Bug:

from - http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=152515

For upstream. This may be fixed, but I can't make any sense of their bugtracking system.

If one searches for, for example, "---++ " then when this is passed to grep inside Search.pm, it turns into an option. Using "-e" prevents this:

    if( $theScope eq "topic" ) {
        $cmd = "$TWiki::lsCmd *.txt | %GREP% %SWITCHES% -e $TWiki::cmdQuote$theSearchVal$TWiki::cmdQuote";
    } else {
        $cmd = "%GREP% %SWITCHES% -l -e $TWiki::cmdQuote$theSearchVal$TWiki::cmdQuote *.txt";
    }

There may be a better way.

I'd have to think a bit, and trace the code, to decide if one can pervert this or the unmodified version to execute arbitrary code on the system. (Inserting backticks or unmatched quotes or semicolons, etc.)

Test case

Patch

--- lib/TWiki/Search.pm.orig    2003-09-15 06:39:07.000000000 +1000
+++ lib/TWiki/Search.pm 2003-09-15 06:39:51.000000000 +1000
@@ -210,9 +210,9 @@
     # locales if needed, for case-insensitive searching.
     my $cmd = "";
     if( $theScope eq "topic" ) {
-        $cmd = "$TWiki::lsCmd %FILES% | %GREP% %SWITCHES% $TWiki::cmdQuote%TOKEN%$TWiki::cmdQuote";
+        $cmd = "$TWiki::lsCmd %FILES% | %GREP% %SWITCHES% -e  $TWiki::cmdQuote%TOKEN%$TWiki::cmdQuote";
     } else {
-        $cmd = "%GREP% %SWITCHES% -l $TWiki::cmdQuote%TOKEN%$TWiki::cmdQuote %FILES%";
+        $cmd = "%GREP% %SWITCHES% -l -e $TWiki::cmdQuote%TOKEN%$TWiki::cmdQuote %FILES%";
     }
 
     if( $caseSensitive ) {

Environment

-- SvenDowideit - 14 Sep 2003

Follow up

this is obviously resolved in TWikiRelease01Feb2003 using grep --

sorry, brainfart inprogress

-- SvenDowideit - 14 Sep 2003

No problem, better to double check. This is a duplicate of the SearchFailsIfStartedWithDash fix.

-- PeterThoeny - 14 Sep 2003