Bug: Search fails if single quote included
If you search for the word don't, the search doesn't show any hits.
Test case
Simple search for the word don't. Doesn't show any pages.
Environment
| TWiki version: | latest alpha |
| TWiki plugins: | N/A |
| Server OS: | linux |
| Web server: | Apache |
| Perl version: | 5.6.1 |
| Client OS: | Windows 2000 |
| Web Browser: | IE, opera |
Fix idea
This fix is more involved than the fix for SearchFailsIfStartedWithDash. I think something like
the following will work though, but it depends on a Bourne-like shell.
In the code the search string is detainted around line 278. What also needs to be done is to have the ' escaped
somehow because the search string that is exec'ed is surrounded by $TWiki::cmdQuotes.
However a single quote can't be escaped within single quotes.
We can remove the single quote. This makes the search useless in the simple search case, but
replacing it by a . may work for the regexp case. However maybe we can do something else entirely.
If we change $TWiki::cmdQuotes to double quotes, then we can use an expression like:
$cmd =~ s/[$TWiki::EliminateCharsFromSearch]//go if $TWiki::EliminateCharsFromSearch;
$cmd =~ s/(["'`$])/\\$1/g;
with:
$EliminateCharsFromSearch=q(`);
in TWiki.cfg. This will replace ' by \', " by \", and $ by \$ and eliminate `, or replace it with \`.
The problem is that we now have to filter every string that is surrounded by $TWiki::cmdQuotes.
Actually on a fast second look at the code, it may not be that bad. I think there are only a
couple of places in Search.pm where this filtering may have to be done because the items being
placed in the quotes are being detainted first. I think the use of $TWiki::cmdQuotes in the
ciDateCmd is surrounding untainted data. However, I am not sure about the use in ciCmd.
Tracing through, it looks like upload may pass tainted data which is hidden by detainting of $cmd
in _ci allowing it to be passed.
I think cleaning the comment _ci in RcsWrap.pm will do the trick. So something like:
$comment = "none" if ( ! $comment );
+ $comment =~ s/(["'`$])/\\$1/g
$cmd =~ s/
/$comment/;
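Review bot: the character class on the `+` line leaves out the backslash itself and includes `'`, which does not fit double-quoted shell strings. Inside double quotes a Bourne shell treats `\` as an escape only before `$`, `` ` ``, `"`, `\` and newline, so a comment ending in `\` would escape the closing quote, while `'` would be stored as a literal `\'`. Suggest adding `\\` to the class and dropping `'` from it. The `+` line also needs a terminating `;` before the `$cmd =~ s/` statement that follows.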
in RcsWrap::_ci may work. Again this assumes that $TWiki::cmdQuotes is ".
--
JohnRouillard - 07 Aug 2002
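Added example (not part of the original report and not TWiki code): two ways to pass a search string containing ', $ or ` to grep safely. A single quote cannot be escaped inside single quotes, but the string can be closed, an escaped quote emitted, and the string reopened; alternatively the shell can be skipped entirely. The helper names sh_quote and grep_noshell and the sample file are hypothetical; a grep on the PATH and a Bourne-like shell are assumed.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Temp qw(tempfile);

$| = 1;    # keep STDOUT unbuffered so forked children inherit no pending output

# Constructed sample topic text, written to a temporary file.
my ($fh, $file) = tempfile(UNLINK => 1);
print $fh "I don't know\n", "price is \$5 `today`\n", "pass the -v flag\n";
close $fh or die "close: $!";

# Approach 1: keep the shell, wrap the value in single quotes.
# A ' cannot be escaped inside '...', so close the string, emit \',
# and reopen it. No other character is special inside single quotes.
sub sh_quote {                      # hypothetical helper name
    my ($s) = @_;
    $s =~ s/'/'\\''/g;
    return "'$s'";
}

# Approach 2: skip the shell. Fork with open '-|', then exec grep with
# an argument list, so the pattern is never parsed as shell syntax.
# -F treats it as a fixed string; -e keeps a leading dash from being
# read as an option.
sub grep_noshell {                  # hypothetical helper name
    my ($pattern, @files) = @_;
    my $pid = open(my $out, '-|');
    die "fork failed: $!" unless defined $pid;
    if ($pid == 0) {                # child process
        exec('grep', '-F', '-e', $pattern, '--', @files) or exit 127;
    }
    my @hits = <$out>;
    close $out;                     # grep exits 1 on no match; not an error here
    return @hits;
}

my $qfile = sh_quote($file);
for my $term ("don't", '$5 `today`', '-v') {
    my $quoted    = sh_quote($term);
    my @via_shell = `grep -F -e $quoted -- $qfile`;
    my @direct    = grep_noshell($term, $file);
    printf "%-12s -> %-16s shell hits: %d, direct hits: %d\n",
        $term, $quoted, scalar @via_shell, scalar @direct;
}
```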
Follow up
Fix record