Commit 9eb55706 authored by lpsolit%gmail.com's avatar lpsolit%gmail.com

Bug 300552: Eliminate deprecated Bugzilla::DB routines from Search.pm - Patch by…

Bug 300552: Eliminate deprecated Bugzilla::DB routines from Search.pm - Patch by Olav Vitters <bugzilla-mozilla@bkor.dhs.org> r=LpSolit a=justdave
parent 9ba2fb41
...@@ -294,9 +294,10 @@ sub init { ...@@ -294,9 +294,10 @@ sub init {
} }
if ($chfieldfrom ne '' || $chfieldto ne '') { if ($chfieldfrom ne '' || $chfieldto ne '') {
my $sql_chfrom = $chfieldfrom ? &::SqlQuote(SqlifyDate($chfieldfrom)):''; my $sql_chfrom = $chfieldfrom ? $dbh->quote(SqlifyDate($chfieldfrom)):'';
my $sql_chto = $chfieldto ? &::SqlQuote(SqlifyDate($chfieldto)) :''; my $sql_chto = $chfieldto ? $dbh->quote(SqlifyDate($chfieldto)) :'';
my $sql_chvalue = $chvalue ne '' ? &::SqlQuote($chvalue) : ''; my $sql_chvalue = $chvalue ne '' ? $dbh->quote($chvalue) : '';
trick_taint($sql_chvalue);
if(!@chfield) { if(!@chfield) {
push(@wherepart, "bugs.delta_ts >= $sql_chfrom") if ($sql_chfrom); push(@wherepart, "bugs.delta_ts >= $sql_chfrom") if ($sql_chfrom);
push(@wherepart, "bugs.delta_ts <= $sql_chto") if ($sql_chto); push(@wherepart, "bugs.delta_ts <= $sql_chto") if ($sql_chto);
...@@ -354,7 +355,8 @@ sub init { ...@@ -354,7 +355,8 @@ sub init {
validate_date($deadlinefrom) validate_date($deadlinefrom)
|| ThrowUserError('illegal_date', {date => $deadlinefrom, || ThrowUserError('illegal_date', {date => $deadlinefrom,
format => 'YYYY-MM-DD'}); format => 'YYYY-MM-DD'});
$sql_deadlinefrom = &::SqlQuote($deadlinefrom); $sql_deadlinefrom = $dbh->quote($deadlinefrom);
trick_taint($sql_deadlinefrom);
push(@wherepart, "bugs.deadline >= $sql_deadlinefrom"); push(@wherepart, "bugs.deadline >= $sql_deadlinefrom");
} }
...@@ -363,7 +365,8 @@ sub init { ...@@ -363,7 +365,8 @@ sub init {
validate_date($deadlineto) validate_date($deadlineto)
|| ThrowUserError('illegal_date', {date => $deadlineto, || ThrowUserError('illegal_date', {date => $deadlineto,
format => 'YYYY-MM-DD'}); format => 'YYYY-MM-DD'});
$sql_deadlineto = &::SqlQuote($deadlineto); $sql_deadlineto = $dbh->quote($deadlineto);
trick_taint($sql_deadlineto);
push(@wherepart, "bugs.deadline <= $sql_deadlineto"); push(@wherepart, "bugs.deadline <= $sql_deadlineto");
} }
} }
...@@ -374,7 +377,8 @@ sub init { ...@@ -374,7 +377,8 @@ sub init {
my $s = trim($params->param($f)); my $s = trim($params->param($f));
if ($s ne "") { if ($s ne "") {
my $n = $f; my $n = $f;
my $q = &::SqlQuote($s); my $q = $dbh->quote($s);
trick_taint($q);
my $type = $params->param($f . "_type"); my $type = $params->param($f . "_type");
push(@specialchart, [$f, $type, $s]); push(@specialchart, [$f, $type, $s]);
} }
...@@ -556,13 +560,13 @@ sub init { ...@@ -556,13 +560,13 @@ sub init {
my $table = "longdescs_$chartid"; my $table = "longdescs_$chartid";
push(@supptables, "INNER JOIN longdescs AS $table " . push(@supptables, "INNER JOIN longdescs AS $table " .
"ON $table.bug_id = bugs.bug_id"); "ON $table.bug_id = bugs.bug_id");
$term = "$table.bug_when < " . &::SqlQuote(SqlifyDate($v)); $term = "$table.bug_when < " . $dbh->quote(SqlifyDate($v));
}, },
"^long_?desc,changedafter" => sub { "^long_?desc,changedafter" => sub {
my $table = "longdescs_$chartid"; my $table = "longdescs_$chartid";
push(@supptables, "INNER JOIN longdescs AS $table " . push(@supptables, "INNER JOIN longdescs AS $table " .
"ON $table.bug_id = bugs.bug_id"); "ON $table.bug_id = bugs.bug_id");
$term = "$table.bug_when > " . &::SqlQuote(SqlifyDate($v)); $term = "$table.bug_when > " . $dbh->quote(SqlifyDate($v));
}, },
"^content,matches" => sub { "^content,matches" => sub {
# "content" is an alias for columns containing text for which we # "content" is an alias for columns containing text for which we
...@@ -629,7 +633,7 @@ sub init { ...@@ -629,7 +633,7 @@ sub init {
}, },
"^deadline,(?:lessthan|greaterthan|equals|notequals),(-|\\+)?(\\d+)([dDwWmMyY])\$" => sub { "^deadline,(?:lessthan|greaterthan|equals|notequals),(-|\\+)?(\\d+)([dDwWmMyY])\$" => sub {
$v = SqlifyDate($v); $v = SqlifyDate($v);
$q = &::SqlQuote($v); $q = $dbh->quote($v);
}, },
"^commenter,(?:equals|anyexact),(%\\w+%)" => sub { "^commenter,(?:equals|anyexact),(%\\w+%)" => sub {
my $match = pronoun($1, $user); my $match = pronoun($1, $user);
...@@ -698,14 +702,14 @@ sub init { ...@@ -698,14 +702,14 @@ sub init {
my $table = "longdescs_$chartid"; my $table = "longdescs_$chartid";
push(@supptables, "INNER JOIN longdescs AS $table " . push(@supptables, "INNER JOIN longdescs AS $table " .
"ON $table.bug_id = bugs.bug_id"); "ON $table.bug_id = bugs.bug_id");
$term = "(($table.bug_when < " . &::SqlQuote(SqlifyDate($v)); $term = "(($table.bug_when < " . $dbh->quote(SqlifyDate($v));
$term .= ") AND ($table.work_time <> 0))"; $term .= ") AND ($table.work_time <> 0))";
}, },
"^work_time,changedafter" => sub { "^work_time,changedafter" => sub {
my $table = "longdescs_$chartid"; my $table = "longdescs_$chartid";
push(@supptables, "INNER JOIN longdescs AS $table " . push(@supptables, "INNER JOIN longdescs AS $table " .
"ON $table.bug_id = bugs.bug_id"); "ON $table.bug_id = bugs.bug_id");
$term = "(($table.bug_when > " . &::SqlQuote(SqlifyDate($v)); $term = "(($table.bug_when > " . $dbh->quote(SqlifyDate($v));
$term .= ") AND ($table.work_time <> 0))"; $term .= ") AND ($table.work_time <> 0))";
}, },
"^work_time," => sub { "^work_time," => sub {
...@@ -751,12 +755,14 @@ sub init { ...@@ -751,12 +755,14 @@ sub init {
COUNT(DISTINCT $table.bug_when) / COUNT(DISTINCT $table.bug_when) /
COUNT(bugs.bug_id)) + COUNT(bugs.bug_id)) +
bugs.remaining_time)))"; bugs.remaining_time)))";
$q = $dbh->quote($v);
trick_taint($q);
if ($t eq "regexp") { if ($t eq "regexp") {
push(@having, $dbh->sql_regexp($expression, &::SqlQuote($v))); push(@having, $dbh->sql_regexp($expression, $q));
} elsif ($t eq "notregexp") { } elsif ($t eq "notregexp") {
push(@having, $dbh->sql_not_regexp($expression, &::SqlQuote($v))); push(@having, $dbh->sql_not_regexp($expression, $q));
} else { } else {
push(@having, "$expression $oper " . &::SqlQuote($v)); push(@having, "$expression $oper " . $q);
} }
push(@groupby, "bugs.remaining_time"); push(@groupby, "bugs.remaining_time");
} }
...@@ -805,17 +811,17 @@ sub init { ...@@ -805,17 +811,17 @@ sub init {
my $field = $1; my $field = $1;
if ($t eq "changedby") { if ($t eq "changedby") {
$v = login_to_id($v, THROW_ERROR); $v = login_to_id($v, THROW_ERROR);
$q = &::SqlQuote($v); $q = $dbh->quote($v);
$field = "submitter_id"; $field = "submitter_id";
$t = "equals"; $t = "equals";
} elsif ($t eq "changedbefore") { } elsif ($t eq "changedbefore") {
$v = SqlifyDate($v); $v = SqlifyDate($v);
$q = &::SqlQuote($v); $q = $dbh->quote($v);
$field = "creation_ts"; $field = "creation_ts";
$t = "lessthan"; $t = "lessthan";
} elsif ($t eq "changedafter") { } elsif ($t eq "changedafter") {
$v = SqlifyDate($v); $v = SqlifyDate($v);
$q = &::SqlQuote($v); $q = $dbh->quote($v);
$field = "creation_ts"; $field = "creation_ts";
$t = "greaterthan"; $t = "greaterthan";
} }
...@@ -1061,7 +1067,9 @@ sub init { ...@@ -1061,7 +1067,9 @@ sub init {
if ($w eq "---" && $f !~ /milestone/) { if ($w eq "---" && $f !~ /milestone/) {
$w = ""; $w = "";
} }
push(@list, &::SqlQuote($w)); $q = $dbh->quote($w);
trick_taint($q);
push(@list, $q);
} }
if (@list) { if (@list) {
$term = "$ff IN (" . join (',', @list) . ")"; $term = "$ff IN (" . join (',', @list) . ")";
...@@ -1102,7 +1110,7 @@ sub init { ...@@ -1102,7 +1110,7 @@ sub init {
"ON $table.bug_id = bugs.bug_id " . "ON $table.bug_id = bugs.bug_id " .
"AND $table.fieldid = $fieldid " . "AND $table.fieldid = $fieldid " .
"AND $table.bug_when $operator " . "AND $table.bug_when $operator " .
&::SqlQuote(SqlifyDate($v)) ); $dbh->quote(SqlifyDate($v)) );
$term = "($table.bug_when IS NOT NULL)"; $term = "($table.bug_when IS NOT NULL)";
}, },
",(changedfrom|changedto)" => sub { ",(changedfrom|changedto)" => sub {
...@@ -1249,7 +1257,7 @@ sub init { ...@@ -1249,7 +1257,7 @@ sub init {
# e.g. bugs_activity.bug_id # e.g. bugs_activity.bug_id
# $t = type of query. e.g. "equal to", "changed after", case sensitive substr" # $t = type of query. e.g. "equal to", "changed after", case sensitive substr"
# $v = value - value the user typed in to the form # $v = value - value the user typed in to the form
# $q = sanitized version of user input (SqlQuote($v)) # $q = sanitized version of user input trick_taint(($dbh->quote($v)))
# @supptables = Tables and/or table aliases used in query # @supptables = Tables and/or table aliases used in query
# %suppseen = A hash used to store all the tables in supptables to weed # %suppseen = A hash used to store all the tables in supptables to weed
# out duplicates. # out duplicates.
...@@ -1258,11 +1266,8 @@ sub init { ...@@ -1258,11 +1266,8 @@ sub init {
# $suppstring = String which is pasted into query containing all table names # $suppstring = String which is pasted into query containing all table names
# get a list of field names to verify the user-submitted chart fields against # get a list of field names to verify the user-submitted chart fields against
&::SendSQL("SELECT name, fieldid FROM fielddefs"); %chartfields = @{$dbh->selectcol_arrayref(
while (&::MoreSQLData()) { q{SELECT name, fieldid FROM fielddefs}, { Columns=>[1,2] })};
my ($name, $id) = &::FetchSQLData();
$chartfields{$name} = $id;
}
$row = 0; $row = 0;
for ($chart=-1 ; for ($chart=-1 ;
...@@ -1295,7 +1300,8 @@ sub init { ...@@ -1295,7 +1300,8 @@ sub init {
# already know about it), or it was in %chartfields, so it is # already know about it), or it was in %chartfields, so it is
# a valid field name, which means that it's ok. # a valid field name, which means that it's ok.
trick_taint($f); trick_taint($f);
$q = &::SqlQuote($v); $q = $dbh->quote($v);
trick_taint($q);
my $rhs = $v; my $rhs = $v;
$rhs =~ tr/,//; $rhs =~ tr/,//;
my $func; my $func;
...@@ -1523,24 +1529,24 @@ sub ListIDsForEmail { ...@@ -1523,24 +1529,24 @@ sub ListIDsForEmail {
} }
$list = join(',', @list); $list = join(',', @list);
} elsif ($type eq 'substring') { } elsif ($type eq 'substring') {
&::SendSQL("SELECT userid FROM profiles WHERE " . my $sql_email = $dbh->quote($email);
$dbh->sql_position(lc(::SqlQuote($email)), "LOWER(login_name)") . trick_taint($sql_email);
" > 0 " . $dbh->sql_limit(51)); my $result = $dbh->selectcol_arrayref(
while (&::MoreSQLData()) { q{SELECT userid FROM profiles WHERE } .
my ($id) = &::FetchSQLData(); $dbh->sql_position(lc($sql_email), q{LOWER(login_name)}) .
push(@list, $id); q{ > 0 } . $dbh->sql_limit(51));
} @list = @{$result};
if (scalar(@list) < 50) { if (scalar(@list) < 50) {
$list = join(',', @list); $list = join(',', @list);
} }
} elsif ($type eq 'regexp') { } elsif ($type eq 'regexp') {
&::SendSQL("SELECT userid FROM profiles WHERE " . my $sql_email = $dbh->quote($email);
$dbh->sql_regexp("login_name", ::SqlQuote($email)) . trick_taint($sql_email);
" " . $dbh->sql_limit(51)); my $result = $dbh->selectcol_arrayref(
while (&::MoreSQLData()) { qq{SELECT userid FROM profiles WHERE } .
my ($id) = &::FetchSQLData(); $dbh->sql_regexp("login_name", $sql_email) .
push(@list, $id); q{ } . $dbh->sql_limit(51));
} @list = @{$result};
if (scalar(@list) < 50) { if (scalar(@list) < 50) {
$list = join(',', @list); $list = join(',', @list);
} }
...@@ -1554,13 +1560,10 @@ sub build_subselect { ...@@ -1554,13 +1560,10 @@ sub build_subselect {
my ($outer, $inner, $table, $cond) = @_; my ($outer, $inner, $table, $cond) = @_;
my $q = "SELECT $inner FROM $table WHERE $cond"; my $q = "SELECT $inner FROM $table WHERE $cond";
#return "$outer IN ($q)"; #return "$outer IN ($q)";
&::SendSQL($q); my $dbh = Bugzilla->dbh;
my @list; my $list = $dbh->selectcol_arrayref($q);
while (&::MoreSQLData()) { return "1=2" unless @$list; # Could use boolean type on dbs which support it
push (@list, &::FetchOneColumn()); return "$outer IN (" . join(',', @$list) . ")";
}
return "1=2" unless @list; # Could use boolean type on dbs which support it
return "$outer IN (" . join(',', @list) . ")";
} }
sub GetByWordList { sub GetByWordList {
...@@ -1572,7 +1575,8 @@ sub GetByWordList { ...@@ -1572,7 +1575,8 @@ sub GetByWordList {
my $word = $w; my $word = $w;
if ($word ne "") { if ($word ne "") {
$word =~ tr/A-Z/a-z/; $word =~ tr/A-Z/a-z/;
$word = &::SqlQuote(quotemeta($word)); $word = $dbh->quote(quotemeta($word));
trick_taint($word);
$word =~ s/^'//; $word =~ s/^'//;
$word =~ s/'$//; $word =~ s/'$//;
$word = '(^|[^a-z0-9])' . $word . '($|[^a-z0-9])'; $word = '(^|[^a-z0-9])' . $word . '($|[^a-z0-9])';
...@@ -1588,10 +1592,13 @@ sub GetByWordListSubstr { ...@@ -1588,10 +1592,13 @@ sub GetByWordListSubstr {
my ($field, $strs) = (@_); my ($field, $strs) = (@_);
my @list; my @list;
my $dbh = Bugzilla->dbh; my $dbh = Bugzilla->dbh;
my $sql_word;
foreach my $word (split(/[\s,]+/, $strs)) { foreach my $word (split(/[\s,]+/, $strs)) {
if ($word ne "") { if ($word ne "") {
push(@list, $dbh->sql_position(lc(::SqlQuote($word)), $sql_word = $dbh->quote($word);
trick_taint($word);
push(@list, $dbh->sql_position(lc($sql_word),
"LOWER($field)") . " > 0"); "LOWER($field)") . " > 0");
} }
} }
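Review bot: In GetByWordListSubstr the untaint is applied to the wrong variable: `trick_taint($word);` untaints the raw input, while the value that is actually interpolated into the SQL on the following line is `$sql_word`, which `$dbh->quote($word)` derived from tainted `$word` and which therefore stays tainted. Every other hunk in this commit untaints the quoted value (`trick_taint($sql_email)`, `trick_taint($q)`, `trick_taint($word)` after the quote in GetByWordList), so if taint mode is in effect, as those calls suggest, this branch would presumably still die at query time; the line should read `trick_taint($sql_word);`. While touching it, the `my $sql_word;` declared before the loop could be scoped to the branch instead, `my $sql_word = $dbh->quote($word);`, so the lexical does not outlive one iteration. The foreach closes inside this hunk, but the sub's body continues past it.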