From c9aaffd4541554af069e4ac097c39f567b02f55a Mon Sep 17 00:00:00 2001
From: Frédéric Buclin
Date: Sat, 26 Nov 2011 01:08:58 +0100
Subject: Bug 255606: Do not let buglist.cgi return all bugs by default r/a=mkanat
---
 Bugzilla/Config.pm | 5 +++++
 Bugzilla/Config/Query.pm | 2 +-
 Bugzilla/Search.pm | 5 +++++
 buglist.cgi | 2 +-
 collectstats.pl | 1 +
 template/en/default/admin/params/query.html.tmpl | 11 ++++++++---
 template/en/default/global/messages.html.tmpl | 4 ++++
 template/en/default/search/search-specific.html.tmpl | 2 +-
 whine.pl | 10 +++++++++-
 9 files changed, 35 insertions(+), 7 deletions(-)
diff --git a/Bugzilla/Config.pm b/Bugzilla/Config.pm
index c247a072a..990fd8dd2 100644
--- a/Bugzilla/Config.pm
+++ b/Bugzilla/Config.pm
@@ -193,6 +193,11 @@ sub update_params {
 $new_params{'ssl_redirect'} = 1;
 }
+ # "specific_search_allow_empty_words" has been renamed to "search_allow_no_criteria".
+ if (exists $param->{'specific_search_allow_empty_words'}) {
+ $new_params{'search_allow_no_criteria'} = $param->{'specific_search_allow_empty_words'};
+ }
+
 # --- DEFAULTS FOR NEW PARAMS ---
 _load_params unless %params;
diff --git a/Bugzilla/Config/Query.pm b/Bugzilla/Config/Query.pm
index 17a74998e..4038c13ef 100644
--- a/Bugzilla/Config/Query.pm
+++ b/Bugzilla/Config/Query.pm
@@ -68,7 +68,7 @@ sub get_param_list {
 },
 {
- name => 'specific_search_allow_empty_words',
+ name => 'search_allow_no_criteria',
 type => 'b',
 default => 1
 },
diff --git a/Bugzilla/Search.pm b/Bugzilla/Search.pm
index d47e0ae99..6bbf4ab42 100644
--- a/Bugzilla/Search.pm
+++ b/Bugzilla/Search.pm
@@ -1168,6 +1168,11 @@ sub _sql_where {
 if ($clause_sql) {
 $where .= "\n AND " . $clause_sql;
 }
+ elsif (!Bugzilla->params->{'search_allow_no_criteria'}
+ && !$self->{allow_unlimited})
+ {
+ ThrowUserError('buglist_parameters_required');
+ }
 return $where;
 }
diff --git a/buglist.cgi b/buglist.cgi
index e928af905..df421171d 100755
--- a/buglist.cgi
+++ b/buglist.cgi
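Review bot: The renamed parameter keeps `default => 1`, so a fresh install still allows criteria-free queries, while the new description in query.html.tmpl says turning it on is not recommended on large installations and the commit title says buglist.cgi should not return all bugs by default. Because update_params in Config.pm copies the old `specific_search_allow_empty_words` value over, existing installations keep their setting either way, so this default only decides what new installs get; consider `default => 0` if the safer behaviour is the intent. If 1 is kept deliberately for compatibility, a one-line comment above it saying so, e.g. `# Kept at 1 so a rename does not change behaviour for installs that never set the old param.`, would stop the next reader from raising this again. The enclosing `get_param_list` list starts and ends outside the hunk.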
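Review bot: The new guard reads `$self->{allow_unlimited}`, and nothing in this commit shows the Bugzilla::Search constructor storing that key; collectstats.pl passes `'allow_unlimited' => 1` to `new Bugzilla::Search(...)`, so if `new` does not copy arbitrary constructor arguments into `$self` the bypass silently does nothing and collectstats.pl will start failing with `buglist_parameters_required` once the parameter is turned off. Because the check sits in `_sql_where`, it now applies to every caller of `->sql`, not only buglist.cgi; callers other than collectstats.pl and the whine.pl eval presumably inherit it and should be checked for legitimate all-bug queries. A short comment on the `elsif` would record the reasoning: `# No user criteria means "every bug this user can see"; refuse that unless the admin allows it or the caller explicitly asked for an unlimited result.` `_sql_where` starts outside the hunk.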
@@ -82,7 +82,7 @@ if (defined($searchstring)) {
 # If configured to not allow empty words, reject empty searches from the
 # Find a Specific Bug search form, including words being a single or
 # several consecutive whitespaces only.
-if (!Bugzilla->params->{'specific_search_allow_empty_words'}
+if (!Bugzilla->params->{'search_allow_no_criteria'}
 && defined($cgi->param('content')) && $cgi->param('content') =~ /^\s*$/) {
 ThrowUserError("buglist_parameters_required");
diff --git a/collectstats.pl b/collectstats.pl
index 26bead6ab..007669fad 100755
--- a/collectstats.pl
+++ b/collectstats.pl
@@ -507,6 +507,7 @@ sub CollectSeriesData {
 eval {
 my $search = new Bugzilla::Search('params' => scalar $cgi->Vars,
 'fields' => ["bug_id"],
+ 'allow_unlimited' => 1,
 'user' => $user);
 my $sql = $search->sql;
 $data = $shadow_dbh->selectall_arrayref($sql);
diff --git a/template/en/default/admin/params/query.html.tmpl b/template/en/default/admin/params/query.html.tmpl
index d8f5f0c42..255c75a6b 100644
--- a/template/en/default/admin/params/query.html.tmpl
+++ b/template/en/default/admin/params/query.html.tmpl
@@ -51,9 +51,14 @@ "access the advanced query page. It's in URL parameter " _ "format, which makes it hard to read. Sorry!",
- specific_search_allow_empty_words =>
- "Whether to allow a search on the 'Simple Search' page with an empty"
- _ " 'Words' field.",
+ search_allow_no_criteria =>
+ "Unless the code explicitly allows all $terms.bugs to be returned, this " _
+ "parameter permits to block the execution of queries with no criteria. " _
+ "When turned off, a query must have some criteria specified to limit " _
+ "the number of $terms.bugs returned to the user. When turned on, a user " _
+ "is allowed to run a query with no criteria and get all $terms.bugs he can " _
+ "see in his list. Turning this parameter on is not recommended on large " _
+ "installations.",
 default_search_limit => "By default, $terms.Bugzilla limits searches done in the web"
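Review bot: The comment block directly above the renamed condition still describes the old `specific_search_allow_empty_words` semantics ("If configured to not allow empty words"), which no longer matches the parameter named on the new line; with the Search.pm guard added in the same commit, this check now only covers the whitespace-only `content` field of the Specific Search form, and the comment should say so. Suggested first comment line: `# If searches without criteria are disabled, also reject a whitespace-only 'Words' field from the`, keeping the rest of the sentence. The closing brace of this `if` block is outside the hunk.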
diff --git a/template/en/default/global/messages.html.tmpl b/template/en/default/global/messages.html.tmpl
index a550273db..f5746ba08 100644
--- a/template/en/default/global/messages.html.tmpl
+++ b/template/en/default/global/messages.html.tmpl
@@ -920,6 +920,10 @@ No changes made to version [% version.name FILTER html %].
 [% END %]
+ [% ELSIF message_tag == "whine_query_failed" %]
+ The query '[% query_name FILTER html %]' from [% author.login FILTER html %]
+ failed: [% reason FILTER html %]
+
 [% ELSIF message_tag == "workflow_updated" %]
 The workflow has been updated.
 [% END %]
diff --git a/template/en/default/search/search-specific.html.tmpl b/template/en/default/search/search-specific.html.tmpl
index f79d9bb4f..32649c348 100644
--- a/template/en/default/search/search-specific.html.tmpl
+++ b/template/en/default/search/search-specific.html.tmpl
@@ -108,7 +108,7 @@ for "crash secure SSL flash".
- [% IF Param('specific_search_allow_empty_words') %]
+ [% IF Param('search_allow_no_criteria') %]
 [% ELSE %]
 scalar $searchparams->Vars, 'user' => $args->{'recipient'}, # the search runs as the recipient
 );
- my $sqlquery = $search->sql;
+ # If a query fails for whatever reason, it shouldn't kill the script.
+ my $sqlquery = eval { $search->sql };
+ if ($@) {
+ say get_text('whine_query_failed', { query_name => $thisquery->{'name'},
+ author => $args->{'author'},
+ reason => $@ });
+ next;
+ }
+
 $sth = $dbh->prepare($sqlquery);
 $sth->execute;
-- cgit v1.2.3-24-g4f1b
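Review bot: The new `whine_query_failed` message is consumed by whine.pl, which prints the `get_text(...)` result to the console with `say`, yet all three interpolations go through `FILTER html`; unless `get_text` renders this file through a text-mode wrapper that strips entities, a login such as `user@example.com` or a quote in the query name will reach the terminal or cron mail as HTML entities. Worth checking how the other console-only messages in this file filter their values and matching that convention here. The surrounding `[% IF message_tag ... %]` chain starts and ends outside the hunk.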
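Review bot: `next` on the new error path advances whichever loop encloses this code, and that loop starts outside the hunk; if the search is built inside a per-recipient loop nested in the per-query loop, a failing query is reported once per recipient, and if the nesting is the other way round the remaining recipients of a later query are skipped, so it is worth confirming which loop `next` targets. The comment states the intent but not the expected trigger; suggested replacement: `# With search_allow_no_criteria off, Search.pm throws buglist_parameters_required for a criteria-free query; report any failure (that one or a genuine DB error) and move on rather than aborting the whole whine run.` `say` needs `use feature 'say'` or an equivalent `use 5.10`-style pragma in this file, which the hunk does not show.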