Feature #35073 » 0002-use-sanitize_sql_like-on-search-tokens.patch
lib/plugins/acts_as_searchable/lib/acts_as_searchable.rb | ||
155 | 155 |
def search_tokens_condition(columns, tokens, all_words) |
156 | 156 |
token_clauses = columns.map {|column| "(#{search_token_match_statement(column)})"} |
157 | 157 |
sql = (['(' + token_clauses.join(' OR ') + ')'] * tokens.size).join(all_words ? ' AND ' : ' OR ') |
158 |
[sql, * (tokens.collect {|w| "%#{w}%"} * token_clauses.size).sort] |
|
158 |
[sql, * (tokens.collect {|w| "%#{ActiveRecord::Base.sanitize_sql_like w}%"} * token_clauses.size).sort]
|
|
159 | 159 |
end |
160 | 160 |
private :search_tokens_condition |
161 | 161 |
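Review bot: The escaping added on line 158 only does its job if the LIKE clause built by `search_token_match_statement` (defined outside this hunk, so I cannot confirm its shape here) uses the same escape character: `sanitize_sql_like` escapes with `\` by default, and SQLite has no default escape character for LIKE, so without an explicit `ESCAPE '\'` in that statement the `\_` and `\%` sequences are matched as literal backslashes plus wildcards rather than as escaped wildcards. If that statement does not already carry one, it should end with `ESCAPE '\\'` (or the escape character should be passed to `sanitize_sql_like` explicitly so both sides agree), otherwise `test_search_should_find_underscore` will behave differently per backend. A short comment on line 158 would also help the next reader, e.g. `# escape LIKE wildcards in user input; the match statement must use the same ESCAPE character`. Separately, `ActiveRecord::Base.sanitize_sql_like w` drops the call parentheses inside an interpolation on an already long line; `sanitize_sql_like(w)` is the conventional form.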
test/unit/search_test.rb | ||
150 | 150 |
assert_include issue, r |
151 | 151 |
end |
152 | 152 | |
153 |
def test_search_should_not_allow_like_injection |
|
154 |
issue = Issue.generate!(:subject => "asdf") |
|
155 | ||
156 |
r = Issue.search_results('as_f') |
|
157 |
assert_not_include issue, r |
|
158 | ||
159 |
r = Issue.search_results('as%f') |
|
160 |
assert_not_include issue, r |
|
161 |
end |
|
162 | ||
163 |
def test_search_should_find_underscore |
|
164 |
issue = Issue.generate!(:subject => "as_f") |
|
165 | ||
166 |
r = Issue.search_results('as_f') |
|
167 |
assert_include issue, r |
|
168 |
end |
|
169 | ||
170 |
def test_search_should_find_percent_sign |
|
171 |
issue = Issue.generate!(:subject => "as%f") |
|
172 | ||
173 |
r = Issue.search_results('as%f') |
|
174 |
assert_include issue, r |
|
175 |
end |
|
176 | ||
153 | 177 |
def test_search_should_be_case_insensitive_with_accented_characters |
154 | 178 |
unless sqlite? |
155 | 179 |
issue1 = Issue.generate!(:subject => "Special chars: ÖÖ") |