[Rt-commit] rt branch, 4.2/escape-underscore, created. rt-4.2.4-98-g2fc8fda
Alex Vandiver
alexmv at bestpractical.com
Wed Mar 4 16:05:59 EST 2015
The branch, 4.2/escape-underscore has been created
at 2fc8fdad6ef0dc6ca075e409c054cc8fc18ada60 (commit)
- Log -----------------------------------------------------------------
commit 2fc8fdad6ef0dc6ca075e409c054cc8fc18ada60
Author: Alex Vandiver <alexmv at bestpractical.com>
Date: Tue Jun 10 15:35:40 2014 -0400
Derived values need to be escaped before being used in LIKE
Consider the case of an Organization that was changed from "foo corp" to
"foo_corp". The validator looks for things that are LIKE
"fsck.com-rt://%" and are NOT LIKE the current LocalURIPrefix, which
contains the Origanization. As _ is a special character in LIKE
(matching any one character) the validator will not detect the old
invalid "fsck.com-rt://foo corp/..." entries, as they are indeed LIKE
"fsck.com-rt://foo_corp/%"
Explicitly escape all occurrences of schema and prefix, in case they
contain % or _ characters.
diff --git a/sbin/rt-validator.in b/sbin/rt-validator.in
index e60328d..2d110d7 100644
--- a/sbin/rt-validator.in
+++ b/sbin/rt-validator.in
@@ -944,7 +944,7 @@ push @CHECKS, 'Links: wrong organization' => sub {
my $query = "SELECT id, $column FROM $table WHERE"
. " $column LIKE ? AND $column NOT LIKE ?";
- my @binds = ($scheme ."://%", $prefix ."%");
+ my @binds = (sql_escape_like($scheme) ."://%", sql_escape_like($prefix) ."%");
while ( my ($k, $v) = each %{ $use->{'Additional'} || {} } ) {
$query .= " AND $k = ?";
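Review bot: The escaped binds on the `my @binds` line only match literally where backslash is the database's default LIKE escape character, and the `LIKE ?` / `NOT LIKE ?` predicates two lines above carry no `ESCAPE` clause. MySQL and PostgreSQL default to backslash, but SQLite and Oracle treat `\` in a pattern as an ordinary character unless `ESCAPE '\'` is given, so on those backends a pattern like `fsck.com-rt://foo\_corp/%` would match nothing and the check would silently report no wrong-organization links. If the validator is meant to run on every backend RT supports, append an ESCAPE clause to both LIKE predicates (the literal's spelling is backend-specific; MySQL needs `'\\'`), or at minimum document the assumption next to the query, e.g. `# sql_escape_like assumes backslash is the LIKE escape character`. The enclosing check sub starts before this hunk and continues after it.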
@@ -969,7 +969,7 @@ push @CHECKS, 'Links: wrong organization' => sub {
my $wrong_prefix = $scheme . '://'. $wrong_org;
my $query = "UPDATE $table SET $column = ". sql_concat('?', "SUBSTR($column, ?)")
." WHERE $column LIKE ?";
- execute_query( $query, $prefix, length($wrong_prefix)+1, $wrong_prefix .'/%' );
+ execute_query( $query, $prefix, length($wrong_prefix)+1, sql_escape_like($wrong_prefix) .'/%' );
$redo_check{'Links: wrong organization'} = 1;
$redo_check{'Links: LocalX for non-ticket'} = 1;
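Review bot: The UPDATE now pairs an escaped LIKE pattern with an unescaped `SUBSTR` offset, `length($wrong_prefix)+1`, and nothing in the hunk says that this difference is deliberate; a later edit that escapes `$wrong_prefix` once, up front, would shift the offset by one per `_`, `%` or `\` in the organization name and corrupt every rewritten link. A comment on the `execute_query` line would guard against that, e.g. `# LIKE bind is escaped; the SUBSTR offset must use the raw (unescaped) length`. The first bind, `$prefix`, is correctly left unescaped since it is concatenated into the new value rather than matched. The enclosing check sub starts before this hunk and continues after it.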
@@ -991,7 +991,7 @@ push @CHECKS, 'Links: LocalX for non-ticket' => sub {
# we look only at links with correct organization, previouse check deals
# with incorrect orgs
my $where = "Local$dir > 0 AND $dir LIKE ? AND $dir NOT LIKE ?";
- my @binds = ($prefix ."/%", $prefix ."/ticket/%");
+ my @binds = (sql_escape_like($prefix) ."/%", sql_escape_like($prefix) ."/ticket/%");
my $sth = execute_query( "SELECT id FROM $table WHERE $where", @binds );
while ( my ($id, $value) = $sth->fetchrow_array ) {
@@ -1027,7 +1027,7 @@ push @CHECKS, 'Links: LocalX != X' => sub {
# XXX: we have issue with MergedInto links - "LocalX !~ X"
my $where = "Local$dir > 0 AND $dir LIKE ? AND $dir != ". sql_concat('?', "Local$dir")
." AND Type != ?";
- my @binds = ($prefix ."%", $prefix, 'MergedInto');
+ my @binds = (sql_escape_like($prefix) ."%", $prefix, 'MergedInto');
my $sth = execute_query( "SELECT id FROM $table WHERE $where", @binds );
while ( my ($id, $value) = $sth->fetchrow_array ) {
@@ -1082,7 +1082,7 @@ push @CHECKS, 'Links: missing object' => sub {
my $query = "SELECT s.id FROM $stable s LEFT JOIN $ttable t "
." ON t.id = ". sql_str2int("SUBSTR(s.$scolumn, ?)")
." WHERE s.$scolumn LIKE ? AND t.id IS NULL";
- my @binds = (length($tprefix) + 1, $tprefix.'%');
+ my @binds = (length($tprefix) + 1, sql_escape_like($tprefix).'%');
while ( my ($k, $v) = each %{ $use->{'Additional'} || {} } ) {
$query .= " AND s.$k = ?";
@@ -1330,6 +1330,12 @@ sub sql_str2int {
return $_[0];
}
+sub sql_escape_like {
+ my ($string) = @_;
+ $string =~ s/([%_\\])/\\$1/g;
+ return $string;
+}
+
{ my %cached_answer;
sub prompt {
my $action = shift;
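Review bot: `sql_escape_like` carries no comment stating the one assumption every caller now depends on, that backslash is the LIKE escape character, nor that callers must append their own `%` wildcards after the call, which is the pattern at every call site in this commit. An undefined argument (for instance an unset prefix) would also produce a substitution-on-undef warning rather than a clear result, though whether that can happen depends on callers outside this hunk. Suggest a header comment, `# Escape %, _ and \ so a derived value matches literally in LIKE; assumes backslash is the escape character. Callers append their own wildcards.`, and an early `return $string unless defined $string;` before the substitution. `prompt` begins on the last line of this hunk and is cut off here.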
-----------------------------------------------------------------------