Use sanitize_sql_like in Query#sql_contains (#35073).

Patch by Jens Krämer.

git-svn-id: http://svn.redmine.org/redmine/trunk@21232 e93f8b46-1217-0410-a6f0-8f06a7374b81
This commit is contained in:
Marius Balteanu
2021-10-03 19:45:20 +00:00
parent 05e9d7883b
commit 0ec96f52f3
2 changed files with 16 additions and 0 deletions


@@ -1441,6 +1441,7 @@ class Query < ActiveRecord::Base
prefix = '%' if options[:ends_with]
suffix = '%' if options[:starts_with]
prefix = suffix = '%' if prefix.nil? && suffix.nil?
value = queried_class.sanitize_sql_like value
queried_class.send(
:sanitize_sql_for_conditions,
[Redmine::Database.like(db_field, '?', :match => options[:match]), "#{prefix}#{value}#{suffix}"])
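Review bot: The added `value = queried_class.sanitize_sql_like value` line escapes `%`, `_` and the escape character with a backslash, which is only a literal match if the LIKE clause built by `Redmine::Database.like` on the next lines uses backslash as its escape character; that is the default on MySQL and PostgreSQL, but SQLite's LIKE has no default escape character and needs an explicit `ESCAPE` clause, so on that adapter the escaped value would presumably still match nothing or match literally with the backslash — worth confirming against `Redmine::Database.like`, which is outside this hunk. The line deserves a why-comment, since the ordering before the prefix/suffix concatenation is deliberate: `# escape LIKE wildcards in the user-supplied value before adding our own % prefix/suffix`. The enclosing `sql_contains` method starts above the hunk.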


@@ -2811,4 +2811,19 @@ class QueryTest < ActiveSupport::TestCase
end
end
end
def test_sql_contains_should_escape_value
i = Issue.generate! subject: 'Sanitize test'
query = IssueQuery.new(:project => nil, :name => '_')
query.add_filter('subject', '~', ['te%t'])
assert_equal 0, query.issue_count
i.update_column :subject, 'Sanitize te%t'
assert_equal 1, query.issue_count
i.update_column :subject, 'Sanitize te_t'
query = IssueQuery.new(:project => nil, :name => '_')
query.add_filter('subject', '~', ['te_t'])
assert_equal 1, query.issue_count
end
end
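Review bot: The second half of `test_sql_contains_should_escape_value` does not actually prove `_` is escaped: the subject is changed to `'Sanitize te_t'` before the `'te_t'` filter is built, so `assert_equal 1` would pass even with an unescaped `_` wildcard. Move the `IssueQuery.new` / `add_filter('subject', '~', ['te_t'])` pair above the `i.update_column :subject, 'Sanitize te_t'` line and add `assert_equal 0, query.issue_count` while the subject is still `'Sanitize te%t'` (an unescaped `_` would match the `%` character there), then keep the final `assert_equal 1` after the update. The escape character itself is also uncovered; a third case with a literal backslash in both subject and filter value would catch an adapter whose LIKE does not treat backslash as the escape character.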