Opened 4 years ago

Closed 3 years ago

#8316 closed defect (fixed)

[PATCH] Problem with generating "links" in wiki text

Reported by: mickem
Owned by: Blackhex
Priority: high
Component: DiscussionPlugin
Severity: major
Keywords:
Cc:
Trac Release: 0.11

Description

Hello,

I noticed how some text (especially log pastings) breaks inside the wiki link generation thingy (wiki.py).
The reason seems to be that there is no check if the data is actually valid, which means that:
message:whootwhoot will cause a problem (since whootwhoot is not a valid message id).

Patch (ish) pasted here.
Since you haven't applied the patch I submitted before (I think anyway) the "full patch" is bigger so I just grabbed the chunk regarding this issue.

As always I am not really sure if this is the proper way (I simply check if it's a number). I guess a better way is to also check for a valid message id, as now message:999999999 will cause similar issues I guess, since that message is not there...

Index: tracdiscussion/wiki.py
===================================================================
--- tracdiscussion/wiki.py      (Revision 9462)
+++ tracdiscussion/wiki.py      (Arbeitskopie)
@@ -127,6 +127,8 @@

     def _discussion_link(self, formatter, namespace, params, label):
         id = params
+        if not id.isdigit():
+          return '%s:%s'%(namespace, id)

         # Get database access.
         db = self.env.get_db_cnx()
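
Review bot: the added `return` under `if not id.isdigit():` is indented two spaces past the `if`, while the surrounding method body steps by four; please match the file. The check also only establishes that `params` consists of digits, so a numeric id with no matching row (the reporter's message:999999999 case) still goes on to the queries, and the value stays a string; consider converting with `int(params)` after the check so the queries receive an integer.
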
@@ -137,9 +139,9 @@
             sql_values = {'id' : id}
             sql = ("SELECT f.subject "
                    "FROM forum f "
-                   "WHERE f.id = %(id)s" % (sql_values))
+                   "WHERE f.id = :id")
             self.log.debug(sql)
-            cursor.execute(sql)
+            cursor.execute(sql, sql_values)
             for row in cursor:
                 row = dict(zip(columns, row))
                 return html.a(label, href = formatter.href.discussion('forum',
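
Review bot: `WHERE f.id = :id` with a dict passed to `cursor.execute` relies on the driver accepting the named paramstyle, which DB-API drivers are not required to share, so this needs testing on every database backend the plugin supports. Passing the value separately instead of formatting it into the statement is the right change; a positional placeholder with a tuple, e.g. `f.id = %s` and `cursor.execute(sql, (id,))`, is worth checking as the more portable form.
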
@@ -152,9 +154,9 @@
             sql = ("SELECT t.forum, f.subject, t.subject "
                    "FROM topic t "
                    "LEFT JOIN forum f "
-                   "ON t.forum = f.id WHERE t.id = %(id)s" % (sql_values))
+                   "ON t.forum = f.id WHERE t.id = :id")
             self.log.debug(sql)
-            cursor.execute(sql)
+            cursor.execute(sql, sql_values)
             for row in cursor:
                 row = dict(zip(columns, row))
                 return html.a(label, href = '%s#-1' % \
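
Review bot: with the value no longer formatted into the string, `self.log.debug(sql)` now logs only the statement text with the `:id` placeholder, so the debug log no longer shows which topic id was looked up. If that was relied on for troubleshooting, log `sql_values` alongside the statement.
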
@@ -172,10 +174,9 @@
                 "FROM forum) f, "
                 "(SELECT subject, id "
                 "FROM topic) t "
-              "WHERE m.forum = f.id AND m.topic = t.id AND m.id = %(id)s" %
-                (sql_values))
+              "WHERE m.forum = f.id AND m.topic = t.id AND m.id = :id")
             self.log.debug(sql)
-            cursor.execute(sql)
+            cursor.execute(sql, sql_values)
             for row in cursor:
                 row = dict(zip(columns, row))
                 return html.a(label, href = '%s#%s' % \
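
Review bot: the `for row in cursor:` loop returns on the first row, and nothing in the visible context covers the case where the query matches no row, which is what a numeric but nonexistent message id produces. Please confirm that the code after the loop returns a fallback link or plain text rather than falling through to `None`.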

Attachments (0)

Change History (1)

comment:1 Changed 3 years ago by Blackhex

  • Resolution set to fixed
  • Status changed from new to closed

Concerning the allowed text in [forum:<id>] and other macros: the macro content is checked to be an integer, then a missing link to the forum with ID -1 is created.

Concerning the SQL arguments: the :id syntax is IIRC not supported by the SQLite implementation of cursor, so I reverted to the %s syntax with changeset r9787.
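
The validate-then-bind handling discussed in this ticket, as an added example that is not the plugin's code. It uses the standard library `sqlite3` module directly (placeholder `?`) rather than Trac's database layer; the function names, the result tuples and the 18-digit cap are assumptions made for the illustration.

```python
import sqlite3

def make_db():
    # Constructed sample data standing in for the plugin's forum table.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE forum (id INTEGER PRIMARY KEY, subject TEXT)")
    db.execute("INSERT INTO forum (id, subject) VALUES (?, ?)", (1, "General"))
    return db

def link_interpolated(db, namespace, params):
    # Pre-patch shape: the wiki text is formatted into the SQL statement.
    sql = "SELECT subject FROM forum WHERE id = %(id)s" % {"id": params}
    row = db.execute(sql).fetchone()
    return ("link", row[0]) if row else ("missing", params)

def link_bound(db, namespace, params):
    # Accept only a plain ASCII decimal id; anything else stays wiki text.
    # The length cap keeps the value inside SQLite's 64-bit integer range.
    if not (params.isascii() and params.isdigit() and len(params) <= 18):
        return ("text", "%s:%s" % (namespace, params))
    # Bind the value instead of formatting it into the statement.
    row = db.execute("SELECT subject FROM forum WHERE id = ?",
                     (int(params),)).fetchone()
    # A well-formed id with no row is reported as missing, not as an error.
    return ("link", row[0]) if row else ("missing", params)

def interpolated_fails(db, params):
    # True when the interpolated query raises on this wiki text.
    try:
        link_interpolated(db, "forum", params)
    except sqlite3.Error:
        return True
    return False

if __name__ == "__main__":
    db = make_db()
    for text in ("1", "999999999", "whootwhoot"):
        print(text, interpolated_fails(db, text), link_bound(db, "forum", text))
```
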
