SiT! Bugs - SiT!
View Issue Details
ID: 0001822
Project: SiT!
Category: plugins
View Status: public
Date Submitted: 2012-12-05 22:01
Last Update: 2013-07-06 17:19
Reporter: ringram74
Assigned To: paulh
Priority: normal
Severity: crash
Reproducibility: always
Status: resolved
Resolution: open
Platform: Linux
OS: CentOS
OS Version: 6.3
Product Version: 3.67 LTS
Target Version: 3.68
Fixed in Version: Current SVN
0001822: Incident creation from inbound email fails when subject contains quote
I'm not entirely sure if this is a problem just with the auto_create_tags plugin or if it's a problem with the create_incident() function, but when an inbound email is processed, the incident creation fails if there is a quote (') in the subject line. The debug log shows the following error for an email with "Leaky faucet in 4th floor men's room" as the subject:

2012-12-05T12:49:04-08:00 auto.php Application Warning [512] MySQL Query Error You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 's room%'' at line 1 (in line 605 of file auto_create_tags.php)
2012-12-05T12:49:04-08:00 auto.php Warning [2] mysql_num_rows() expects parameter 1 to be resource, boolean given (in line 608 of file auto_create_tags.php)
2012-12-05T12:49:04-08:00 auto.php Auto_create_tags - Duplicate check = 1(1 = No duplicates 0 = Duplicates found
2012-12-05T12:49:04-08:00 auto.php Application Error [256] MySQL Query Error You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 's room', '0', '132', '1', 'standard', '1', '' at line 1 (in line 87 of file incident.inc.php)
Context: [CONTEXT-BEGIN]
Array
(
    [title] => Leaky faucet in 4th floor men's room
    [contact] => 132
    [servicelevel] => standard
    [contract] =>
    [product] =>
    [software] => 2
    [priority] => 1
    [owner] => 0
    [status] => 1
    [productversion] =>
    [productservicepacks] =>
    [opened] => 1354740542
    [lastupdated] => 1354740542
    [now] => 1354740542
    [dbIncidents] => incidents
    [dbUpdates] => updates
    [sit] =>
    [sql] => INSERT INTO `incidents` (title, owner, contact, priority, servicelevel, status, maintenanceid, product, softwareid, productversion, productservicepacks, opened, lastupdated) VALUES ('Leaky faucet in 4th floor men's room', '0', '132', '1', 'standard', '1', '', '', '2', '', '', '1354740542', '1354740542')
    [result] =>
)

[CONTEXT-END]
----------
Send email to support inbox with a quote in the subject line
No tags attached.
patch cleanvar.patch (1,069) 2012-12-07 19:44
https://bugs.sitracker.org/file_download.php?file_id=213&type=bug
Issue History
2012-12-05 22:01  ringram74       New Issue
2012-12-06 08:37  Tomse           Note Added: 0004597
2012-12-06 08:37  Tomse           Assigned To => Tomse
2012-12-06 08:37  Tomse           Status: new => feedback
2012-12-06 08:37  Tomse           Assigned To: Tomse =>
2012-12-06 11:18  ivan            Note Added: 0004598
2012-12-06 11:18  ivan            Severity: minor => major
2012-12-06 11:19  ivan            Note Added: 0004599
2012-12-06 11:19  ivan            Severity: major => crash
2012-12-06 16:13  ringram74       Note Added: 0004600
2012-12-06 16:13  ringram74       Status: feedback => new
2012-12-06 17:42  ringram74       Note Added: 0004601
2012-12-06 19:25  FlyingScotsman  Note Added: 0004602
2012-12-06 20:39  Tomse           Note Added: 0004603
2012-12-06 20:44  ringram74       Note Added: 0004604
2012-12-06 20:50  Tomse           Note Added: 0004605
2012-12-06 20:51  FlyingScotsman  Note Added: 0004606
2012-12-06 20:55  Tomse           Note Added: 0004607
2012-12-07 19:44  ringram74       File Added: cleanvar.patch
2012-12-07 19:45  ringram74       Note Added: 0004610
2013-02-03 15:21  paulh           Note Added: 0004665
2013-02-03 15:21  paulh           Status: new => confirmed
2013-02-03 15:21  paulh           Category: inbound email => plugins
2013-02-04 20:33  paulh           Note Added: 0004692
2013-02-04 20:33  paulh           Assigned To => paulh
2013-02-04 20:33  paulh           Status: confirmed => assigned
2013-02-04 20:33  paulh           Fixed in Version => Current SVN
2013-02-04 20:35  paulh           Status: assigned => resolved
2013-07-06 17:19  ivan            Target Version => 3.68

Notes
(0004597) Tomse 2012-12-06 08:37
I cannot reproduce this on a system that doesn't have the mentioned plugins.

can you try and disable the plugin to see if that helps ?
(0004598) ivan 2012-12-06 11:18
reclassifying this as Crash, assuming it can be confirmed.
(0004599) ivan 2012-12-06 11:19
Oops, 'crash' not major.
(0004600) ringram74 2012-12-06 16:13
Ok, after disabling the auto_create_tags plugin (sorry I didn't think to do that in the first place) incoming emails are turned into new incidents regardless of whether or not they have a quote in the subject line. Also, I dug around in the code a bit and I can almost fix this by adding an addslashes() around where the subject gets passed into the create_incident() function on line 300 of auto_create_tags.php. Unfortunately, if I do that, the subject of the response email that is sent to the customer ends up with a slash in it.
(0004601) ringram74 2012-12-06 17:42
I just noticed that I get the slash in the subject line of the first response email after assigning it, anyway. Is that something that can be fixed or is it something that developers have decided is acceptable? Just curious.
(0004602) FlyingScotsman 2012-12-06 19:25
This could be addressed by doing a stripslashes() call on any output that is retrieved by the script accessing the database.

Obviously adding slashes is a security feature, so it'll be stored in the database as men\'s. When being displayed a strip slashes would allow output of men's without compromising security.
(0004603) Tomse 2012-12-06 20:39
Just to make clear:
The plugin is a third-party developed plugin.
You can see that the plugins that don't say "SiT Developers"
are third-party created plugins (including my own, "Carsten Jensen")
http://sitracker.org/wiki/Plugins_Directory

Instead of addslashes() you should use the mysql_real_escape_string() function
or, better, the SiT built-in function clean_var().

After using this, I don't think it's necessary to use stripslashes().
(0004604) ringram74 2012-12-06 20:44
Ok. Good to know.
The plugin page on the wiki indicates that problems with that plugin should be reported here. Is that not accurate?
(0004605) Tomse 2012-12-06 20:50
Bug reporting for that plugin here is fine; the developer has access to here, hence the notice. That wasn't my point though.
Let's stick to bug reporting here and move to the forum for discussions around plugins and off-topic subjects please.
(0004606) FlyingScotsman 2012-12-06 20:51
I'm not sure what the difference is between 3.66 and 3.67p1 (I'm sure the main thing was a security fix to setup.php) but on 3.66 I just logged in as a contact and created an incident with title ' and description ' and the title is displayed correctly, the description however is not. The description is displayed as \' which means the slashes are not being pulled out like they are for the title.
(0004607) Tomse 2012-12-06 20:55
@FlyingScotsman.

This is off-topic, please move to the forum or create a new bug report.
(0004610) ringram74 2012-12-07 19:45
I just uploaded a quick patch that will fix this issue. It just adds cleanvar(), as suggested by Tomse, around the $origsubject when it gets passed into the create_incident() function.
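The three behaviours discussed in this thread, as an added example that is not part of the plugin or of SiT!: splicing the raw subject into the INSERT (the syntax error in the debug log), escaping the value before a parameterised insert (which stores the backslash ringram74 saw in the response email subject), and a parameterised insert alone. Python's sqlite3 stands in for the MySQL calls; the `incidents` table and column names are taken from the logged SQL, and the function names are assumptions.

```python
import sqlite3

# Subject line from the bug report's debug log.
SUBJECT = "Leaky faucet in 4th floor men's room"

def make_db():
    """In-memory stand-in for the `incidents` table named in the logged INSERT."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE incidents (id INTEGER PRIMARY KEY, "
               "title TEXT, contact INTEGER, status INTEGER)")
    return db

def insert_concatenated(db, title, contact=132, status=1):
    """The failing pattern: the raw subject is spliced into the SQL text,
    so the apostrophe ends the string literal early. Returns the error
    message, or None if the statement ran."""
    sql = ("INSERT INTO incidents (title, contact, status) "
           "VALUES ('%s', '%d', '%d')" % (title, contact, status))
    try:
        db.execute(sql)
        return None
    except sqlite3.OperationalError as e:
        return str(e)

def addslashes(s):
    """PHP-style addslashes(): backslash-escape quotes and backslashes."""
    return s.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')

def insert_escaped_and_bound(db, title, contact=132, status=1):
    """Escaping and then binding protects twice: the backslash is stored
    as data, which is the stray slash reported in the email subject."""
    cur = db.execute("INSERT INTO incidents (title, contact, status) VALUES (?, ?, ?)",
                     (addslashes(title), contact, status))
    return cur.lastrowid

def insert_bound(db, title, contact=132, status=1):
    """Parameterised insert: the driver keeps the data out of the SQL text,
    so no escaping (and no later stripslashes()) is needed."""
    cur = db.execute("INSERT INTO incidents (title, contact, status) VALUES (?, ?, ?)",
                     (title, contact, status))
    return cur.lastrowid

def stored_title(db, rowid):
    """Read the title back exactly as the database holds it."""
    return db.execute("SELECT title FROM incidents WHERE id = ?", (rowid,)).fetchone()[0]
```

With MySQL the equivalent of the third function is a prepared statement; mysql_real_escape_string() or clean_var() belong to the second style and must not be combined with binding, or the escaping becomes part of the stored data.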
(0004665) paulh 2013-02-03 15:21
Can reproduce this in the auto_create_tags plugin
(0004692) paulh 2013-02-04 20:33
r7565 merges this patch, thanks for your assistance.