[kforge-dev] beta site up: knowledgeforge.net

John Bywater john.bywater at appropriatesoftwarefoundation.org
Tue Nov 1 11:22:25 UTC 2005

Just to say that I've fixed this KForge bug now.

KForge is now using sqlobject.converters.sqlrepr to escape search input 
before it is made into an SQL expression.

Also, the search string is also HTML character encoded before 
initialising the form (so using a " in the query doesn't truncate the 

Also, the search terms are now taken as space separated terms (but there 
isn't any other syntax).

Also, the search now uses a number of attributes of the domain object. 
So searching for people searches unixname and realname, and searching 
for projects uses unixname and title. And it's easy to change.

I've committed this code this morning. Yesterday, kforge.net was down 
(for me).

Best, John.

PS Nick: I heard some of your posts didn't get through to the list... 
Please could you repost them?

Nick Stenning wrote:

>Just realised that that sounded a bit patronising. I'm sure you all
>know full well the consequences of passing raw SQL into the db =)
>On 10/21/05, Nick Stenning <nick at whiteink.com> wrote:
>>Dear All,
>>Just noticed a potentially very nasty bug.
>>The people and project search fields are currently being passed in as
>>SQL unescaped. So you can cause a traceback by searching for something
>>with a single apostrophe in it, and could I imagine also drop
>>rows/tables with a bit of SQL.
>>This is probably Django's fault but it should probably be fixed soonish!

More information about the kforge-dev mailing list