|Anonymous | Login | Signup for a new account||2021-04-16 21:26 BST|
|Main | My View | View Issues | Change Log | Roadmap|
|View Issue Details|
|ID||Project||Category||View Status||Date Submitted||Last Update|
|0001822||SiT!||plugins||public||2012-12-05 22:01||2013-07-06 17:19|
|Product Version||3.67 LTS|
|Target Version||3.68||Fixed in Version||Current SVN|
|Summary||0001822: Incident creation from inbound email fails when subject contains quote|
|Description||I'm not entirely sure if this is a problem just with the auto_create_tags plugin or if it's a problem with the create_incident() function, but when an inbound email is processed, the incident creation fails if there is a quote (') in the subject line. The debug log shows the following error for an email with "Leaky faucet in 4th floor men's room" as the subject:|
2012-12-05T12:49:04-08:00 auto.php Application Warning  MySQL Query Error You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 's room%'' at line 1 (in line 605 of file auto_create_tags.php)
2012-12-05T12:49:04-08:00 auto.php Warning  mysql_num_rows() expects parameter 1 to be resource, boolean given (in line 608 of file auto_create_tags.php)
2012-12-05T12:49:04-08:00 auto.php Auto_create_tags - Duplicate check = 1(1 = No duplicates 0 = Duplicates found
2012-12-05T12:49:04-08:00 auto.php Application Error  MySQL Query Error You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 's room', '0', '132', '1', 'standard', '1', '' at line 1 (in line 87 of file incident.inc.php)
[title] => Leaky faucet in 4th floor men's room
[contact] => 132
[servicelevel] => standard
[software] => 2
[priority] => 1
[owner] => 0
[status] => 1
[opened] => 1354740542
[lastupdated] => 1354740542
[now] => 1354740542
[dbIncidents] => incidents
[dbUpdates] => updates
[sql] => INSERT INTO `incidents` (title, owner, contact, priority, servicelevel, status, maintenanceid, product, softwareid, productversion, productservicepacks, opened, lastupdated) VALUES ('Leaky faucet in 4th floor men's room', '0', '132', '1', 'standard', '1', '', '', '2', '', '', '1354740542', '1354740542')
|Steps To Reproduce||Send email to support inbox with a quote in the subject line|
|Tags||No tags attached.|
|Attached Files||cleanvar.patch [^] (1,069 bytes) 2012-12-07 19:44 [Show Content]|
I cannot reproduce this on a system that doesn't have the mentioned plugins.
can you try and disable the plugin to see if that helps ?
|reclassifying this as Crash, assuming it can be confirmed.|
|Oops, 'crash' not major.|
|Ok, after disabling the auto_create_tags plugin (sorry I didn't think to do that in the first place) incoming emails are turned into new incidents regardless of whether or not they have a quote in the subject line. Also, I dug around in the code a bit and I can almost fix this by adding a addslashes() around where the subject gets passed into the create_incident() function on line 300 of auto_create_tags.php. Unfortunately, if I do that, the subject of the response email that is sent to the customer ends up with a slash in it.|
|I just noticed that I get the slash in the subject line of the first response email after assigning it, anyway. Is that something that can be fixed or is it something that developers have decided is acceptable? Just curious.|
This could be addressed by doing a stripslashes() call on any output that is retrieved by the script accessing the database.
Obviously adding slashes is a security feature, so it'll be stored in the database as men\'s. When being displayed a strip slashes would allow output of men's without compromising security.
Just to make clear
The plugin is a third-party developed plugin.
you can see the plugins that doesn't say "SiT Developers"
are third-party created plugins (including my own "Carsten Jensen")
instead of addslashes() you should use mysql_real_escape_string() function
or the better SiT built-in function clean_var()
after using this, I don't think it's neccessary to use stripslashes().
Ok. Good to know.
The plugin page on the wiki indicates that problems with that plugin should be reported here. Is that not accurate?
bug reporting for that plugin here is fine, the developer has access to here, hence the notice. that wasn't my point though.
Lets stick to bug reporting here and move to the forum for discussions around plugins and off-topic subjects please.
|I'm not sure what the difference is between 3.66 and 3.67p1 (I'm sure the main thing was a security fix to setup.php) but on 3.66 I just logged in as a contact and created an incident with title ' and description ' and the title is displayed correctly, the description however is not. The description is displayed as \' which means the slashes are not being pulled out like they are for the title.|
this is offtopic, please move to the forum or create a new bug report
|I just uploaded a quick patch that will fix this issue. It just adds cleanvar(), as suggested by Tomse, around the $origsubject when it gets passed into the create_incident() function.|
|Can reproduce this in the auto_create_tags plugin|
|r7565 merges this patch, thanks for you assistence|
|2012-12-05 22:01||ringram74||New Issue|
|2012-12-06 08:37||Tomse||Note Added: 0004597|
|2012-12-06 08:37||Tomse||Assigned To||=> Tomse|
|2012-12-06 08:37||Tomse||Status||new => feedback|
|2012-12-06 08:37||Tomse||Assigned To||Tomse =>|
|2012-12-06 11:18||ivan||Note Added: 0004598|
|2012-12-06 11:18||ivan||Severity||minor => major|
|2012-12-06 11:19||ivan||Note Added: 0004599|
|2012-12-06 11:19||ivan||Severity||major => crash|
|2012-12-06 16:13||ringram74||Note Added: 0004600|
|2012-12-06 16:13||ringram74||Status||feedback => new|
|2012-12-06 17:42||ringram74||Note Added: 0004601|
|2012-12-06 19:25||FlyingScotsman||Note Added: 0004602|
|2012-12-06 20:39||Tomse||Note Added: 0004603|
|2012-12-06 20:44||ringram74||Note Added: 0004604|
|2012-12-06 20:50||Tomse||Note Added: 0004605|
|2012-12-06 20:51||FlyingScotsman||Note Added: 0004606|
|2012-12-06 20:55||Tomse||Note Added: 0004607|
|2012-12-07 19:44||ringram74||File Added: cleanvar.patch|
|2012-12-07 19:45||ringram74||Note Added: 0004610|
|2013-02-03 15:21||paulh||Note Added: 0004665|
|2013-02-03 15:21||paulh||Status||new => confirmed|
|2013-02-03 15:21||paulh||Category||inbound email => plugins|
|2013-02-04 20:33||paulh||Note Added: 0004692|
|2013-02-04 20:33||paulh||Assigned To||=> paulh|
|2013-02-04 20:33||paulh||Status||confirmed => assigned|
|2013-02-04 20:33||paulh||Fixed in Version||=> Current SVN|
|2013-02-04 20:35||paulh||Status||assigned => resolved|
|2013-07-06 17:19||ivan||Target Version||=> 3.68|
|Copyright © 2000 - 2021 MantisBT Team|