Feature #35073 » 0004-use-sanitize_sql_like-in-Query-sql_contains.patch

Jens Krämer, 2021-04-12 08:44

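--- a/app/models/query.rb
+++ b/app/models/query.rb
@@ -1429,6 +1429,7 @@
     prefix = '%' if options[:ends_with]
     suffix = '%' if options[:starts_with]
     prefix = suffix = '%' if prefix.nil? && suffix.nil?
+    value = queried_class.sanitize_sql_like value
     queried_class.send(
       :sanitize_sql_for_conditions,
       [Redmine::Database.like(db_field, '?', :match => options[:match]), "#{prefix}#{value}#{suffix}"])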
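Review bot: The added `value = queried_class.sanitize_sql_like value` escapes `%`, `_` and the escape character with a backslash, but that is only effective if the LIKE produced by `Redmine::Database.like` on the following lines carries a matching `ESCAPE '\'` clause or the adapter defaults to backslash (MySQL and PostgreSQL do, SQLite does not); whether the helper emits one is outside the hunk, so it is worth confirming or passing the escape character explicitly. A short why-comment would help the next reader, e.g. `# escape LIKE wildcards so user input is matched literally; the ESCAPE character must agree with Redmine::Database.like`. Style-wise the new line should use call parentheses like the surrounding calls: `value = queried_class.sanitize_sql_like(value)`. sql_contains begins above the hunk, so how `value` is normalised before this point is not visible here.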
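--- a/test/unit/query_test.rb
+++ b/test/unit/query_test.rb
@@ -2654,4 +2654,19 @@
     # Non-paginated issue ids and paginated issue ids should be in the same order.
     assert_equal issue_ids, paginated_issue_ids
   end
+
+  def test_sql_contains_should_escape_value
+    i = Issue.generate! subject: 'Sanitize test'
+    query = IssueQuery.new(:project => nil, :name => '_')
+    query.add_filter('subject', '~', ['te%t'])
+    assert_equal 0, query.issue_count
+
+    i.update_column :subject, 'Sanitize te%t'
+    assert_equal 1, query.issue_count
+
+    i.update_column :subject, 'Sanitize te_t'
+    query = IssueQuery.new(:project => nil, :name => '_')
+    query.add_filter('subject', '~', ['te_t'])
+    assert_equal 1, query.issue_count
+  end
 end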
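Review bot: The new test never exercises the escape character itself: `sanitize_sql_like` also doubles backslashes, so a third case with a subject containing `\` and a filter value such as `te\t` would confirm that a literal backslash in user input neither breaks the query nor acts as an escape on adapters that default to backslash. The `assert_equal 0` at 2662 also relies on no fixture issue having a subject that literally contains `te%t`; a comment like `# 'te%t' must be matched literally and not as a wildcard against 'Sanitize test'` would make that intent explicit. The test method is complete within the hunk; the enclosing test class starts outside it.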