grrr
Summary: buglist.cgi shouldn't find all bugs if loaded directly → buglist.cgi shouldn't find all bugs if loaded without parameters
Comment 5•23 years ago
|
||
OK, that makes much more sense :)
Updated•23 years ago
|
Priority: -- → P3
Target Milestone: --- → Bugzilla 2.16
Comment 6•23 years ago
|
||
Moving to new Bugzilla product ...
Assignee: justdave → endico
Component: Bugzilla → Query/Bug List
Product: Webtools → Bugzilla
Version: Bugzilla 2.13 → 2.13
Comment 7•23 years ago
|
||
We are currently trying to wrap up Bugzilla 2.16. We are now close enough to release time that anything that wasn't already ranked at P1 isn't going to make the cut. Thus this is being retargetted at 2.18. If you strongly disagree with this retargetting, please comment, however, be aware that we only have about 2 weeks left to review and test anything at this point, and we intend to devote this time to the remaining bugs that were designated as release blockers.
Target Milestone: Bugzilla 2.16 → Bugzilla 2.18
Assignee | ||
Comment 9•22 years ago
|
||
This redirects to query.cgi if no parameters are given. Gerv
Reporter | ||
Comment 10•22 years ago
|
||
We need to also test for the case where there are parameters but no search criteria. If you unselect "NEW", "ASSIGNED", and "REOPENED" on the query page and submit the form there will be a bunch of parameters in the URL but no actual search criteria. This should also be prevented.
Reporter | ||
Comment 11•22 years ago
|
||
Comment on attachment 92144 [details] [diff] [review] Patch v.1 In the meantime, this is a good start. r=myk
Attachment #92144 -
Flags: review+
Assignee | ||
Comment 12•22 years ago
|
||
We can go some way towards that by doing an s/[^&\?]*=&//g; - i.e. cut out every param of the form &foo_param=&bar=&baz... But that really doesn't cut it because there are a lot of params with default values which nevertheless don't restrict the search. Perhaps we need a URL-optimising function; that would be useful in other situations too. Myk: does this need a second review? Is it right that the default now is not, unless the reviewer specifically says it needs one? Gerv
Reporter | ||
Comment 13•22 years ago
|
||
Comment on attachment 92144 [details] [diff] [review] Patch v.1 Yes, that's right, only one review is required by default for 2.18 bugs unless otherwise indicated by the first reviewer. However, I took another look at the patch and have some nits... >Index: buglist.cgi >@@ -61,6 +61,17 @@ >+ $vars->{'message'} = "This script is not meant for invoking without any >+ parameters. Please search using the search form."; "for invoking" -> "to be invoked" "parameters" -> "search criteria", "search terms", or "search conditions" "Please search" -> "Please specify some search criteria" >+ print "Refresh: 0; URL=query.cgi\n"; We should give them some time to read the message. I suggest refreshing after 10 seconds but providing a link for them to go to the search page more quickly via the "url" and "link" parameters to message.html.tmpl.
Assignee | ||
Comment 14•22 years ago
|
||
Patch that I checked in, with myk's changes made. Gerv
Attachment #92144 -
Attachment is obsolete: true
Assignee | ||
Comment 15•22 years ago
|
||
Fixed. Checking in buglist.cgi; /cvsroot/mozilla/webtools/bugzilla/buglist.cgi,v <-- buglist.cgi new revision: 1.182; previous revision: 1.181 done Gerv
Status: NEW → RESOLVED
Closed: 22 years ago
Resolution: --- → FIXED
Comment 16•22 years ago
|
||
Myk, I don't think we need to prevent returning all bugs. Smaller installations could find this quite useful. I think the accidental case fixed here is the real killer. Deliberate attacks are certainly an issue, but I think a better solution is a bmo hack or a limit to the number of results that can get returned.
Updated•12 years ago
|
QA Contact: matty_is_a_geek → default-qa
You need to log in
before you can comment on or make changes to this bug.
Description
•