Opened 17 months ago

Closed 17 months ago

Last modified 17 months ago

#10890 closed defect (fixed)

OperationalError: near "13": syntax error

Reported by: douglasmarquardt@… Owned by: falkb
Priority: normal Component: SimpleMultiProjectPlugin
Severity: normal Keywords:
Cc: Trac Release:

Description

After installing this plugin, I got the attached error when I click at Roadmaps.

Attachments (1)

trac-bug.txt (3.3 KB) - added by douglasmarquardt@… 17 months ago.
Error page content when clicking Roadmap

Change History (24)

comment:1 follow-up: Changed 17 months ago by douglasmarquardt@…

I can't add any comment here. http://trac-hacks.org/ is giving me an error.

Changed 17 months ago by douglasmarquardt@…

Error page content when clicking Roadmap

comment:2 Changed 17 months ago by douglasmarquardt@…

Error attached to the ticket.

comment:3 in reply to: ↑ 1 ; follow-up: Changed 17 months ago by rjollos

Replying to douglasmarquardt@gmail.com:

I can't add any comment here. http://trac-hacks.org/ is giving me an error.

What is the error? Was it rejecting the content as spam? That is a known problem that we can't do much about atm, but it might help if you register for an account.

comment:4 follow-up: Changed 17 months ago by falkb

Your file reports a syntax error which is quite strange. I also have Trac 1.0 with SQLite and it works pretty well. What does that "13" mean in your error message OperationalError: near "13": syntax error? Have you accidentally edited the file and inserted 13?

comment:5 in reply to: ↑ 3 ; follow-up: Changed 17 months ago by douglasmarquardt@…

Replying to rjollos:

Replying to douglasmarquardt@gmail.com:

I can't add any comment here. http://trac-hacks.org/ is giving me an error.

What is the error? Was it rejecting the content as spam? That is a known problem that we can't do much about atm, but it might help if you register for an account.

I could add comments and attachments after that. I'm sorry, but I didn't save the error I got. The http://trac-hacks.org is working now.

comment:6 in reply to: ↑ 4 Changed 17 months ago by douglasmarquardt@…

Replying to falkb:

Your file reports a syntax error which is quite strange. I also have Trac 1.0 with SQLite and it works pretty well. What does that "13" mean in your error message OperationalError: near "13": syntax error? Have you accidentally edited the file and inserted 13?

No, I didn't edit any file. I don't usually customize any Trac and/or plugin code. I don't know what that means either. One detail is that if I disable the "SmpRoadmapProject — Groups milestones by 'Project'" checkbox at the plugins' admin page, I can load the Roadmap page successfully. However, the unchecked feature is then not presented, of course.

comment:7 in reply to: ↑ 5 Changed 17 months ago by anonymous

Replying to douglasmarquardt@gmail.com:

I could add comments and attachments after that. I'm sorry, but I didn't save the error I got.

It was probably the common "database is locked error" then. That's another that doesn't have a quick fix, but usually the problem will go away after a short wait.

comment:8 Changed 17 months ago by falkb

Can you open trac.db with Sqlitedatabasebrowser and tell me if table smp_milestone_project exists? What is the source of your "build/bdist.linux-i686/egg/trac/db/sqlite_backend.py", line 48? A click on the callstack should tell you.

comment:9 Changed 17 months ago by douglasmarquardt@…

The table exists. I used the Linux sqlite3 program to open the database and check the smp_milestone_project existence. It's there.

sdadm:/trac_root/db# sqlite3 trac.db
SQLite version 3.5.9
Enter ".help" for instructions
sqlite> .schema smp_milestone_project
CREATE TABLE smp_milestone_project (
    id integer PRIMARY KEY,
    milestone varchar(255),
    id_project integer
);

Please find below what it has at line 48:

43	    sqlite_version_string = sqlite.sqlite_version
44	 
45	    class PyFormatCursor(sqlite.Cursor):
46	        def _rollback_on_error(self, function, *args, **kwargs):
47	            try:
48	                return function(self, *args, **kwargs)
49	            except sqlite.DatabaseError:
50	                self.cnx.rollback()
51	                raise
52	        def execute(self, sql, args=None):
53	            if args:

comment:10 Changed 17 months ago by falkb

No idea anymore :( Is the milestone that goes into function get_project_milestone() maybe None here? Can you check this?

comment:11 follow-up: Changed 17 months ago by falkb

Or is 13 probably the name of the milestone or of the project?

comment:12 Changed 17 months ago by jun66j5

It seems that the plugin has an SQL injection. When the milestone name is Project'13, that issue will probably happen. We must not use string formatting. See t:wiki:TracDev/DatabaseApi#Parameterpassing.

The example is the following. The other methods in model.py still have the same issue.

  • simplemultiproject/model.py

     
    208208                        smp_project AS p, 
    209209                        smp_milestone_project AS m 
    210210                   WHERE 
    211                         m.milestone='%s' and 
    212                         m.id_project = p.id_project""" % (milestone) 
     211                        m.milestone=%s and 
     212                        m.id_project = p.id_project""" 
    213213 
    214         cursor.execute(query) 
     214        cursor.execute(query, [milestone]) 
    215215        return cursor.fetchone() 
    216216 
    217217    def get_id_project_milestone(self,milestone): 
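Review bot: the fix works only because the quotes were dropped together with the `%` formatting (`m.milestone='%s' and` became `m.milestone=%s and`, with the value bound by `cursor.execute(query, [milestone])`); a placeholder left inside quotes would be sent as literal text and never match. The trailing context stops at `def get_id_project_milestone(self,milestone):`, and the comment says the other model.py methods use the same `'%s' % (...)` construction, so each of them needs the same two-line change in the same commit rather than only this query, and any method that formats an id_project into the SQL text should bind it as a parameter the same way.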

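The following is an added example, not code from the ticket or from SimpleMultiProjectPlugin. It reproduces the reported failure against an in-memory SQLite database using the smp_milestone_project schema shown above (the smp_project columns id_project and name are an assumption), placing the string-formatted query beside the parameterized one; plain sqlite3 uses `?` where Trac's PyFormatCursor accepts `%s`.

```python
import sqlite3


def make_db():
    """Constructed in-memory database; smp_project's columns are assumed."""
    cnx = sqlite3.connect(":memory:")
    cur = cnx.cursor()
    cur.execute("CREATE TABLE smp_project ("
                "id_project integer PRIMARY KEY, name varchar(255))")
    cur.execute("CREATE TABLE smp_milestone_project ("
                "id integer PRIMARY KEY, milestone varchar(255), "
                "id_project integer)")
    cur.execute("INSERT INTO smp_project VALUES (1, 'Sales')")
    # A milestone carrying a short year, as in the ticket (Project'13).
    cur.execute("INSERT INTO smp_milestone_project VALUES (1, 'Project''13', 1)")
    cnx.commit()
    return cnx


def get_project_milestone_formatted(cnx, milestone):
    """Pre-[12659] style: the name is spliced into the SQL text, so the
    quote in Project'13 terminates the literal and 13 becomes a stray token."""
    query = """SELECT p.name FROM smp_project AS p, smp_milestone_project AS m
               WHERE m.milestone='%s' AND m.id_project = p.id_project""" % (milestone)
    cur = cnx.cursor()
    cur.execute(query)
    return cur.fetchone()


def get_project_milestone_bound(cnx, milestone):
    """Post-[12659] style: the name travels as a bound parameter and is never
    parsed as SQL, whatever characters it contains."""
    query = """SELECT p.name FROM smp_project AS p, smp_milestone_project AS m
               WHERE m.milestone=? AND m.id_project = p.id_project"""
    cur = cnx.cursor()
    cur.execute(query, [milestone])
    return cur.fetchone()


def reproduce(milestone="Project'13"):
    """Return (error text raised by the formatted query or None,
    row returned by the bound query) for the same milestone name."""
    cnx = make_db()
    try:
        get_project_milestone_formatted(cnx, milestone)
        err = None
    except sqlite3.OperationalError as e:
        err = str(e)
    return err, get_project_milestone_bound(cnx, milestone)


if __name__ == "__main__":
    print(reproduce())
```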
comment:13 Changed 17 months ago by rjollos

Jun's patch looks good to me.

comment:14 Changed 17 months ago by falkb

Again I've learnt a lot, thanks for the review! I'm gonna patch it on Monday... stay tuned

comment:15 Changed 17 months ago by falkb

  • Owner changed from crossroad to falkb
  • Status changed from new to assigned

comment:16 Changed 17 months ago by falkb

(In [12659]) bugfix (refs #10890): removed possibility of SQL injections; plugin likely can stand project names like Project'13 now, thanks to jun66j5

comment:17 follow-up: Changed 17 months ago by falkb

@Douglas: please, test! @jun66j5+rjollos: please, review! TIA

comment:18 in reply to: ↑ 11 Changed 17 months ago by dougbm

Replying to falkb:

or is 13 probably the name of the milestone or of the project?

Yes, there are milestones with the current year out there, like "SD/DECS June'13 Release IT1"

comment:19 in reply to: ↑ 17 Changed 17 months ago by dougbm

Replying to falkb:

@Douglas: please, test! @jun66j5+rjollos: please, review! TIA

I've never applied a patch before. Can you teach me?

comment:20 Changed 17 months ago by falkb

You just have to download the latest version, or update from SVN. I've committed the patch already.

comment:21 Changed 17 months ago by dougbm

I downloaded the latest version and updated my Trac instance. All is working fine now. Thank you very much for all the help.

comment:22 Changed 17 months ago by falkb

  • Resolution set to fixed
  • Status changed from assigned to closed

You're welcome. It's another piece in the puzzle of stability. Kudos to jun66j5.

comment:23 Changed 17 months ago by falkb

(In [12662]) bugfix (refs #10890): further testing revealed [12659] was not fully water-proofed, this should fix the project_id SQL argument (dougbm, please update again)
