[kforge-dev] beta site up: knowledgeforge.net
john.bywater at appropriatesoftwarefoundation.org
Tue Nov 1 11:22:25 UTC 2005
Just to say that I've fixed this KForge bug now.
KForge is now using sqlobject.converters.sqlrepr to escape search input
before it is made into an SQL expression.
Also, the search string is HTML character encoded before
initialising the form (so using a " in the query doesn't truncate the
Also, the search terms are now taken as space separated terms (but there
isn't any other syntax).
Also, the search now uses a number of attributes of the domain object.
So searching for people searches unixname and realname, and searching
for projects uses unixname and title. And it's easy to change.
I've committed this code this morning. Yesterday, kforge.net was down
PS Nick: I heard some of your posts didn't get through to the list...
Please could you repost them?
Nick Stenning wrote:
>Just realised that that sounded a bit patronising. I'm sure you all
>know full well the consequences of passing raw SQL into the db =)
>On 10/21/05, Nick Stenning <nick at whiteink.com> wrote:
>>Just noticed a potentially very nasty bug.
>>The people and project search fields are currently being passed in as
>>SQL unescaped. So you can cause a traceback by searching for something
>>with a single apostrophe in it, and could I imagine also drop
>>rows/tables with a bit of SQL.
>>This is probably Django's fault but it should probably be fixed soonish!
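The following is an added example written for this thread, not code from KForge or SQLObject. It puts the bug Nick reported next to the fix John describes: a WHERE clause built by raw string interpolation (apostrophe gives a traceback, a crafted string returns every row), the same clause with every term quoted through a sqlrepr-style escaper, and a parameterised version a practitioner would prefer. Assumptions: an in-memory sqlite3 database with constructed rows stands in for the site's database, the column names and the `SEARCH_ATTRS` mapping are made up to match the message ("unixname and realname" for people, "unixname and title" for projects), and `sql_quote` is a minimal stand-in for `sqlobject.converters.sqlrepr` on a string, not the real function.

```python
"""Added example: unescaped vs. escaped vs. parameterised search (not KForge's own code)."""
import sqlite3

# Constructed sample rows, not real KForge data.
PEOPLE = [("john", "John Bywater"), ("nick", "Nick Stenning"), ("pat", "Pat O'Brien")]
PROJECTS = [("kforge", "KForge"), ("ckan", "Comprehensive Knowledge Archive Network")]

# Attributes searched per domain object, as the message describes.
# Table and column names are assumptions; they come from this dict, never from user input.
SEARCH_ATTRS = {
    "person": ("unixname", "realname"),
    "project": ("unixname", "title"),
}


def make_db():
    """Build the in-memory sqlite3 database used below."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE person (unixname TEXT, realname TEXT);"
        "CREATE TABLE project (unixname TEXT, title TEXT);"
    )
    conn.executemany("INSERT INTO person VALUES (?, ?)", PEOPLE)
    conn.executemany("INSERT INTO project VALUES (?, ?)", PROJECTS)
    return conn


def unsafe_where(kind, query):
    """The bug Nick reported: the raw search string is spliced straight into SQL."""
    return " OR ".join("%s LIKE '%%%s%%'" % (attr, query) for attr in SEARCH_ATTRS[kind])


def sql_quote(value):
    """Minimal stand-in (assumption) for sqlobject.converters.sqlrepr on a str:
    wrap in single quotes and double any embedded single quote."""
    return "'" + value.replace("'", "''") + "'"


def escaped_where(kind, query):
    """The fix in the style the message describes: split the query on whitespace,
    quote every term, and require each term to match at least one searched attribute."""
    terms = query.split()
    if not terms:
        return "1=0"  # an empty search matches nothing
    clauses = []
    for term in terms:
        pattern = sql_quote("%" + term + "%")
        sub = " OR ".join("%s LIKE %s" % (attr, pattern) for attr in SEARCH_ATTRS[kind])
        clauses.append("(" + sub + ")")
    return " AND ".join(clauses)


def search(conn, kind, query, where_builder):
    """Run a search with the given WHERE builder; returns sorted unixnames."""
    sql = "SELECT unixname FROM %s WHERE %s" % (kind, where_builder(kind, query))
    return sorted(row[0] for row in conn.execute(sql))


def causes_traceback(conn, kind, query, where_builder):
    """True if the query makes the database reject the SQL (the traceback Nick saw)."""
    try:
        search(conn, kind, query, where_builder)
    except sqlite3.OperationalError:
        return True
    return False


def like_escape(term):
    """Neutralise LIKE wildcards so a user's % or _ is matched literally."""
    return term.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def param_search(conn, kind, query):
    """Parameterised variant: the database driver binds the terms, so no quoting
    of user input is ever done in Python, and LIKE wildcards are escaped too."""
    terms = query.split()
    if not terms:
        return []
    attrs = SEARCH_ATTRS[kind]
    clauses, params = [], []
    for term in terms:
        sub = " OR ".join("%s LIKE ? ESCAPE '\\'" % attr for attr in attrs)
        clauses.append("(" + sub + ")")
        params.extend(["%" + like_escape(term) + "%"] * len(attrs))
    sql = "SELECT unixname FROM %s WHERE %s" % (kind, " AND ".join(clauses))
    return sorted(row[0] for row in conn.execute(sql, params))


if __name__ == "__main__":
    db = make_db()
    print("apostrophe crashes unsafe search:", causes_traceback(db, "person", "O'Brien", unsafe_where))
    print("unsafe search, injected query:", search(db, "person", "x' OR 'a' LIKE 'a", unsafe_where))
    print("escaped search, injected query:", search(db, "person", "x' OR 'a' LIKE 'a", escaped_where))
    print("escaped search, O'Brien:", search(db, "person", "O'Brien", escaped_where))
    print("escaped search, bare %:", search(db, "project", "%", escaped_where))
    print("parameterised search, bare %:", param_search(db, "project", "%"))
```

Two caveats worth keeping in mind with the sqlrepr-style fix: quoting stops the string from breaking out of the SQL literal, but it does nothing about LIKE metacharacters, so a search for `%` or `_` still acts as a wildcard (the `escaped_where` call above returns every project for `%`, while the parameterised version with an ESCAPE clause returns none); and the quoting rules differ per backend (backslash handling in particular), which is exactly why binding parameters through the driver is the more robust choice.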