From owner-freebsd-www@FreeBSD.ORG Sun Oct 8 10:50:23 2006
X-Original-To: freebsd-www@hub.freebsd.org
Delivered-To: freebsd-www@hub.freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 85CE116A412 for ; Sun, 8 Oct 2006 10:50:23 +0000 (UTC) (envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id 0D4E443D49 for ; Sun, 8 Oct 2006 10:50:23 +0000 (GMT) (envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1]) by freefall.freebsd.org (8.13.4/8.13.4) with ESMTP id k98AoMKm005097 for ; Sun, 8 Oct 2006 10:50:22 GMT (envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost) by freefall.freebsd.org (8.13.4/8.13.4/Submit) id k98AoM5p005095; Sun, 8 Oct 2006 10:50:22 GMT (envelope-from gnats)
Date: Sun, 8 Oct 2006 10:50:22 GMT
Message-Id: <200610081050.k98AoM5p005095@freefall.freebsd.org>
To: freebsd-www@FreeBSD.org
From: Ceri Davies
Subject: Re: www/104131: it's impossible to search for 'category/port' using PR web interface (http://www.freebsd.org/cgi/query-pr-summary.cgi?query) fails with
X-BeenThere: freebsd-www@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: Ceri Davies
List-Id: FreeBSD Project Webmasters
X-List-Received-Date: Sun, 08 Oct 2006 10:50:23 -0000

The following reply was made to PR www/104131; it has been noted by GNATS.
From: Ceri Davies
To: FreeBSD Gnats Submit
Subject: Re: www/104131: it's impossible to search for 'category/port' using PR web interface (http://www.freebsd.org/cgi/query-pr-summary.cgi?query) fails with
Date: Sun, 8 Oct 2006 11:45:24 +0100

On Sat, Oct 07, 2006 at 07:48:30PM +0000, trasz wrote:
> It's impossible to search for PRs for, say, editors/vim port, by putting 'editors/vim'
> into 'Text in single-line fields:' field. It complains about invalid characters in filter
> and returns all the PRs in the database.

Here's the patch. I don't see how it could cause a problem, but simon will probably want to look at it.

Ceri

Index: query-pr-summary.cgi
===================================================================
RCS file: /home/dcvs/www/en/cgi/query-pr-summary.cgi,v
retrieving revision 1.56
diff -u -r1.56 query-pr-summary.cgi
--- query-pr-summary.cgi 24 Sep 2006 13:34:55 -0000 1.56
+++ query-pr-summary.cgi 8 Oct 2006 10:43:55 -0000
@@ -276,14 +276,14 @@ # Check if the arguments provided by user are secure. # This is required to be able to run this script in # taint mode (perl -T) - if ($input{$_} =~ /^([-^'\[\]\@\s\w.]+)$/) { + if ($input{$_} =~ /^([-^'\/\[\]\@\s\w.]+)$/) { $d = $1; $d =~ s/^"(.*)"$/$&/; $d =~ s/'/\\'/; $query_args .= " --${_}='$d'"; } else { print "Insecure data in ${_}! Ignoring this filter.
". - "Only alphanumeric characters and ', -, [, ], ^, @ are allowed."; + "Only alphanumeric characters and ', /,-, [, ], ^, @ are allowed."; } } }
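Review bot: the context line `$d =~ s/'/\\'/;` in this hunk replaces only the first `'` in the value because it has no `/g` modifier, so a value with two or more quotes is only partially escaped before being interpolated into `$query_args .= " --${_}='$d'"`; the character class has admitted `'` since before this change, so `s/'/\\'/g` (or, better, building the query-pr arguments as a list so no shell parses them) is worth a follow-up while this block is being touched. The regex change itself looks fine: `/` has no special meaning inside the single quotes the value is wrapped in. One nit on the second `+` line: the message reads `', /,-, [, ]` and should read `', /, -, [, ]` to keep the list's spacing consistent.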
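An added example, not code from the FreeBSD www repository or from the patch above, showing what the widened whitelist changes for a `category/port` value and how an untainted value can be handed to query-pr without building a shell string. The field names and sample values are constructed; the two regexes are copied from the `-` and `+` lines of the hunk.

```perl
#!/usr/bin/perl
# Added example, not part of query-pr-summary.cgi: compares the pre- and
# post-patch whitelist regexes and builds the query-pr arguments as a list.
# Run as: perl -T example.pl   (taint mode, which the original script requires)
use strict;
use warnings;

# Character classes copied from the '-' and '+' lines of the patch.
my $OLD = qr/^([-^'\[\]\@\s\w.]+)$/;
my $NEW = qr/^([-^'\/\[\]\@\s\w.]+)$/;

# Return the captured (and therefore untainted) value when it matches the
# whitelist, or undef when it does not.
sub untaint {
    my ($re, $value) = @_;
    return ($value =~ $re) ? $1 : undef;
}

# Turn a hash of filter fields into "--field=value" arguments. Fields that
# fail the whitelist are ignored, as in the original script. Because the
# result is a list intended for system(LIST) / exec(LIST), no shell parses
# it and no quote escaping is needed.
sub build_args {
    my (%input) = @_;
    my @args;
    for my $field (sort keys %input) {
        my $d = untaint($NEW, $input{$field});
        next unless defined $d;
        push @args, "--$field=$d";
    }
    return @args;
}

# Constructed sample values: a category/port name (rejected before the patch,
# accepted after), a bare port name, and a value containing a shell
# metacharacter, which both regexes reject.
for my $v ('editors/vim', 'vim', 'a;b') {
    printf "%-12s old: %-8s new: %s\n", $v,
        (defined untaint($OLD, $v) ? 'ok' : 'rejected'),
        (defined untaint($NEW, $v) ? 'ok' : 'rejected');
}

# Constructed filter fields; the list form is what would be passed to
# system() or exec() in place of a concatenated $query_args string.
my @cmd = ('query-pr', build_args(text => 'editors/vim', category => 'www'));
print join(' ', @cmd), "\n";
```

The list form is the design point: once the value has passed the whitelist, handing it to `system(LIST)` means the `'` escaping in the original block is no longer load-bearing, and widening the character class to include `/` (or any other character) only has to be judged against what query-pr itself accepts.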