[mantis] Fix broken patch
Gianluca Sforna
giallu at fedoraproject.org
Fri Mar 22 14:50:40 UTC 2013
commit 4198d2111b81e0866dc42f5c81f705cb3ea96151
Author: Gianluca Sforna <giallu at gmail.com>
Date: Fri Mar 22 15:50:20 2013 +0100
Fix broken patch
mantis-1.2.14-fix-CVE-2013-1883.patch | 67 ++++++++++++++------------------
mantis.spec | 2 +-
2 files changed, 30 insertions(+), 39 deletions(-)
---
diff --git a/mantis-1.2.14-fix-CVE-2013-1883.patch b/mantis-1.2.14-fix-CVE-2013-1883.patch
index c380cee..12e0d91 100644
--- a/mantis-1.2.14-fix-CVE-2013-1883.patch
+++ b/mantis-1.2.14-fix-CVE-2013-1883.patch
@@ -1,47 +1,38 @@
+commit d16988c3ca232a751c91702eb0331f929f56858c
+Author: Damien Regad <damien.regad at merckgroup.com>
+Date: Mon Mar 18 23:36:28 2013 +0100
+
+ Fix filter api issue with 'any condition' and text search
+
+ A filter combining some criteria and a text search with 'any condition'
+ results in a cartesian product, which has the potential to bring down
+ the site as the RDBMS eats up all available resources.
+
+ The root cause of this behavior is joining the bug_text table with a
+ from clause and setting the join's criteria in the query's where clause,
+ without taking consideration the operator's precedence (AND/OR).
+
+ This commit resolves the problem by using a JOIN clause instead, which
+ makes the query cleaner.
+
+ Fixes #15573
+
diff --git a/core/filter_api.php b/core/filter_api.php
-index a52598c..68911e9 100644
+index 55edd46..a52598c 100644
--- a/core/filter_api.php
+++ b/core/filter_api.php
-@@ -1092,7 +1092,6 @@ function filter_get_bug_rows( &$p_page_number, &$p_per_page, &$p_page_count, &$p
+@@ -1995,11 +1995,10 @@ function filter_get_bug_rows( &$p_page_number, &$p_per_page, &$p_page_count, &$p
- $t_project_where_clauses = array(
- "$t_project_table.enabled = " . db_param(),
-- "$t_project_table.id = $t_bug_table.project_id",
- );
- $t_where_params = array(
- 1,
-@@ -1101,8 +1100,13 @@ function filter_get_bug_rows( &$p_page_number, &$p_per_page, &$p_page_count, &$p
- "$t_bug_table.*",
- );
-
-- $t_join_clauses = array();
-- $t_from_clauses = array();
-+ $t_from_clauses = array(
-+ $t_bug_table,
-+ );
-+
-+ $t_join_clauses = array(
-+ "JOIN $t_project_table ON $t_project_table.id = $t_bug_table.project_id",
-+ );
-
- // normalize the project filtering into an array $t_project_ids
- if( 'simple' == $t_view_type ) {
-@@ -1997,7 +2001,7 @@ function filter_get_bug_rows( &$p_page_number, &$p_per_page, &$p_page_count, &$p
+ # add text query elements to arrays
if ( !$t_first ) {
- $t_join_clauses[] = "JOIN $t_bug_text_table ON $t_bug_table.bug_text_id = $t_bug_text_table.id";
- $t_join_clauses[] = "LEFT JOIN $t_bugnote_table ON $t_bug_table.id = $t_bugnote_table.bug_id";
-- $t_join_clauses[] = "LEFT JOIN $t_bugnote_text_table ON $t_bugnote_table.bugnote_text_id = $t_bugnote_text_table.id";
-+ $t_join_clauses[] = "JOIN $t_bugnote_text_table ON $t_bugnote_table.bugnote_text_id = $t_bugnote_text_table.id";
+- $t_from_clauses[] = "$t_bug_text_table";
+- $t_where_clauses[] = "$t_bug_table.bug_text_id = $t_bug_text_table.id";
++ $t_join_clauses[] = "JOIN $t_bug_text_table ON $t_bug_table.bug_text_id = $t_bug_text_table.id";
++ $t_join_clauses[] = "LEFT JOIN $t_bugnote_table ON $t_bug_table.id = $t_bugnote_table.bug_id";
++ $t_join_clauses[] = "LEFT JOIN $t_bugnote_text_table ON $t_bugnote_table.bugnote_text_id = $t_bugnote_text_table.id";
$t_where_clauses[] = $t_textsearch_where_clause;
+- $t_join_clauses[] = " LEFT JOIN $t_bugnote_table ON $t_bug_table.id = $t_bugnote_table.bug_id";
+- $t_join_clauses[] = " LEFT JOIN $t_bugnote_text_table ON $t_bugnote_table.bugnote_text_id = $t_bugnote_text_table.id";
}
}
-@@ -2012,9 +2016,6 @@ function filter_get_bug_rows( &$p_page_number, &$p_per_page, &$p_page_count, &$p
-
- log_event(LOG_FILTERING, 'Join operator : ' . $t_join_operator);
-- $t_from_clauses[] = $t_project_table;
-- $t_from_clauses[] = $t_bug_table;
--
- $t_query_clauses['select'] = $t_select_clauses;
- $t_query_clauses['from'] = $t_from_clauses;
- $t_query_clauses['join'] = $t_join_clauses;
diff --git a/mantis.spec b/mantis.spec
index c92b07e..513f9bf 100644
--- a/mantis.spec
+++ b/mantis.spec
@@ -70,7 +70,7 @@ This package contains configuration-files for Apache httpd 2.
%patch2 -p1
%patch3 -p1
%patch4 -p1
-%patch5 -p0
+%patch5 -p1
cp %{SOURCE1} ./doc/README.Fedora
rm -rf packages docbook tests
More information about the scm-commits
mailing list