206990 – "My bugs" query doesn't work when the user name has a plus ('+') sign.

Bug 206990 - "My bugs" query doesn't work when the user name has a plus ('+') sign.

Summary: "My bugs" query doesn't work when the user name has a plus ('+') sign.

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	Bugzilla
Classification:	Community
Component:	Bugzilla General
Sub Component:
Version:	2.18
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Bernd Groh
QA Contact:	David Lawrence
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2006-09-18 17:07 UTC by Håvard Wigtil
Modified:	2014-06-18 08:21 UTC (History)
CC List:	1 user (show)
Fixed In Version:	2.18
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2006-09-18 19:18:16 UTC
Embargoed:

Attachments	(Terms of Use)

Description Håvard Wigtil 2006-09-18 17:07:37 UTC

The user name in the "My bugs" query isn't escaped, so with my user name
(havardw+bugzilla) I get the message "no user havardw bugzilla"
(note the space in the user name!) when I run the query.

The + is not escaped in the URL, it reads
https://bugzilla.redhat.com/bugzilla/buglist.cgi?bug_status=NEW&bug_status=VERIFIED&bug_status=ASSIGNED&bug_status=REOPENED&bug_status=NEEDINFO&bug_status=MODIFIED&bug_status=ON_DEV&bug_status=QA_READY&bug_status=ON_QA&bug_status=FAILS_QA&bug_status=NEEDINFO_REPORTER&bug_status=RELEASE_PENDING&bug_status=POST&email1=havardw+bugzilla%40pvv.org&emailtype1=exact&emailassigned_to1=1&emailreporter1=1&emailcc1=1
when it should be 
https://bugzilla.redhat.com/bugzilla/buglist.cgi?bug_status=NEW&bug_status=VERIFIED&bug_status=ASSIGNED&bug_status=REOPENED&bug_status=NEEDINFO&bug_status=MODIFIED&bug_status=ON_DEV&bug_status=QA_READY&bug_status=ON_QA&bug_status=FAILS_QA&bug_status=NEEDINFO_REPORTER&bug_status=RELEASE_PENDING&bug_status=POST&email1=havardw%2bbugzilla%40pvv.org&emailtype1=exact&emailassigned_to1=1&emailreporter1=1&emailcc1=1

Mozilla Bugzilla (version 2.20+) does not have this problem. See bug 164938 for
a related bug.

Comment 1 David Lawrence 2006-09-18 19:18:16 UTC

Problem is that the username is filtered in the template through the url_quote()
subroutine before being inserted in the URL. The code looks like this for
upstream Bugzilla's CVS tip:

sub url_decode {
    my ($todecode) = (@_);
    $todecode =~ tr/+/ /;       # pluses become spaces
    $todecode =~ s/%([0-9a-fA-F]{2})/pack("c",hex($1))/ge;
    return $todecode;
}

So I find it difficult to believe that this problem does not also occur on
version 2.20+. Our version of url_quote() is different since we are using an
older version (2.18) and plus I think RH has made some of it's own changes.

# This orignally came from CGI.pm, by Lincoln D. Stein
sub url_quote {
    my ($toencode) = (@_);
    $toencode =~ s/([^a-zA-Z0-9_\-.%;&?\/\\:\+=~-])/uc sprintf("%%%02x",ord($1))/eg;
    return $toencode;
}

I am going to remove our exclusion of the + symbol and see what negative side
effects occur if any. It may have been put there for a reason some time ago but
I am not aware of why. Please reopn if this does not fix for you.

Dave

Comment 2 Håvard Wigtil 2006-09-19 07:19:47 UTC

Works for me now, thank you for the fix.

Note You need to log in before you can comment on or make changes to this bug.