[Trac-tickets] [The Trac Project] #2759: Search query is too simplistic

The Trac Project noreply at edgewall.com
Mon Feb 13 14:23:38 CST 2006


#2759: Search query is too simplistic
----------------------------------------------------+-----------------------
 Reporter:  Andres Salomon <dilinger at athenacr.com>  |       Owner:  jonas
     Type:  defect                                  |      Status:  new  
 Priority:  normal                                  |   Milestone:  0.10 
Component:  search system                           |     Version:  none 
 Severity:  major                                   |    Keywords:       
----------------------------------------------------+-----------------------
 Hi,

 While looking through Trac's Search stuff in trunk, I've noticed that the
 search logic is far too easily fooled (some of it requires malicious intent,
 some does not).  Here are some examples (I have quoted what I actually
 searched for; that does not mean I used quotes in the text input field
 unless there are quotes inside the string):

 1) searching for "'core feature'" returns 1 result (not highlighted)
 2) " 'core feature'" returns 0 results; the problem is the query_to_sql()
 function only matches quotes at the beginning or end of the query.  If
 someone wants to do a moderately complex search (i.e., "foo 'bar baz'"),
 they will not get the results they expect.
 3) ""core feature"" returns 1 result, and replaces the " with &#34; in the
 text input field.
 4) "&#34;core feature&#34;" (which is what the text input window contains
 after searching for ""core feature"") returns 0 results
 5) "a" fails the 'too short' test.
 6) "%a%" happily returns every result in the database.
 7) "_a_" also will return every result in the database.
 8) ditto for "'a'"
 9) "\%a" doesn't actually tell me how many results it finds (I assume the
 SQL query it's running is invalid, but I'm not sure how to turn on query
 logging in SQLite).  It returns 4 wiki pages, however.

 These are all done on a fresh, default Trac install (r2894).  #9 is
 worrisome, as if there is unquoted SQL making its way into the database,
 that's a security risk.  I will follow up shortly w/ a patch to rework
 this search stuff.

-- 
Ticket URL: <http://projects.edgewall.com/trac/ticket/2759>
The Trac Project <http://trac.edgewall.com/>
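The following is an added illustration of how items 2, 6, 7 and 8 of the report can be handled: quoted phrases are recognised anywhere in the query, the length check runs after quotes are stripped, and LIKE wildcards are escaped and bound as parameters. It is not Trac's query_to_sql() nor the reporter's patch; the wiki table and sample rows are constructed for the demonstration.

```python
import re
import sqlite3

# Double-quoted phrase, single-quoted phrase, or a bare word, anywhere in the query.
TOKEN_RE = re.compile(r'"([^"]*)"|\'([^\']*)\'|(\S+)')


def parse_terms(query, min_length=3):
    """Split the query into terms; quoted phrases stay whole wherever they appear.
    The 'too short' test runs on the term with its quotes removed, so "'a'" is rejected."""
    terms = []
    for dq, sq, word in TOKEN_RE.findall(query):
        term = dq or sq or word
        if len(term) < min_length:
            raise ValueError('search term too short: %r' % term)
        terms.append(term)
    if not terms:
        raise ValueError('empty query')
    return terms


def like_pattern(term):
    """Escape the LIKE metacharacters so %, _ and \\ in user input match literally."""
    escaped = term.replace('\\', '\\\\').replace('%', '\\%').replace('_', '\\_')
    return '%' + escaped + '%'


def query_to_sql(query, columns=('name', 'text')):
    """Build a parameterised WHERE clause: every term must match at least one column."""
    clauses, params = [], []
    for term in parse_terms(query):
        ors = ' OR '.join("%s LIKE ? ESCAPE '\\'" % col for col in columns)
        clauses.append('(' + ors + ')')
        params.extend([like_pattern(term)] * len(columns))
    return ' AND '.join(clauses), params


def search(rows, query):
    """Run the generated clause against constructed rows in an in-memory SQLite db."""
    db = sqlite3.connect(':memory:')
    db.execute('CREATE TABLE wiki (name TEXT, text TEXT)')
    db.executemany('INSERT INTO wiki VALUES (?, ?)', rows)
    where, params = query_to_sql(query)
    return [name for name, in db.execute('SELECT name FROM wiki WHERE ' + where, params)]


SAMPLE_ROWS = [  # constructed sample data
    ('WikiStart', 'Trac is a core feature rich tracker'),
    ('TracSearch', 'the search box covers 100% of tickets'),
    ('TracInstall', 'install notes'),
]
```

With this builder, "%a%" matches only rows containing the literal text %a%, and " 'core feature'" finds the same page as "'core feature'".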

