SiT! Bugs

ID: 0001822
Project: SiT!
Category: plugins
View Status: public
Date Submitted: 2012-12-05 22:01
Last Update: 2013-07-06 17:19
Reporter: ringram74
Assigned To: paulh
Priority: normal
Severity: crash
Reproducibility: always
Status: resolved
Resolution: open
Platform: Linux
OS: CentOS
OS Version: 6.3
Product Version: 3.67 LTS
Target Version: 3.68
Fixed in Version: Current SVN
Summary: 0001822: Incident creation from inbound email fails when subject contains quote

Description:
I'm not entirely sure if this is a problem just with the auto_create_tags plugin or if it's a problem with the create_incident() function, but when an inbound email is processed, the incident creation fails if there is a quote (') in the subject line. The debug log shows the following error for an email with "Leaky faucet in 4th floor men's room" as the subject:

2012-12-05T12:49:04-08:00 auto.php Application Warning [512] MySQL Query Error You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 's room%'' at line 1 (in line 605 of file auto_create_tags.php)
2012-12-05T12:49:04-08:00 auto.php Warning [2] mysql_num_rows() expects parameter 1 to be resource, boolean given (in line 608 of file auto_create_tags.php)
2012-12-05T12:49:04-08:00 auto.php Auto_create_tags - Duplicate check = 1(1 = No duplicates 0 = Duplicates found
2012-12-05T12:49:04-08:00 auto.php Application Error [256] MySQL Query Error You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 's room', '0', '132', '1', 'standard', '1', '' at line 1 (in line 87 of file incident.inc.php)
Context: [CONTEXT-BEGIN]
Array
(
    [title] => Leaky faucet in 4th floor men's room
    [contact] => 132
    [servicelevel] => standard
    [contract] =>
    [product] =>
    [software] => 2
    [priority] => 1
    [owner] => 0
    [status] => 1
    [productversion] =>
    [productservicepacks] =>
    [opened] => 1354740542
    [lastupdated] => 1354740542
    [now] => 1354740542
    [dbIncidents] => incidents
    [dbUpdates] => updates
    [sit] =>
    [sql] => INSERT INTO `incidents` (title, owner, contact, priority, servicelevel, status, maintenanceid, product, softwareid, productversion, productservicepacks, opened, lastupdated) VALUES ('Leaky faucet in 4th floor men's room', '0', '132', '1', 'standard', '1', '', '', '2', '', '', '1354740542', '1354740542')
    [result] =>
)

[CONTEXT-END]
----------
Steps To Reproduce: Send email to support inbox with a quote in the subject line
Tags: No tags attached.
Attached Files: cleanvar.patch (1,069 bytes) 2012-12-07 19:44

Notes

(0004597)
Tomse (developer)
2012-12-06 08:37

I cannot reproduce this on a system that doesn't have the mentioned plugins.

can you try and disable the plugin to see if that helps ?
(0004598)
ivan (administrator)
2012-12-06 11:18

reclassifying this as Crash, assuming it can be confirmed.
(0004599)
ivan (administrator)
2012-12-06 11:19

Oops, 'crash' not major.
(0004600)
ringram74 (reporter)
2012-12-06 16:13

Ok, after disabling the auto_create_tags plugin (sorry I didn't think to do that in the first place) incoming emails are turned into new incidents regardless of whether or not they have a quote in the subject line. Also, I dug around in the code a bit and I can almost fix this by adding an addslashes() around where the subject gets passed into the create_incident() function on line 300 of auto_create_tags.php. Unfortunately, if I do that, the subject of the response email that is sent to the customer ends up with a slash in it.
(0004601)
ringram74 (reporter)
2012-12-06 17:42

I just noticed that I get the slash in the subject line of the first response email after assigning it, anyway. Is that something that can be fixed or is it something that developers have decided is acceptable? Just curious.
(0004602)
FlyingScotsman (reporter)
2012-12-06 19:25

This could be addressed by doing a stripslashes() call on any output that is retrieved by the script accessing the database.

Obviously adding slashes is a security feature, so it'll be stored in the database as men\'s. When being displayed a strip slashes would allow output of men's without compromising security.
(0004603)
Tomse (developer)
2012-12-06 20:39

Just to make clear
The plugin is a third-party developed plugin.
you can see the plugins that don't say "SiT Developers"
are third-party created plugins (including my own, "Carsten Jensen")
http://sitracker.org/wiki/Plugins_Directory

instead of addslashes() you should use mysql_real_escape_string() function
or the better SiT built-in function clean_var()

after using this, I don't think it's necessary to use stripslashes().
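The failure in the report (a single quote inside the subject terminating the SQL string literal) and the escaping advice in this note can be shown side by side. The following is an added example written for this page in Python against an in-memory SQLite table; it is not the plugin's PHP code and it does not use SiT!'s clean_var() or mysql_real_escape_string(). The table layout, the `sql_quote_literal` helper (which doubles single quotes, SQLite's own literal-escaping rule, where MySQL's escaper would emit a backslash instead) and the sample subject are constructed for the demonstration. It shows that interpolating the raw subject breaks the statement, that an escaped literal or a parameterized query both succeed, and that in either case the stored title contains no escape characters, so nothing needs to be stripped on output.

```python
import sqlite3

# Constructed sample input, matching the subject quoted in the bug report.
SUBJECT = "Leaky faucet in 4th floor men's room"


def setup_db():
    """Create a minimal stand-in for the incidents table (constructed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE incidents (id INTEGER PRIMARY KEY, title TEXT, contact INTEGER)"
    )
    return conn


def insert_interpolated(conn, title, contact):
    """Mirror the failing plugin: the subject is pasted straight into the SQL text.

    Returns "ok" or an "error: ..." string rather than raising, so the
    caller can see the same kind of syntax failure the debug log recorded.
    """
    sql = "INSERT INTO incidents (title, contact) VALUES ('%s', '%d')" % (title, contact)
    try:
        conn.execute(sql)
        conn.commit()
        return "ok"
    except sqlite3.OperationalError as exc:
        return "error: %s" % exc


def sql_quote_literal(value):
    """Escape a string for use inside a single-quoted SQL literal (SQLite rule).

    Hypothetical helper standing in for an escaper such as clean_var();
    SQLite escapes ' by doubling it, MySQL-style escapers use a backslash.
    """
    return "'" + value.replace("'", "''") + "'"


def insert_escaped(conn, title, contact):
    """Same string-building style as the plugin, but with the value escaped."""
    sql = "INSERT INTO incidents (title, contact) VALUES (%s, %d)" % (
        sql_quote_literal(title), contact)
    conn.execute(sql)
    conn.commit()
    return "ok"


def insert_parameterized(conn, title, contact):
    """Preferred form: the driver binds the value, so no escaping code at all."""
    conn.execute("INSERT INTO incidents (title, contact) VALUES (?, ?)", (title, contact))
    conn.commit()
    return "ok"


def fetch_titles(conn):
    """Read back what was actually stored, in insertion order."""
    return [row[0] for row in conn.execute("SELECT title FROM incidents ORDER BY id")]


def demo(subject=SUBJECT):
    """Run all three insert styles against one fresh table and report the results."""
    conn = setup_db()
    results = {
        "interpolated": insert_interpolated(conn, subject, 132),
        "escaped": insert_escaped(conn, subject, 132),
        "parameterized": insert_parameterized(conn, subject, 132),
    }
    results["titles"] = fetch_titles(conn)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print("%s: %r" % (key, value))
```

The escaping only protects the SQL statement text; the database receives and stores the original `men's room`, which is why a stripslashes() on output is unnecessary after correct escaping (and why seeing a backslash in stored or displayed data indicates the value was escaped twice, e.g. addslashes() on top of an escaper).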
(0004604)
ringram74 (reporter)
2012-12-06 20:44

Ok. Good to know.
The plugin page on the wiki indicates that problems with that plugin should be reported here. Is that not accurate?
(0004605)
Tomse (developer)
2012-12-06 20:50

bug reporting for that plugin here is fine, the developer has access to here, hence the notice. that wasn't my point though.
Let's stick to bug reporting here and move to the forum for discussions around plugins and off-topic subjects please.
(0004606)
FlyingScotsman (reporter)
2012-12-06 20:51

I'm not sure what the difference is between 3.66 and 3.67p1 (I'm sure the main thing was a security fix to setup.php) but on 3.66 I just logged in as a contact and created an incident with title ' and description ' and the title is displayed correctly, the description however is not. The description is displayed as \' which means the slashes are not being pulled out like they are for the title.
(0004607)
Tomse (developer)
2012-12-06 20:55

@FlyingScotsman.

this is off-topic, please move to the forum or create a new bug report
(0004610)
ringram74 (reporter)
2012-12-07 19:45

I just uploaded a quick patch that will fix this issue. It just adds cleanvar(), as suggested by Tomse, around the $origsubject when it gets passed into the create_incident() function.
(0004665)
paulh (administrator)
2013-02-03 15:21

Can reproduce this in the auto_create_tags plugin
(0004692)
paulh (administrator)
2013-02-04 20:33

r7565 merges this patch, thanks for your assistance

Issue History
Date Modified Username Field Change
2012-12-05 22:01 ringram74 New Issue
2012-12-06 08:37 Tomse Note Added: 0004597
2012-12-06 08:37 Tomse Assigned To => Tomse
2012-12-06 08:37 Tomse Status new => feedback
2012-12-06 08:37 Tomse Assigned To Tomse =>
2012-12-06 11:18 ivan Note Added: 0004598
2012-12-06 11:18 ivan Severity minor => major
2012-12-06 11:19 ivan Note Added: 0004599
2012-12-06 11:19 ivan Severity major => crash
2012-12-06 16:13 ringram74 Note Added: 0004600
2012-12-06 16:13 ringram74 Status feedback => new
2012-12-06 17:42 ringram74 Note Added: 0004601
2012-12-06 19:25 FlyingScotsman Note Added: 0004602
2012-12-06 20:39 Tomse Note Added: 0004603
2012-12-06 20:44 ringram74 Note Added: 0004604
2012-12-06 20:50 Tomse Note Added: 0004605
2012-12-06 20:51 FlyingScotsman Note Added: 0004606
2012-12-06 20:55 Tomse Note Added: 0004607
2012-12-07 19:44 ringram74 File Added: cleanvar.patch
2012-12-07 19:45 ringram74 Note Added: 0004610
2013-02-03 15:21 paulh Note Added: 0004665
2013-02-03 15:21 paulh Status new => confirmed
2013-02-03 15:21 paulh Category inbound email => plugins
2013-02-04 20:33 paulh Note Added: 0004692
2013-02-04 20:33 paulh Assigned To => paulh
2013-02-04 20:33 paulh Status confirmed => assigned
2013-02-04 20:33 paulh Fixed in Version => Current SVN
2013-02-04 20:35 paulh Status assigned => resolved
2013-07-06 17:19 ivan Target Version => 3.68


Copyright © 2000 - 2019 MantisBT Team
Powered by Mantis Bugtracker