Details
- Bug
- Resolution: Fixed
- Major
- 1.0 B4
- None
- Windows XP, Firefox 1.0.4
Description
Entering a value with an apostrophe in it crashes the search screen. For example, do a search for "Paul's Test" and you'll get this error:
Error number 4001 in 4: Error while parsing velocity page Main.WebSearch Wrapped Exception: Invocation of method 'searchDocuments' in class com.xpn.xwiki.api.XWiki threw exception class com.xpn.xwiki.XWikiException : Error number 3223 in 3: Exception while searching documents with sql where doc.web like '%Paul's Test%' or doc.name like '%Paul's Test%' or doc.content like '%Paul's Test%' order by doc.date desc Wrapped Exception: unexpected char: '%' select distinct doc.web, doc.name, doc.date from com.xpn.xwiki.doc.XWikiDocument as doc where doc.web like '%Paul's Test%' or doc.name like '%Paul's Test%' or doc.content like '%Paul's Test%' order by doc.date desc?
The input values should have apostrophes escaped to double apostrophes (so the query would read " ... or doc.name like '%Paul''s Test%' ... "). Otherwise an attacker could send a SQL fragment in the input; there is potential for a destructive update there.
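The failure and the proposed fix can be reproduced outside XWiki. The following is an added example, not XWiki's code: it assumes an in-memory SQLite table standing in for the Hibernate-backed document store, with constructed rows and column names taken from the query in the error message, and it also shows bound parameters as an alternative to manual escaping.

```python
import sqlite3

COLUMNS = ("web", "name", "content")  # the three fields the failing query searches

def make_db():
    # Constructed sample data; the real store is XWiki's database, not SQLite.
    db = sqlite3.connect(":memory:")
    db.execute("create table doc (web text, name text, content text, date text)")
    db.executemany("insert into doc values (?, ?, ?, ?)", [
        ("Main", "PaulsPage", "Notes for Paul's Test run", "2005-06-02"),
        ("Main", "WebHome", "Welcome to the wiki", "2005-06-01"),
    ])
    return db

def search_concat(db, text):
    """Reported behaviour: the raw input is pasted into the SQL string."""
    where = " or ".join(f"doc.{c} like '%{text}%'" for c in COLUMNS)
    sql = ("select distinct doc.web, doc.name, doc.date from doc "
           f"where {where} order by doc.date desc")
    return db.execute(sql).fetchall()

def search_escaped(db, text):
    """Fix proposed in the report: double every apostrophe before concatenating."""
    return search_concat(db, text.replace("'", "''"))

def search_bound(db, text):
    """Alternative: bind the value so the parser never sees it as SQL text."""
    where = " or ".join(f"doc.{c} like ?" for c in COLUMNS)
    sql = ("select distinct doc.web, doc.name, doc.date from doc "
           f"where {where} order by doc.date desc")
    return db.execute(sql, [f"%{text}%"] * len(COLUMNS)).fetchall()

def demo():
    db = make_db()
    try:
        search_concat(db, "Paul's Test")
        concat_result = "no error"
    except sqlite3.OperationalError as exc:
        # The apostrophe ends the string literal early, so the rest fails to parse.
        concat_result = f"syntax error: {exc}"
    return (concat_result,
            search_escaped(db, "Paul's Test"),
            search_bound(db, "Paul's Test"))

if __name__ == "__main__":
    for part in demo():
        print(part)
```

Neither variant neutralises the `%` and `_` wildcards that `like` itself interprets; that is a separate matching concern from the quoting bug reported here.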