Opened 7 years ago

Closed 6 years ago

#8316 closed defect (fixed)

[PATCH] Problem with generating "links" in wiki text

Reported by: Michael Medin
Owned by: Radek Bartoň
Priority: high
Component: DiscussionPlugin
Severity: major
Keywords:
Cc:
Trac Release: 0.11

Description

Hello,

I noticed how some text (especially log pastings) breaks inside the wiki link generation thingy (wiki.py). The reason seems to be that there is no check if the data is actually valid, which means that message:whootwhoot will cause a problem (since whootwhoot is not a valid message id).

Patch (ish) pasted here. Since you haven't applied the patch I submitted before (I think anyway) the "full patch" is bigger so I just grabbed the chunk regarding this issue.

As always I am not really sure if this is the proper way (I simply check if it's a number). I guess a better way is to also check for a valid message id, as now message:999999999 will cause similar issues I guess, since that message is not there...

Index: tracdiscussion/wiki.py
===================================================================
--- tracdiscussion/wiki.py      (Revision 9462)
+++ tracdiscussion/wiki.py      (Arbeitskopie)
@@ -127,6 +127,8 @@

     def _discussion_link(self, formatter, namespace, params, label):
         id = params
+        if not id.isdigit():
+          return '%s:%s'%(namespace, id)

         # Get database access.
         db = self.env.get_db_cnx()
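
Review bot: The non-numeric fallback `return '%s:%s'%(namespace, id)` discards `label`, so a link written with its own link text would render as the raw `namespace:id` pair instead of what the author typed; returning `label` would preserve it. The string is built from user-supplied wiki text, so confirm that the formatter escapes a plain-string return value before it reaches the page. The `return` line is also indented two spaces under the `if`, where the rest of the method uses four.
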
@@ -137,9 +139,9 @@
             sql_values = {'id' : id}
             sql = ("SELECT f.subject "
                    "FROM forum f "
-                   "WHERE f.id = %(id)s" % (sql_values))
+                   "WHERE f.id = :id")
             self.log.debug(sql)
-            cursor.execute(sql)
+            cursor.execute(sql, sql_values)
             for row in cursor:
                 row = dict(zip(columns, row))
                 return html.a(label, href = formatter.href.discussion('forum',
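
Review bot: The `:id` placeholder in `WHERE f.id = :id` is the named parameter style, which not every DB-API driver or cursor wrapper accepts, so this statement may fail on some of the backends the plugin runs on. Moving the value out of the SQL text and into `cursor.execute(sql, sql_values)` is the right direction; a positional `%s` placeholder with the value passed as a one-element tuple is the more portable form to try.
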
@@ -152,9 +154,9 @@
             sql = ("SELECT t.forum, f.subject, t.subject "
                    "FROM topic t "
                    "LEFT JOIN forum f "
-                   "ON t.forum = f.id WHERE t.id = %(id)s" % (sql_values))
+                   "ON t.forum = f.id WHERE t.id = :id")
             self.log.debug(sql)
-            cursor.execute(sql)
+            cursor.execute(sql, sql_values)
             for row in cursor:
                 row = dict(zip(columns, row))
                 return html.a(label, href = '%s#-1' % \
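
Review bot: `self.log.debug(sql)` now logs only the statement with its placeholder, so the debug line no longer shows which topic id was looked up. Log `sql_values` alongside the statement if the id is still wanted for troubleshooting.
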
@@ -172,10 +174,9 @@
                 "FROM forum) f, "
                 "(SELECT subject, id "
                 "FROM topic) t "
-              "WHERE m.forum = f.id AND m.topic = t.id AND m.id = %(id)s" %
-                (sql_values))
+              "WHERE m.forum = f.id AND m.topic = t.id AND m.id = :id")
             self.log.debug(sql)
-            cursor.execute(sql)
+            cursor.execute(sql, sql_values)
             for row in cursor:
                 row = dict(zip(columns, row))
                 return html.a(label, href = '%s#%s' % \
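
Review bot: The `for row in cursor:` loop only returns when a row matches, and nothing visible in this hunk covers an id that passes the `isdigit()` check but does not exist, which is the message:999999999 case raised in the description. Add an explicit return after the loop (for example a missing-link rendering of `label`) so the resolver never falls through without a value.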

Attachments (0)

Change History (1)

comment:1 Changed 6 years ago by Radek Bartoň

Resolution: fixed
Status: new → closed

Concerning the allowed text in [forum:<id>] and other macros: The macro content is checked to be an integer, then a missing link to the forum with ID -1 is created.

Concerning the SQL arguments: the :id syntax is IIRC not supported by the SQLite implementation of cursor, so I reverted to the %s syntax with changeset r9787.
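
An added example, not the DiscussionPlugin's code: it reproduces the failure this ticket describes (a non-numeric link target formatted into the SQL text) beside the bound-parameter form, using Python's built-in sqlite3 with `?` placeholders in place of Trac's cursor. The table contents, the function names and the `(kind, text)` return value are assumptions made for the demonstration.

```python
import sqlite3


def make_db():
    # Constructed sample data standing in for the plugin's forum table.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE forum (id INTEGER PRIMARY KEY, subject TEXT)")
    db.execute("INSERT INTO forum (id, subject) VALUES (1, 'General')")
    return db


def subject_interpolated(db, raw_id):
    # Pre-patch pattern: the link target becomes part of the SQL text, so
    # "whootwhoot" is parsed as a column name and the statement fails.
    sql = "SELECT f.subject FROM forum f WHERE f.id = %(id)s" % {"id": raw_id}
    row = db.execute(sql).fetchone()
    return row[0] if row else None


def subject_bound(db, raw_id):
    # Patched pattern: the value is passed separately from the statement
    # and is only ever compared as data.
    sql = "SELECT f.subject FROM forum f WHERE f.id = ?"
    row = db.execute(sql, (raw_id,)).fetchone()
    return row[0] if row else None


def forum_link(db, namespace, params, label):
    # Hypothetical resolver returning (kind, text) instead of Trac markup.
    # In Python 3, str.isdigit() also accepts digits such as "²" that int()
    # rejects, hence isascii(); 18 digits always fit SQLite's 64-bit INTEGER.
    if not (params.isascii() and params.isdigit()) or len(params) > 18:
        return ("text", "%s:%s" % (namespace, params))
    subject = subject_bound(db, int(params))
    if subject is None:
        # Numeric but unknown id, e.g. forum:999999999.
        return ("missing", label)
    return ("link", "%s (%s)" % (label, subject))


if __name__ == "__main__":
    db = make_db()
    for target in ("1", "999999999", "whootwhoot"):
        print(target, forum_link(db, "forum", target, "see forum"))
    try:
        subject_interpolated(db, "whootwhoot")
    except sqlite3.OperationalError as exc:
        print("interpolated query failed:", exc)
```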
