AUR web interface

FS#26527 - Searching for % returns all packages

Attached to Project: AUR web interface
Opened by Dan McGee (toofishes) - Wednesday, 19 October 2011, 17:36 GMT
Last edited by Lukas Fleischer (lfleischer) - Friday, 09 March 2012, 08:54 GMT
Task Type Bug Report
Category Security
Status Closed
Assigned To Lukas Fleischer (lfleischer)
Architecture All
Severity Medium
Priority Normal
Reported Version 1.9.0
Due in Version 1.9.1
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

Looks like we aren't fully escaping what we need to here...

https://aur.archlinux.org/packages.php?O=0&K=%25%25%25%25%25&do_Search=Go
Closed by Lukas Fleischer (lfleischer)
Friday, 09 March 2012, 08:54 GMT
Reason for closing: Fixed
Additional comments about closing: Fixed in 1.9.1.
Comment by Dan McGee (toofishes) - Wednesday, 19 October 2011, 17:38 GMT
Looks like both the '%' and '_' SQL wildcards need some special treatment when we use them in this fashion. This means anywhere we are escaping strings someone might be passing a '%' through, and I don't even want to think of what that could do on the username side of things if we aren't doing it right...
Comment by Lukas Fleischer (lfleischer) - Thursday, 20 October 2011, 06:04 GMT
Oh. I fixed this for RPC queries some time ago [1] and I can't really explain why I didn't check for other places to patch. Maybe we should write a convenience function to be used when we need to escape a "LIKE" parameter and use that everywhere. I'll look into that, thanks!

[1] http://projects.archlinux.org/aur.git/commit/?id=da2ebb667b7a332ddd8d905bf9b9a8694765fed6
Comment by Lukas Fleischer (lfleischer) - Thursday, 20 October 2011, 06:54 GMT
Comment by Lukas Fleischer (lfleischer) - Tuesday, 25 October 2011, 07:36 GMT
  • Field changed: Due in Version (Undecided → 1.9.1)