Feature #35073 » 0002-use-sanitize_sql_like-on-search-tokens.patch
| lib/plugins/acts_as_searchable/lib/acts_as_searchable.rb | ||
|---|---|---|
| 155 | 155 |
def search_tokens_condition(columns, tokens, all_words) |
| 156 | 156 |
token_clauses = columns.map {|column| "(#{search_token_match_statement(column)})"}
|
| 157 | 157 |
sql = (['(' + token_clauses.join(' OR ') + ')'] * tokens.size).join(all_words ? ' AND ' : ' OR ')
|
| 158 |
[sql, * (tokens.collect {|w| "%#{w}%"} * token_clauses.size).sort]
|
|
| 158 |
[sql, * (tokens.collect {|w| "%#{ActiveRecord::Base.sanitize_sql_like w}%"} * token_clauses.size).sort]
|
|
| 159 | 159 |
end |
| 160 | 160 |
private :search_tokens_condition |
| 161 | 161 | |
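Review bot: Escaping `%` and `_` with `sanitize_sql_like` on the new line 158 only has an effect if the `LIKE` clause produced by `search_token_match_statement(column)` (called on line 156, defined outside this hunk) declares the same escape character, and nothing in the hunk shows that it does. `sanitize_sql_like` uses backslash by default; MySQL and PostgreSQL treat backslash as the `LIKE` escape implicitly, but SQLite has no default escape character, so without an explicit `ESCAPE '\\'` a search for `as%f` there would match a literal backslash followed by `%` and the new `test_search_should_find_percent_sign` / `test_search_should_find_underscore` cases would presumably fail (the existing `unless sqlite?` guard at test line 178 suggests SQLite is an exercised backend). SQL Server additionally treats `[` as a `LIKE` metacharacter that `sanitize_sql_like` leaves untouched, so if that backend matters a wildcard can still be smuggled in. I would confirm the helper emits something like `"#{column} LIKE ? ESCAPE '\\'"` (or routes through a backend-aware helper) and add a why-comment on line 158: `# escape LIKE metacharacters so user tokens cannot act as wildcards; relies on the matching ESCAPE clause in search_token_match_statement`. `search_tokens_condition` itself is complete within the hunk, but the statement builder it depends on is not.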
| test/unit/search_test.rb | ||
|---|---|---|
| 150 | 150 |
assert_include issue, r |
| 151 | 151 |
end |
| 152 | 152 | |
| 153 |
def test_search_should_not_allow_like_injection |
|
| 154 |
issue = Issue.generate!(:subject => "asdf") |
|
| 155 | ||
| 156 |
r = Issue.search_results('as_f')
|
|
| 157 |
assert_not_include issue, r |
|
| 158 | ||
| 159 |
r = Issue.search_results('as%f')
|
|
| 160 |
assert_not_include issue, r |
|
| 161 |
end |
|
| 162 | ||
| 163 |
def test_search_should_find_underscore |
|
| 164 |
issue = Issue.generate!(:subject => "as_f") |
|
| 165 | ||
| 166 |
r = Issue.search_results('as_f')
|
|
| 167 |
assert_include issue, r |
|
| 168 |
end |
|
| 169 | ||
| 170 |
def test_search_should_find_percent_sign |
|
| 171 |
issue = Issue.generate!(:subject => "as%f") |
|
| 172 | ||
| 173 |
r = Issue.search_results('as%f')
|
|
| 174 |
assert_include issue, r |
|
| 175 |
end |
|
| 176 | ||
| 153 | 177 |
def test_search_should_be_case_insensitive_with_accented_characters |
| 154 | 178 |
unless sqlite? |
| 155 | 179 |
issue1 = Issue.generate!(:subject => "Special chars: ÖÖ") |