[Rt-commit] rt branch, 4.0/ticketsql-quoting, created. rt-4.0.2-119-g117bae9
Alex Vandiver
alexmv at bestpractical.com
Thu Sep 29 13:36:13 EDT 2011
The branch, 4.0/ticketsql-quoting has been created
at 117bae99d9eb98ff635064280bd2db8992971797 (commit)
- Log -----------------------------------------------------------------
commit 117bae99d9eb98ff635064280bd2db8992971797
Author: Alex Vandiver <alexmv at bestpractical.com>
Date: Wed Sep 28 18:33:54 2011 -0400
TicketSQL should always escape both quotes and backslashes in values
This fixes the search link for quicksearch queue name containing
backslashes, as well as a bug where repeatedly pressing "Add this term"
in the query builder would halve the number of backslashes in each term's
value.
diff --git a/lib/RT/Interface/Web/QueryBuilder/Tree.pm b/lib/RT/Interface/Web/QueryBuilder/Tree.pm
index 860485e..034e9f2 100644
--- a/lib/RT/Interface/Web/QueryBuilder/Tree.pm
+++ b/lib/RT/Interface/Web/QueryBuilder/Tree.pm
@@ -268,10 +268,10 @@ sub ParseSQL {
push @results, [ $args{'CurrentUser'}->loc("Unknown field: [_1]", $key), -1 ]
}
- $value =~ s/'/\\'/g;
if ( lc $op eq 'is' || lc $op eq 'is not' ) {
$value = 'NULL'; # just fix possible mistakes here
} elsif ( $value !~ /^[+-]?[0-9]+$/ ) {
+ $value =~ s/(['\\])/\\$1/g;
$value = "'$value'";
}
$key = "'$key'" if $key =~ /^CF./;
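Review bot: The context line `$key = "'$key'" if $key =~ /^CF./;` still wraps the custom-field key in single quotes without the escaping this hunk now applies to `$value`, so a field name containing `'` or `\` would presumably hit the same round-trip breakage the commit fixes for values. If the parser hands back the unescaped name, apply `$key =~ s/(['\\])/\\$1/g;` under that condition before quoting. Separately, the integer test `/^[+-]?[0-9]+$/` now decides whether a value is escaped at all, and `$` also matches before a trailing newline; `/\A[+-]?[0-9]+\z/` would make the unquoted path exact. ParseSQL's body starts and ends outside the hunk.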
diff --git a/share/html/Elements/QueueSummaryByLifecycle b/share/html/Elements/QueueSummaryByLifecycle
index 7e95bcb..42cc914 100644
--- a/share/html/Elements/QueueSummaryByLifecycle
+++ b/share/html/Elements/QueueSummaryByLifecycle
@@ -67,7 +67,7 @@ for my $queue (@queues) {
$i++;
my $name = $queue->{Name};
- $name =~ s/'/\\'/g;
+ $name =~ s/(['\\])/\\$1/g;
my $queue_cond = "Queue = '$name' AND ";
my $all_q = $queue_cond . '(' . join( " OR ", map "Status = '$_'", @cur_statuses ) . ')';
</%PERL>
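Review bot: Only `$name` is escaped here; the status values interpolated by `map "Status = '$_'", @cur_statuses` go into the same TicketSQL string raw. Status names are presumably admin-configured and rarely contain `'` or `\`, but one that did would yield a malformed search link, so the same substitution belongs inside the map, e.g. `map { (my $s = $_) =~ s/(['\\])/\\$1/g; "Status = '$s'" } @cur_statuses`. The QueueSummaryByStatus hunk has the same pattern with `@statuses`. With four copies of the substitution in this commit, a single shared quoting helper would keep them from drifting apart; the loop body continues outside the hunk.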
diff --git a/share/html/Elements/QueueSummaryByStatus b/share/html/Elements/QueueSummaryByStatus
index 302b985..e1e01ea 100644
--- a/share/html/Elements/QueueSummaryByStatus
+++ b/share/html/Elements/QueueSummaryByStatus
@@ -59,7 +59,7 @@ my $i = 0;
for my $queue (@queues) {
$i++;
my $name = $queue->{Name};
- $name =~ s/'/\\'/g;
+ $name =~ s/(['\\])/\\$1/g;
my $queue_cond = "Queue = '$name' AND ";
my $lifecycle = $lifecycle{ lc $queue->{'Lifecycle'} };
my $all_q = $queue_cond . '(' . join( " OR ", map "Status = '$_'", grep $lifecycle->IsValid($_), @statuses ) . ')';
diff --git a/share/html/Search/Build.html b/share/html/Search/Build.html
index e23eb5a..e5e1002 100644
--- a/share/html/Search/Build.html
+++ b/share/html/Search/Build.html
@@ -229,9 +229,9 @@ foreach my $arg ( keys %ARGS ) {
$op = "IS NOT";
}
}
- else {
- $value =~ s/'/\\'/g;
- $value = "'$value'" unless $value =~ /^\d+$/;
+ elsif ($value =~ /\D/) {
+ $value =~ s/(['\\])/\\$1/g;
+ $value = "'$value'";
}
my $clause = {
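Review bot: The new `elsif ($value =~ /\D/)` leaves an empty `$value` unquoted, where the removed `unless $value =~ /^\d+$/` quoted it as `''`; if an empty value can reach this branch, the clause is built with no value at all. `\D` is also the complement of `\d`, which can match non-ASCII digits on character strings, so such a value would be emitted bare, unlike the `[0-9]` test used in Tree.pm. `elsif ( $value !~ /\A[0-9]+\z/ ) {` would quote and escape everything except a plain ASCII integer. The enclosing `foreach` and the preceding `if` are outside the hunk, so the empty case may already be filtered earlier.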
-----------------------------------------------------------------------