Closed Bug 997281 Opened 7 years ago Closed 7 years ago

New QuickSearch operators can short-circuit each other depending on which ones are tested first

Categories

(Bugzilla :: Query/Bug List, defect)

4.5.2
defect
Not set
normal

Tracking

()

RESOLVED FIXED
Bugzilla 5.0

People

(Reporter: LpSolit, Assigned: LpSolit)

Attachments

(1 file)

When testing votes<=2 in the QuickSearch field, I get random results on each call:

1) most of the time, I get: There is a problem with your search: votes< is not a valid field name.
2) sometimes, I get: Votes: (is less than) =2
3) sometimes, I get: Votes: (is less than or equal to) 2

3) is the expected behavior. 1) and 2) indicate bad parsing.

The reason for this random behavior is that Perl 5.18 introduced real randomization when playing with hashes, see http://search.cpan.org/~rjbs/perl-5.18.0/pod/perldelta.pod#Hash_randomization

"Hash randomization

The seed used by Perl's hash function is now random. This means that the order which keys/values will be returned from functions like keys(), values(), and each() will differ from run to run.

This change was introduced to make Perl's hashes more robust to algorithmic complexity attacks, and also because we discovered that it exposes hash ordering dependency bugs and makes them easier to track down."

In Bugzilla::Search::Quicksearch::_handle_field_names(), testing the <, > or = operators before <=, >= or != short-circuits the latter, making Bugzilla incorrectly parse strings and report them as invalid fields (or values). To work around this problem, longer operators should be tested first.
Attached patch: patch, v1
Assignee: query-and-buglist → LpSolit
Status: NEW → ASSIGNED
Attachment #8407643 - Flags: review?(justdave)
Attachment #8407643 - Flags: review?(justdave) → review+
To ssh://gitolite3@git.mozilla.org/bugzilla/bugzilla.git
   060fa90..23bad39  master -> master
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
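
The short-circuit described in the report, as an added Perl sketch that is not Bugzilla's code or the attached patch. The operator table and `parse_term` are hypothetical, and the operator descriptions other than the two quoted in the report are constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical operator table (not Bugzilla's own). The descriptions for
# "<" and "<=" come from the messages quoted in the report; the rest are
# constructed for this example.
my %OPERATORS = (
    '<'  => 'is less than',
    '<=' => 'is less than or equal to',
    '>'  => 'is greater than',
    '>=' => 'is greater than or equal to',
    '='  => 'is equal to',
    '!=' => 'is not equal to',
);

# Split "field<op>value" on the first candidate operator found in the term.
# The result depends entirely on the order of @candidates.
sub parse_term {
    my ($term, @candidates) = @_;
    foreach my $op (@candidates) {
        my $pos = index($term, $op);
        next if $pos < 0;
        return (substr($term, 0, $pos), $op, substr($term, $pos + length($op)));
    }
    return;
}

# Deterministic order: longest operators first, ties broken by string
# comparison, so "<=" is always tried before "<" and "=".
my @longest_first =
    sort { length($b) <=> length($a) || $a cmp $b } keys %OPERATORS;

for my $case (
    [ 'keys() order (varies per run on Perl >= 5.18)', [ keys %OPERATORS ] ],
    [ '"=" tested first',                              [ '=', '<', '<=' ] ],
    [ '"<" tested first',                              [ '<', '<=', '=' ] ],
    [ 'longest operators first',                       \@longest_first ],
) {
    my ($label, $order) = @$case;
    my ($field, $op, $value) = parse_term('votes<=2', @$order);
    printf "%-46s field=%-9s %s (%s) value=%s\n",
        $label, "'$field'", $op, $OPERATORS{$op}, "'$value'";
}
```

Running it several times shows the first line changing between runs while the last line stays the same; the two fixed orderings in between reproduce outcomes 1) and 2) from the report.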