Date: Sun, 8 Oct 2006 16:50:17 GMT
From: "Simon L. Nielsen" <simon@FreeBSD.org>
To: freebsd-www@FreeBSD.org
Subject: Re: www/104131: it's impossible to search for 'category/port' using PR web interface (http://www.freebsd.org/cgi/query-pr-summary.cgi?query) fails with
Message-ID: <200610081650.k98GoHpF051732@freefall.freebsd.org>
The following reply was made to PR www/104131; it has been noted by GNATS.

From: "Simon L. Nielsen" <simon@FreeBSD.org>
To: Ceri Davies <ceri@submonkey.net>
Cc: freebsd-gnats-submit@FreeBSD.org
Subject: Re: www/104131: it's impossible to search for 'category/port' using PR web interface (http://www.freebsd.org/cgi/query-pr-summary.cgi?query) fails with
Date: Sun, 8 Oct 2006 18:48:42 +0200

On 2006.10.08 10:50:22 +0000, Ceri Davies wrote:
> The following reply was made to PR www/104131; it has been noted by GNATS.
>
> From: Ceri Davies <ceri@submonkey.net>
> To: FreeBSD Gnats Submit <freebsd-gnats-submit@FreeBSD.org>
> Cc:
> Subject: Re: www/104131: it's impossible to search for 'category/port' using PR web interface (http://www.freebsd.org/cgi/query-pr-summary.cgi?query) fails with
> Date: Sun, 8 Oct 2006 11:45:24 +0100
>
> On Sat, Oct 07, 2006 at 07:48:30PM +0000, trasz wrote:
>
> > It's impossible to search for PRs for, say, editors/vim port, by putting 'editors/vim'
> > into 'Text in single-line fields:' field. It complains about invalid characters in filter
> > and returns all the PRs in the database.
>
> Here's the patch. I don't see how it could cause a problem, but simon
> will probably want to look at it.

I don't see that causing any problems security wise. There is a minor
nit wrt. a missing space below, but otherwise the patch looks good to
me.

> Index: query-pr-summary.cgi
> ===================================================================
> RCS file: /home/dcvs/www/en/cgi/query-pr-summary.cgi,v
> retrieving revision 1.56
> diff -u -r1.56 query-pr-summary.cgi
> --- query-pr-summary.cgi	24 Sep 2006 13:34:55 -0000	1.56
> +++ query-pr-summary.cgi	8 Oct 2006 10:43:55 -0000
> @@ -276,14 +276,14 @@ > # Check if the arguments provided by user are secure. > # This is required to be able to run this script in > # taint mode (perl -T) > - if ($input{$_} =3D~ /^([-^'\[\]\@\s\w.]+)$/) { > + if ($input{$_} =3D~ /^([-^'\/\[\]\@\s\w.]+)$/) { > $d =3D $1; > $d =3D~ s/^"(.*)"$/$&/; > $d =3D~ s/'/\\'/; > $query_args .=3D " --${_}=3D'$d'"; > } else { > print "Insecure data in ${_}! Ignoring this filter.<br />". > - "Only alphanumeric characters and ', -, [, ], ^, @ are allowed= =2E"; > + "Only alphanumeric characters and ', /,-, [, ], ^, @ are allow= ed."; Missing: ^ space > } > } > } --=20 Simon L. Nielsen --qcHopEYAB45HaUaB Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (FreeBSD) iD8DBQFFKSvqNE7ltJU9KiERAiKsAJ9vrJIJKAbuxnpveX588XKOWmQ1dgCfWdMl GORHtF5fdQDqCNEL0hawGXU= =BA+p -----END PGP SIGNATURE----- --qcHopEYAB45HaUaB--
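Review bot: The second changed line of the hunk, the user-facing message "Only alphanumeric characters and ', /,-, [, ], ^, @ are allowed.", is missing a space after "/," and should read "Only alphanumeric characters and ', /, -, [, ], ^, @ are allowed." so the separator list stays consistent (the same nit Simon marks inline with "Missing: ^ space"). Widening the whitelist on the first changed line to `/^([-^'\/\[\]\@\s\w.]+)$/` is harmless by itself, since `$d` is wrapped in single quotes when appended to `$query_args`; the line that deserves a second look while this block is being touched is the unchanged `$d =~ s/'/\\'/;` two lines below, which escapes only the first single quote (no `/g`) even though `'` is already in the allowed class, and a backslash does not escape `'` inside a single-quoted Bourne shell word anyway. If `$query_args` is ever handed to a shell, that quote handling, not the new `/`, is where the taint check is weakest; consider `s/'/'\\''/g` or, better, passing the arguments as a list so no shell interpolation happens at all.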