www/104131: it's impossible to search for 'category/port' using PR web interface (http://www.freebsd.org/cgi/query-pr-summary.cgi?query) fails with
Simon L. Nielsen
simon at FreeBSD.org
Sun Oct 8 09:50:18 PDT 2006
The following reply was made to PR www/104131; it has been noted by GNATS.
From: "Simon L. Nielsen" <simon at FreeBSD.org>
To: Ceri Davies <ceri at submonkey.net>
Cc: freebsd-gnats-submit at FreeBSD.org
Subject: Re: www/104131: it's impossible to search for 'category/port' using PR web interface (http://www.freebsd.org/cgi/query-pr-summary.cgi?query) fails with
Date: Sun, 8 Oct 2006 18:48:42 +0200
On 2006.10.08 10:50:22 +0000, Ceri Davies wrote:
> The following reply was made to PR www/104131; it has been noted by GNATS.
>
> From: Ceri Davies <ceri at submonkey.net>
> To: FreeBSD Gnats Submit <freebsd-gnats-submit at FreeBSD.org>
> Cc:
> Subject: Re: www/104131: it's impossible to search for 'category/port' using PR web interface (http://www.freebsd.org/cgi/query-pr-summary.cgi?query) fails with
> Date: Sun, 8 Oct 2006 11:45:24 +0100
>
> On Sat, Oct 07, 2006 at 07:48:30PM +0000, trasz wrote:
>
> > It's impossible to search for PRs for, say, editors/vim port, by putting 'editors/vim'
> > into 'Text in single-line fields:' field. It complains about invalid characters in filter
> > and returns all the PRs in the database.
>
> Here's the patch. I don't see how it could cause a problem, but simon
> will probably want to look at it.
I don't see that causing any problems security-wise. There is a minor
nit wrt. a missing space below, but otherwise the patch looks good to
me.
> Index: query-pr-summary.cgi
> =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
> RCS file: /home/dcvs/www/en/cgi/query-pr-summary.cgi,v
> retrieving revision 1.56
> diff -u -r1.56 query-pr-summary.cgi
> --- query-pr-summary.cgi 24 Sep 2006 13:34:55 -0000 1.56
> +++ query-pr-summary.cgi 8 Oct 2006 10:43:55 -0000
> @@ -276,14 +276,14 @@
> # Check if the arguments provided by user are secure.
> # This is required to be able to run this script in
> # taint mode (perl -T)
> - if ($input{$_} =3D~ /^([-^'\[\]\@\s\w.]+)$/) {
> + if ($input{$_} =3D~ /^([-^'\/\[\]\@\s\w.]+)$/) {
> $d =3D $1;
> $d =3D~ s/^"(.*)"$/$&/;
> $d =3D~ s/'/\\'/;
> $query_args .=3D " --${_}=3D'$d'";
> } else {
> print "Insecure data in ${_}! Ignoring this filter.<br />".
> - "Only alphanumeric characters and ', -, [, ], ^, @ are allowed=
=2E";
> + "Only alphanumeric characters and ', /,-, [, ], ^, @ are allow=
ed.";
Missing: ^ space
> }
> }
> }
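Review bot: the widened character class on the changed line still admits a single quote, and the substitution meant to neutralise it a few lines below, `$d =~ s/'/\\'/;`, has no /g modifier, so only the first ' in $d is escaped before $d is interpolated inside single quotes into $query_args; adding / to the whitelist introduces no new metacharacter and is fine on its own, but while this block is being touched the substitution should become `$d =~ s/'/\\'/g;`. Two smaller points in the same region: `$d =~ s/^"(.*)"$/$&/;` replaces the match with itself and therefore does nothing, and the new message text `', /,-, [` needs a space after the comma before -, as already noted above.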
-- 
Simon L. Nielsen