aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorlpsolit%gmail.com <>2008-12-03 07:00:43 +0000
committerlpsolit%gmail.com <>2008-12-03 07:00:43 +0000
commit33429813a654f7a93a7be40b35e9fb7629d74dab (patch)
tree90414530e55ab4ea692c7d193f38f0e2c9f6653a
parentf21dafef9ba8f687094aa944e93bc229c0491e50 (diff)
downloadbugs-33429813a654f7a93a7be40b35e9fb7629d74dab.tar
bugs-33429813a654f7a93a7be40b35e9fb7629d74dab.tar.gz
bugs-33429813a654f7a93a7be40b35e9fb7629d74dab.tar.bz2
bugs-33429813a654f7a93a7be40b35e9fb7629d74dab.tar.xz
bugs-33429813a654f7a93a7be40b35e9fb7629d74dab.zip
Bug 463688: editusers.cgi no longer lets you search for users using regular expressions - Patch by Frédéric Buclin <LpSolit@gmail.com> r=mkanat r=xiaoou a=LpSolit
-rw-r--r--Bugzilla/DB.pm13
-rw-r--r--Bugzilla/DB/Mysql.pm10
-rw-r--r--Bugzilla/DB/Oracle.pm12
-rw-r--r--Bugzilla/DB/Pg.pm10
-rwxr-xr-xeditusers.cgi21
5 files changed, 38 insertions, 28 deletions
diff --git a/Bugzilla/DB.pm b/Bugzilla/DB.pm
index 03e8e4de3..377f83930 100644
--- a/Bugzilla/DB.pm
+++ b/Bugzilla/DB.pm
@@ -1556,6 +1556,11 @@ Abstract method, should be overridden by database specific code.
=item C<$pattern> - the regular expression to search for (scalar)
+=item C<$nocheck> - true if the pattern should not be tested; false otherwise (boolean)
+
+=item C<$real_pattern> - the real regular expression to search for.
+This argument is used when C<$pattern> is a placeholder ('?').
+
=back
=item B<Returns>
@@ -1578,13 +1583,7 @@ Abstract method, should be overridden by database specific code.
=item B<Params>
-=over
-
-=item C<$expr> - SQL expression for the text to be searched (scalar)
-
-=item C<$pattern> - the regular expression to search for (scalar)
-
-=back
+Same as L</sql_regexp>.
=item B<Returns>
diff --git a/Bugzilla/DB/Mysql.pm b/Bugzilla/DB/Mysql.pm
index 92263af9d..c9a80a93d 100644
--- a/Bugzilla/DB/Mysql.pm
+++ b/Bugzilla/DB/Mysql.pm
@@ -136,17 +136,19 @@ sub sql_group_concat {
}
sub sql_regexp {
- my ($self, $expr, $pattern, $nocheck) = @_;
+ my ($self, $expr, $pattern, $nocheck, $real_pattern) = @_;
+ $real_pattern ||= $pattern;
- $self->bz_check_regexp($pattern) if !$nocheck;
+ $self->bz_check_regexp($real_pattern) if !$nocheck;
return "$expr REGEXP $pattern";
}
sub sql_not_regexp {
- my ($self, $expr, $pattern, $nocheck) = @_;
+ my ($self, $expr, $pattern, $nocheck, $real_pattern) = @_;
+ $real_pattern ||= $pattern;
- $self->bz_check_regexp($pattern) if !$nocheck;
+ $self->bz_check_regexp($real_pattern) if !$nocheck;
return "$expr NOT REGEXP $pattern";
}
diff --git a/Bugzilla/DB/Oracle.pm b/Bugzilla/DB/Oracle.pm
index 854b72a43..833fce635 100644
--- a/Bugzilla/DB/Oracle.pm
+++ b/Bugzilla/DB/Oracle.pm
@@ -99,7 +99,7 @@ sub bz_check_regexp {
my ($self, $pattern) = @_;
eval { $self->do("SELECT 1 FROM DUAL WHERE "
- . $self->sql_regexp($self->quote("a"), $self->quote($pattern), 1)) };
+ . $self->sql_regexp($self->quote("a"), $pattern, 1)) };
$@ && ThrowUserError('illegal_regexp',
{ value => $pattern, dberror => $self->errstr });
@@ -115,17 +115,19 @@ sub bz_explain {
}
sub sql_regexp {
- my ($self, $expr, $pattern, $nocheck) = @_;
+ my ($self, $expr, $pattern, $nocheck, $real_pattern) = @_;
+ $real_pattern ||= $pattern;
- $self->bz_check_regexp($pattern) if !$nocheck;
+ $self->bz_check_regexp($real_pattern) if !$nocheck;
return "REGEXP_LIKE($expr, $pattern)";
}
sub sql_not_regexp {
- my ($self, $expr, $pattern, $nocheck) = @_;
+ my ($self, $expr, $pattern, $nocheck, $real_pattern) = @_;
+ $real_pattern ||= $pattern;
- $self->bz_check_regexp($pattern) if !$nocheck;
+ $self->bz_check_regexp($real_pattern) if !$nocheck;
return "NOT REGEXP_LIKE($expr, $pattern)"
}
diff --git a/Bugzilla/DB/Pg.pm b/Bugzilla/DB/Pg.pm
index d06decaa3..66ad4b1ec 100644
--- a/Bugzilla/DB/Pg.pm
+++ b/Bugzilla/DB/Pg.pm
@@ -93,17 +93,19 @@ sub bz_last_key {
}
sub sql_regexp {
- my ($self, $expr, $pattern, $nocheck) = @_;
+ my ($self, $expr, $pattern, $nocheck, $real_pattern) = @_;
+ $real_pattern ||= $pattern;
- $self->bz_check_regexp($pattern) if !$nocheck;
+ $self->bz_check_regexp($real_pattern) if !$nocheck;
return "$expr ~* $pattern";
}
sub sql_not_regexp {
- my ($self, $expr, $pattern, $nocheck) = @_;
+ my ($self, $expr, $pattern, $nocheck, $real_pattern) = @_;
+ $real_pattern ||= $pattern;
- $self->bz_check_regexp($pattern) if !$nocheck;
+ $self->bz_check_regexp($real_pattern) if !$nocheck;
return "$expr !~* $pattern"
}
diff --git a/editusers.cgi b/editusers.cgi
index 23adb6eb7..6dac96788 100755
--- a/editusers.cgi
+++ b/editusers.cgi
@@ -136,23 +136,28 @@ if ($action eq 'search') {
} else {
$expr = "profiles.login_name";
}
+
+ if ($matchstr =~ /^(regexp|notregexp|exact)$/) {
+ $matchstr ||= '.';
+ }
+ else {
+ $matchstr = '' unless defined $matchstr;
+ }
+ # We can trick_taint because we use the value in a SELECT only,
+ # using a placeholder.
+ trick_taint($matchstr);
+
if ($matchtype eq 'regexp') {
- $query .= $dbh->sql_regexp($expr, '?');
- $matchstr = '.' unless $matchstr;
+ $query .= $dbh->sql_regexp($expr, '?', 0, $dbh->quote($matchstr));
} elsif ($matchtype eq 'notregexp') {
- $query .= $dbh->sql_not_regexp($expr, '?');
- $matchstr = '.' unless $matchstr;
+ $query .= $dbh->sql_not_regexp($expr, '?', 0, $dbh->quote($matchstr));
} elsif ($matchtype eq 'exact') {
$query .= $expr . ' = ?';
- $matchstr = '.' unless $matchstr;
} else { # substr or unknown
$query .= $dbh->sql_istrcmp($expr, '?', 'LIKE');
$matchstr = "%$matchstr%";
}
$nextCondition = 'AND';
- # We can trick_taint because we use the value in a SELECT only,
- # using a placeholder.
- trick_taint($matchstr);
push(@bindValues, $matchstr);
}