View Issue Details

ID: 0001568
Project: SOGo
Category: Web Address Book
View Status: public
Last Update: 2016-12-09 15:47
Reporter: mra
Assigned To: ludovic
Priority: normal
Severity: major
Reproducibility: always
Status: resolved
Resolution: fixed
Product Version: 1.3.11
Fixed in Version: 3.2.5
Summary: 0001568: Retrieving data from addressbook with '%'
Description

When searching for an entry with the search field using '*', this gives no hits. After trying '%', I got all entries.

The address book is stored in a MySQL database ...

Tags: No tags attached.

Activities

Christian Mack
2012-01-05 13:26
developer   ~0003257

And what is your problem?

Just use '.' to find everything, which isn't related to your backend.

mra
2012-01-05 14:11
reporter   ~0003258

  • '%' isn't a commonly known wildcard for searching for addresses, but '*' is (user-centric view).
  • '%' is a SQL wildcard, which makes me hope for a SQL injection security hole ;-) (security-tester-centric view)

What do you mean by using "."?

Christian Mack
2012-01-09 08:54
developer   ~0003262
Last edited: 2012-01-09 08:57

Sorry, I didn't understand your request properly last time.
I thought you wanted to get all entries in the address book, but you wanted all matching entries for a wildcard pattern.

What I suggested above was to go to the address book in question and type a single '.' character into the search field.
You will get a list sorted by "Name" of all available addresses in this address book.
It's not what you want to do.

(Also, for global address books from LDAP the maximum number of addresses listed is limited via SOGoLDAPQueryLimit.)

The '%' character isn't working for global address books in LDAP, but only for address books in either MySQL or PostgreSQL.
In LDAP you have to use '*' as a wildcard.
So you have to use different search patterns depending on the backend.

That's definitely not user friendly.

mra
2012-01-09 09:14
reporter   ~0003263

:) Ok, my English is not really perfect ...

> You will get a list sorted by "Name"

No, I didn't want any sorted list ... ;-)

And typing in a '.' shows the same list as '%'.

> So you have to use different search patterns depending on the backend.
> That's definitely not user friendly.

That's what I mean - the user is not interested in the differences between LDAP and SQL.

Summarized, in my opinion there are two problems:

  • first, higher prio, a possible security hole by using '%' in a database-driven address book (SQL injection) (should be filtered, only '*' allowed in SQL address books)

  • second, lower prio, the user "experience" when trying an asterisk, which gives no results. All people at our company tried '*' at first, and when I told them about the percent '%' they looked a little bit astonished ("Ehm, why this?? I thought I can use a '*'??")

Maybe I produce only noise, I apologise ...
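One way to handle both points raised in the thread (only '*' is honoured as the user's wildcard, and the backend's own metacharacters are neutralised regardless of whether the store is SQL or LDAP), as an added example that is not SOGo's code: the user string is translated per backend, '%' and '_' are escaped for the SQL LIKE pattern and the pattern is bound as a parameter, while '*' is passed through as the native LDAP wildcard. The contacts table and its rows are constructed here for the demo.

```python
import sqlite3

ESCAPE_CHAR = "\\"  # character used in the LIKE ... ESCAPE clause


def to_sql_like(user_pattern: str) -> str:
    """Translate a user search string into a LIKE pattern.

    '*' becomes the SQL wildcard '%'; '%', '_' and the escape character
    are escaped so the user can only ever match them literally.
    """
    out = []
    for ch in user_pattern:
        if ch == "*":
            out.append("%")
        elif ch in ("%", "_", ESCAPE_CHAR):
            out.append(ESCAPE_CHAR + ch)
        else:
            out.append(ch)
    return "".join(out)


def to_ldap_filter_value(user_pattern: str) -> str:
    """Translate the same user string into an LDAP assertion value.

    '*' is already the native wildcard and is kept; the other RFC 4515
    special characters are hex-escaped so they cannot alter the filter.
    """
    out = []
    for ch in user_pattern:
        if ch in "()\\\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def search_contacts(conn: sqlite3.Connection, user_pattern: str) -> list:
    """Run the search with the pattern bound as a parameter, never spliced into SQL."""
    sql = "SELECT name FROM contacts WHERE name LIKE ? ESCAPE '\\' ORDER BY name"
    return [row[0] for row in conn.execute(sql, (to_sql_like(user_pattern),))]


def demo_connection() -> sqlite3.Connection:
    """Constructed sample address book (not real data) for trying the search."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE contacts (name TEXT)")
    conn.executemany("INSERT INTO contacts VALUES (?)",
                     [("Alice",), ("Bob",), ("100% Pure",), ("a_b",)])
    return conn
```

With this in place a bare '%' no longer lists the whole address book, while '*' works the same way against both backends.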

ludovic
2016-12-09 15:47
administrator   ~0010977

340ddf0ae6cf6a7aeb16d7b77f237bee7bff16a3 contains other safe measures. Closing for now since after an audit of the code, things seem clean.

Issue History

Date Modified Username Field Change
2012-01-04 08:37 mra New Issue
2012-01-05 13:26 Christian Mack Note Added: 0003257
2012-01-05 14:11 mra Note Added: 0003258
2012-01-09 08:54 Christian Mack Note Added: 0003262
2012-01-09 08:57 Christian Mack Note Edited: 0003262
2012-01-09 09:14 mra Note Added: 0003263
2012-01-09 13:38 ludovic Status new => assigned
2012-01-09 13:38 ludovic Assigned To => ludovic
2016-12-09 15:47 ludovic Note Added: 0010977
2016-12-09 15:47 ludovic Status assigned => resolved
2016-12-09 15:47 ludovic Resolution open => fixed
2016-12-09 15:47 ludovic Fixed in Version => 3.2.5