in search and filters: escape user entered subview name

Bug #567172 reported by André Ventura on 2010-04-20
Affects / Importance / Assigned to:
synaptic (Ubuntu): Medium, Jean-Baptiste Lallement
Lucid: Medium, Unassigned

Bug Description

A user can enter arbitrary HTML (limited only by what the TreeModel accepts) in subview names when adding a subview.
Affected subviews are 'standard search' and 'custom filters'.

Ubuntu Lucid
synaptic 0.63.1ubuntu6

When using a '<' character in a search keyword, a new "All" entry appears in the left column.

TEST CASE:
1. open synaptic in lucid
2. press ctrl-f (or click on the search button in the toolbar)
3. type "<xx" (without the quotes, but with the <)
4. verify that in the "Search Results" pane on the left no "<" is displayed

5. install synaptic from lucid-proposed
6. repeat steps 2 and 3
7. verify that this time there is an entry with "<xx"


Jean-Baptiste Lallement (jibel) wrote :

Thanks for your report.

Could you please describe the detailed steps to reproduce this issue? Thanks.

Changed in synaptic (Ubuntu):
status: New → Incomplete
André Ventura (afv) wrote :

Open synaptic, click Search, write a keyword with a '<' character and search for it. In the left column one more "All" filter will appear.

Jean-Baptiste Lallement (jibel) wrote :

I was trying the quicksearch. I can reproduce. The '<' is interpreted as the start of an HTML tag.
Setting to triage/low.

Changed in synaptic (Ubuntu):
importance: Undecided → Low
status: Incomplete → Triaged
summary: - Wrong behavior when using '<' character in search keywords
+ in search and filters: escape user entered subview name
Changed in synaptic (Ubuntu):
assignee: nobody → Jean-Baptiste Lallement (jibel)
status: Triaged → In Progress
importance: Low → Medium
description: updated
Jean-Baptiste Lallement (jibel) wrote :

Committed to my branch r1767.

Changed in synaptic (Ubuntu):
status: In Progress → Fix Committed
Michael Vogt (mvo) on 2010-05-04
description: updated
Changed in synaptic (Ubuntu Lucid):
importance: Undecided → Medium
milestone: none → lucid-updates
status: New → Confirmed

Accepted synaptic into lucid-proposed, the package will build now and be available in a few hours. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Thank you in advance!

Changed in synaptic (Ubuntu Lucid):
status: Confirmed → Fix Committed
tags: added: verification-needed
Fabio Marconi (fabiomarconi) wrote :

Synaptic 0.63.1ubuntu7 from -proposed
Verified: OK

André Ventura (afv) wrote :

Fixed in 0.63.1ubuntu7. Thank you.

Michael Vogt (mvo) wrote :

Two positive reports, setting to verification-done. Many thanks for the testing!

tags: added: verification-done
removed: verification-needed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package synaptic - 0.63.1ubuntu7

---------------
synaptic (0.63.1ubuntu7) lucid-proposed; urgency=low

  [ Michael Vogt ]
  * common/rpackageview.cc:
    - silence debug output (thanks to Bob Huffman)

  [ Jean-Baptiste Lallement ]
  * gtk/rgmainwindow.cc, gtk/rgutils.{cc,h}:
    - un/escape markup when getting/setting subviews name to avoid markup
      insertion in GtkTree items (LP: #567172)
  * gtk/rgmainwindow.cc:
    - fix force version. regression over beta2 (LP: #568925)
  * gtk/rgmainwindow.cc:
    - fix double-click doesn't unmark a previously marked for install/upgrade
      package. regression over beta2 (LP: #566779)
 -- Michael Vogt <email address hidden> Tue, 04 May 2010 17:10:50 +0200

Changed in synaptic (Ubuntu Lucid):
status: Fix Committed → Fix Released
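The changelog above says the fix escapes the subview name before it is stored in the GtkTree model and unescapes it when read back. The following is an added, self-contained C illustration of that escape/unescape pair, not synaptic's own code (which, as an assumption, would use GLib's g_markup_escape_text() rather than a hand-rolled routine); the entity table covers the five characters that markup treats specially.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Escape the characters GTK/Pango markup treats specially, so a user-entered
   subview name such as "<xx" is shown literally in the GtkTreeView instead of
   being parsed as the start of a tag. Stand-alone re-implementation for
   illustration (GTK code would call g_markup_escape_text()); caller frees. */
char *markup_escape(const char *s) {
    char *out = malloc(strlen(s) * 6 + 1); /* worst case: all "&quot;" */
    char *p = out;
    if (!out) return NULL;
    for (; *s; s++) {
        switch (*s) {
        case '<':  p += sprintf(p, "&lt;");   break;
        case '>':  p += sprintf(p, "&gt;");   break;
        case '&':  p += sprintf(p, "&amp;");  break;
        case '"':  p += sprintf(p, "&quot;"); break;
        case '\'': p += sprintf(p, "&apos;"); break;
        default:   *p++ = *s;
        }
    }
    *p = '\0';
    return out;
}

/* Reverse of markup_escape(): recover the original text when the name is read
   back out of the tree model, so search/filter logic sees what the user typed. */
char *markup_unescape(const char *s) {
    static const struct { const char *ent; char ch; } tab[] = {
        {"&lt;", '<'}, {"&gt;", '>'}, {"&amp;", '&'}, {"&quot;", '"'}, {"&apos;", '\''}
    };
    size_t n = sizeof tab / sizeof tab[0], i;
    char *out = malloc(strlen(s) + 1), *p = out;
    if (!out) return NULL;
    while (*s) {
        for (i = 0; i < n; i++) {
            size_t l = strlen(tab[i].ent);
            if (strncmp(s, tab[i].ent, l) == 0) { *p++ = tab[i].ch; s += l; break; }
        }
        if (i == n) *p++ = *s++; /* not an entity: copy the byte through */
    }
    *p = '\0';
    return out;
}

int main(void) {
    char *e = markup_escape("<xx"), *u = markup_unescape(e);
    printf("stored in model: %s  shown/searched: %s\n", e, u);
    free(e); free(u); return 0;
}
```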
Martin Pitt (pitti) wrote :

Copied to maverick.

Changed in synaptic (Ubuntu):
status: Fix Committed → Fix Released