-rw-r--r-- | Bugzilla/DB.pm | 13 | ||||
-rw-r--r-- | Bugzilla/DB/Mysql.pm | 10 | ||||
-rw-r--r-- | Bugzilla/DB/Oracle.pm | 12 | ||||
-rw-r--r-- | Bugzilla/DB/Pg.pm | 10 | ||||
-rwxr-xr-x | editusers.cgi | 21 |
5 files changed, 38 insertions, 28 deletions
diff --git a/Bugzilla/DB.pm b/Bugzilla/DB.pm
index 03e8e4de3..377f83930 100644
--- a/Bugzilla/DB.pm
+++ b/Bugzilla/DB.pm
@@ -1556,6 +1556,11 @@ Abstract method, should be overridden by database specific code.
 
 =item C<$pattern> - the regular expression to search for (scalar)
 
+=item C<$nocheck> - true if the pattern should not be tested; false otherwise (boolean)
+
+=item C<$real_pattern> - the real regular expression to search for.
+This argument is used when C<$pattern> is a placeholder ('?').
+
 =back
 
 =item B<Returns>
@@ -1578,13 +1583,7 @@ Abstract method, should be overridden by database specific code.
 
 =item B<Params>
 
-=over
-
-=item C<$expr> - SQL expression for the text to be searched (scalar)
-
-=item C<$pattern> - the regular expression to search for (scalar)
-
-=back
+Same as L</sql_regexp>.
 
 =item B<Returns>
 
diff --git a/Bugzilla/DB/Mysql.pm b/Bugzilla/DB/Mysql.pm
index 92263af9d..c9a80a93d 100644
--- a/Bugzilla/DB/Mysql.pm
+++ b/Bugzilla/DB/Mysql.pm
@@ -136,17 +136,19 @@ sub sql_group_concat {
 }
 
 sub sql_regexp {
-    my ($self, $expr, $pattern, $nocheck) = @_;
+    my ($self, $expr, $pattern, $nocheck, $real_pattern) = @_;
+    $real_pattern ||= $pattern;
 
-    $self->bz_check_regexp($pattern) if !$nocheck;
+    $self->bz_check_regexp($real_pattern) if !$nocheck;
 
     return "$expr REGEXP $pattern";
 }
 
 sub sql_not_regexp {
-    my ($self, $expr, $pattern, $nocheck) = @_;
+    my ($self, $expr, $pattern, $nocheck, $real_pattern) = @_;
+    $real_pattern ||= $pattern;
 
-    $self->bz_check_regexp($pattern) if !$nocheck;
+    $self->bz_check_regexp($real_pattern) if !$nocheck;
 
     return "$expr NOT REGEXP $pattern";
 }
 
diff --git a/Bugzilla/DB/Oracle.pm b/Bugzilla/DB/Oracle.pm
index 854b72a43..833fce635 100644
--- a/Bugzilla/DB/Oracle.pm
+++ b/Bugzilla/DB/Oracle.pm
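Review bot: The new `=item C<$real_pattern>` entry does not say that this value is interpolated, not bound, into the probe query that `bz_check_regexp` runs, so a caller could reasonably pass the raw search string here and open a SQL injection in the check itself. The Oracle hunk later in this commit puts the pattern straight into `REGEXP_LIKE(...)` without `quote()`, and editusers.cgi passes `$dbh->quote($matchstr)`, so the actual contract is "already an SQL string literal". I would extend the entry to: `=item C<$real_pattern> - the real regular expression to search for, already quoted as an SQL string literal (e.g. via C<quote()>). This argument is used when C<$pattern> is a placeholder ('?'); it is interpolated, not bound, into the validation query, so it must never be raw user input.`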
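Review bot: `$real_pattern ||= $pattern;` in both `sql_regexp` and `sql_not_regexp` silently substitutes the placeholder when a caller passes `'?'` without a real pattern and without `$nocheck`, so the validation probe then runs with an unbound `?`; judging by the visible Oracle `bz_check_regexp`, that surfaces as an `illegal_regexp` user error for the value `?` rather than as a programming error. The same fallback appears in the Oracle and Pg hunks of this commit. It would be clearer to treat that combination as a caller bug, or at minimum to document it on the fallback line: `# A placeholder cannot be validated; callers passing '?' must supply $real_pattern (or set $nocheck).`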
@@ -99,7 +99,7 @@ sub bz_check_regexp {
     my ($self, $pattern) = @_;
 
     eval { $self->do("SELECT 1 FROM DUAL WHERE "
-                     . $self->sql_regexp($self->quote("a"), $self->quote($pattern), 1)) };
+                     . $self->sql_regexp($self->quote("a"), $pattern, 1)) };
 
     $@ && ThrowUserError('illegal_regexp',
                          { value => $pattern, dberror => $self->errstr });
@@ -115,17 +115,19 @@ sub bz_explain {
 }
 
 sub sql_regexp {
-    my ($self, $expr, $pattern, $nocheck) = @_;
+    my ($self, $expr, $pattern, $nocheck, $real_pattern) = @_;
+    $real_pattern ||= $pattern;
 
-    $self->bz_check_regexp($pattern) if !$nocheck;
+    $self->bz_check_regexp($real_pattern) if !$nocheck;
 
     return "REGEXP_LIKE($expr, $pattern)";
 }
 
 sub sql_not_regexp {
-    my ($self, $expr, $pattern, $nocheck) = @_;
+    my ($self, $expr, $pattern, $nocheck, $real_pattern) = @_;
+    $real_pattern ||= $pattern;
 
-    $self->bz_check_regexp($pattern) if !$nocheck;
+    $self->bz_check_regexp($real_pattern) if !$nocheck;
 
     return "NOT REGEXP_LIKE($expr, $pattern)"
 }
 
diff --git a/Bugzilla/DB/Pg.pm b/Bugzilla/DB/Pg.pm
index d06decaa3..66ad4b1ec 100644
--- a/Bugzilla/DB/Pg.pm
+++ b/Bugzilla/DB/Pg.pm
@@ -93,17 +93,19 @@ sub bz_last_key {
 }
 
 sub sql_regexp {
-    my ($self, $expr, $pattern, $nocheck) = @_;
+    my ($self, $expr, $pattern, $nocheck, $real_pattern) = @_;
+    $real_pattern ||= $pattern;
 
-    $self->bz_check_regexp($pattern) if !$nocheck;
+    $self->bz_check_regexp($real_pattern) if !$nocheck;
 
     return "$expr ~* $pattern";
 }
 
 sub sql_not_regexp {
-    my ($self, $expr, $pattern, $nocheck) = @_;
+    my ($self, $expr, $pattern, $nocheck, $real_pattern) = @_;
+    $real_pattern ||= $pattern;
 
-    $self->bz_check_regexp($pattern) if !$nocheck;
+    $self->bz_check_regexp($real_pattern) if !$nocheck;
 
     return "$expr !~* $pattern"
 }
 
diff --git a/editusers.cgi b/editusers.cgi
index 23adb6eb7..6dac96788 100755
--- a/editusers.cgi
+++ b/editusers.cgi
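Review bot: After this change `bz_check_regexp` interpolates `$pattern` into `REGEXP_LIKE('a', $pattern)` without quoting it, so the safety of the probe now rests entirely on every caller having already passed the pattern through `quote()` or having set `$nocheck`, and nothing in the function records that precondition. A comment on the `my ($self, $pattern) = @_;` line would make it explicit: `# $pattern must already be a quoted SQL literal (or validation skipped via $nocheck); it is interpolated, not bound, into the probe below.` The function's closing brace lies outside the hunk.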
@@ -136,23 +136,28 @@ if ($action eq 'search') {
     } else {
         $expr = "profiles.login_name";
     }
+
+    if ($matchstr =~ /^(regexp|notregexp|exact)$/) {
+        $matchstr ||= '.';
+    }
+    else {
+        $matchstr = '' unless defined $matchstr;
+    }
+    # We can trick_taint because we use the value in a SELECT only,
+    # using a placeholder.
+    trick_taint($matchstr);
+
     if ($matchtype eq 'regexp') {
-        $query .= $dbh->sql_regexp($expr, '?');
-        $matchstr = '.' unless $matchstr;
+        $query .= $dbh->sql_regexp($expr, '?', 0, $dbh->quote($matchstr));
     } elsif ($matchtype eq 'notregexp') {
-        $query .= $dbh->sql_not_regexp($expr, '?');
-        $matchstr = '.' unless $matchstr;
+        $query .= $dbh->sql_not_regexp($expr, '?', 0, $dbh->quote($matchstr));
     } elsif ($matchtype eq 'exact') {
         $query .= $expr . ' = ?';
-        $matchstr = '.' unless $matchstr;
     } else { # substr or unknown
         $query .= $dbh->sql_istrcmp($expr, '?', 'LIKE');
         $matchstr = "%$matchstr%";
     }
     $nextCondition = 'AND';
-    # We can trick_taint because we use the value in a SELECT only,
-    # using a placeholder.
-    trick_taint($matchstr);
     push(@bindValues, $matchstr);
 }
 
|
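Review bot: The new guard `if ($matchstr =~ /^(regexp|notregexp|exact)$/)` tests the search string instead of `$matchtype`, so the `'.'` default is only reached when the user literally typed one of those three words (where `||=` is then a no-op); an empty regexp search now binds `''` and hands `$dbh->quote('')` to `bz_check_regexp`, instead of matching every user as the removed `$matchstr = '.' unless $matchstr;` lines did. The fix is one line: `if ($matchtype =~ /^(regexp|notregexp|exact)$/) {`. The relocated comment is also slightly stale now that a `quote()`d copy of `$matchstr` is interpolated into the validation query in addition to being bound through the placeholder; I would write `# We can trick_taint because the value is only bound as a placeholder in a SELECT, or interpolated after quote() for the regexp check.` The enclosing `if ($action eq 'search')` block starts before the hunk.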