Bug 463688: editusers.cgi no longer lets you search for users using regular…

Bug 463688: editusers.cgi no longer lets you search for users using regular expressions - Patch by FrÃ©dÃ©ric Buclin <LpSolit@gmail.com> r=mkanat r=xiaoou a=LpSolit

Bug 463688: editusers.cgi no longer lets you search for users using regular…
33429813 · lpsolit%gmail.com · f21dafef · 33429813 · 33429813 · 33429813
Commit 33429813 authored Dec 03, 2008 by lpsolit%gmail.com
Showing with 38 additions and 28 deletions

DB.pm Bugzilla/DB.pm +6 -7

Mysql.pm Bugzilla/DB/Mysql.pm +6 -4

Oracle.pm Bugzilla/DB/Oracle.pm +7 -5

Pg.pm Bugzilla/DB/Pg.pm +6 -4

editusers.cgi editusers.cgi +13 -8

No files found.
--- a/Bugzilla/DB.pm
+++ b/Bugzilla/DB.pm
@@ -1556,6 +1556,11 @@ Abstract method, should be overridden by database specific code.

 =item C<$pattern> - the regular expression to search for (scalar)

+=item C<$nocheck> - true if the pattern should not be tested; false otherwise (boolean)
+
+=item C<$real_pattern> - the real regular expression to search for.
+This argument is used when C<$pattern> is a placeholder ('?').
+
 =back

 =item B<Returns>
@@ -1578,13 +1583,7 @@ Abstract method, should be overridden by database specific code.

 =item B<Params>

-=over
-
-=item C<$expr> - SQL expression for the text to be searched (scalar)
-
-=item C<$pattern> - the regular expression to search for (scalar)
-
-=back
+Same as L</sql_regexp>.

 =item B<Returns>


--- a/Bugzilla/DB/Mysql.pm
+++ b/Bugzilla/DB/Mysql.pm
@@ -136,17 +136,19 @@ sub sql_group_concat {
 }

 sub sql_regexp {
-    my ($self, $expr, $pattern, $nocheck) = @_;
+    my ($self, $expr, $pattern, $nocheck, $real_pattern) = @_;
+    $real_pattern ||= $pattern;

-    $self->bz_check_regexp($pattern) if !$nocheck;
+    $self->bz_check_regexp($real_pattern) if !$nocheck;

    return "$expr REGEXP $pattern";
 }

 sub sql_not_regexp {
-    my ($self, $expr, $pattern, $nocheck) = @_;
+    my ($self, $expr, $pattern, $nocheck, $real_pattern) = @_;
+    $real_pattern ||= $pattern;

-    $self->bz_check_regexp($pattern) if !$nocheck;
+    $self->bz_check_regexp($real_pattern) if !$nocheck;

    return "$expr NOT REGEXP $pattern";
 }

--- a/Bugzilla/DB/Oracle.pm
+++ b/Bugzilla/DB/Oracle.pm
@@ -99,7 +99,7 @@ sub bz_check_regexp {
    my ($self, $pattern) = @_;

    eval { $self->do("SELECT 1 FROM DUAL WHERE "
-          . $self->sql_regexp($self->quote("a"), $self->quote($pattern), 1)) };
+          . $self->sql_regexp($self->quote("a"), $pattern, 1)) };

    $@ && ThrowUserError('illegal_regexp',
        { value => $pattern, dberror => $self->errstr });
@@ -115,17 +115,19 @@ sub bz_explain {
 } 

 sub sql_regexp {
-    my ($self, $expr, $pattern, $nocheck) = @_;
+    my ($self, $expr, $pattern, $nocheck, $real_pattern) = @_;
+    $real_pattern ||= $pattern;

-    $self->bz_check_regexp($pattern) if !$nocheck;
+    $self->bz_check_regexp($real_pattern) if !$nocheck;

    return "REGEXP_LIKE($expr, $pattern)";
 }

 sub sql_not_regexp {
-    my ($self, $expr, $pattern, $nocheck) = @_;
+    my ($self, $expr, $pattern, $nocheck, $real_pattern) = @_;
+    $real_pattern ||= $pattern;

-    $self->bz_check_regexp($pattern) if !$nocheck;
+    $self->bz_check_regexp($real_pattern) if !$nocheck;

    return "NOT REGEXP_LIKE($expr, $pattern)" 
 }

--- a/Bugzilla/DB/Pg.pm
+++ b/Bugzilla/DB/Pg.pm
@@ -93,17 +93,19 @@ sub bz_last_key {
 }

 sub sql_regexp {
-    my ($self, $expr, $pattern, $nocheck) = @_;
+    my ($self, $expr, $pattern, $nocheck, $real_pattern) = @_;
+    $real_pattern ||= $pattern;

-    $self->bz_check_regexp($pattern) if !$nocheck;
+    $self->bz_check_regexp($real_pattern) if !$nocheck;

    return "$expr ~* $pattern";
 }

 sub sql_not_regexp {
-    my ($self, $expr, $pattern, $nocheck) = @_;
+    my ($self, $expr, $pattern, $nocheck, $real_pattern) = @_;
+    $real_pattern ||= $pattern;

-    $self->bz_check_regexp($pattern) if !$nocheck;
+    $self->bz_check_regexp($real_pattern) if !$nocheck;

    return "$expr !~* $pattern" 
 }

--- a/editusers.cgi
+++ b/editusers.cgi
@@ -136,23 +136,28 @@ if ($action eq 'search') {
            } else {
                $expr = "profiles.login_name";
            }
+
+            if ($matchstr =~ /^(regexp|notregexp|exact)$/) {
+                $matchstr ||= '.';
+            }
+            else {
+                $matchstr = '' unless defined $matchstr;
+            }
+            # We can trick_taint because we use the value in a SELECT only,
+            # using a placeholder.
+            trick_taint($matchstr);
+
            if ($matchtype eq 'regexp') {
-                $query .= $dbh->sql_regexp($expr, '?');
-                $matchstr = '.' unless $matchstr;
+                $query .= $dbh->sql_regexp($expr, '?', 0, $dbh->quote($matchstr));
            } elsif ($matchtype eq 'notregexp') {
-                $query .= $dbh->sql_not_regexp($expr, '?');
-                $matchstr = '.' unless $matchstr;
+                $query .= $dbh->sql_not_regexp($expr, '?', 0, $dbh->quote($matchstr));
            } elsif ($matchtype eq 'exact') {
                $query .= $expr . ' = ?';
-                $matchstr = '.' unless $matchstr;
            } else { # substr or unknown
                $query .= $dbh->sql_istrcmp($expr, '?', 'LIKE');
                $matchstr = "%$matchstr%";
            }
            $nextCondition = 'AND';
-            # We can trick_taint because we use the value in a SELECT only,
-            # using a placeholder.
-            trick_taint($matchstr);
            push(@bindValues, $matchstr);
        }