0001568: Retrieving data from addressbook with '%' - SOGo | BTS

ID	Project	Category	View Status	Date Submitted	Last Update

0001568	SOGo	Web Address Book	public	2012-01-04 08:37	2016-12-09 15:47

Reporter	mra	Assigned To	ludovic
Priority	normal	Severity	major	Reproducibility	always
Status	resolved	Resolution	fixed
Product Version	1.3.11
Fixed in Version	3.2.5

Summary	0001568: Retrieving data from addressbook with '%'
Description	When searching an entry with the searchfield with *, this gives no hits. After trying '%' I got all entries. The addressbook is stored in a mysql database ...
Tags	No tags attached.

Christian Mack 2012-01-05 13:26 developer ~0003257	And what is your problem? Just use . to find everything, which isn't related to your backend.

mra 2012-01-05 14:11 reporter ~0003258	'%' isn't a common known joker for searching for addresses, but '*' is (User centric sight). '%' is a SQL-Joker, which makes me hope for a SQL-Injection security hole ;-) (Security tester centric sight) What do you mean by using "."?

Christian Mack 2012-01-09 08:54 developer ~0003262 Last edited: 2012-01-09 08:57	Sorry, didn't understand your request properly last time. I thought you wanted to get all entries in the address book, but you wanted all matching entries for a wildcard pattern. What I suggested above was to go to the address book in question and type a single "." character into the search field. You will get a list sorted by "Name" of all available addresses in this address book. It's not what you want to do. (Also for global address books from LDAP the maximum amount of addresses listed is limited via SOGoLDAPQueryLimit.) The '%' character isn't working for global address books in LDAP, but only for address books in either mysql or postgesql. In LDAP you have to use '*' as a wildcard. So you have to use different search patterns depending on the backend. That's definitely not user friendly.

mra 2012-01-09 09:14 reporter ~0003263	:) Ok, my english is not really perfect ... You will get a list sorted by "Name" No, I didn't want any sorted list ... ;-) And typing in a '.' shows the same list like '%'. So you have to use different search patterns depending on the backend. That's definitely not user friendly. Thats what I mean - the user is not interested in the differences between LDAP and SQL. Summerized, in my opinion there are two problems: first, higher prio, a possible security hole by using '%' in a database driven address book (SQL Injection) (Should be filtered, only '' allowed in SQL addressbooks) second, lower prio, the user "experience" by trying an asterisk, which gives no results. All people at our company tried '' at first, an when I told them about the percent '%' they looked a little bit astonished ("Ehm, why this?? I thought, i can use a '*'??") Maybe I produce only noise, I apologise ...

ludovic 2016-12-09 15:47 administrator ~0010977	340ddf0ae6cf6a7aeb16d7b77f237bee7bff16a3 contains other safe measures. Closing for now since after an audit of the code, things seem clean.

Date Modified	Username	Field	Change
2012-01-04 08:37	mra	New Issue
2012-01-05 13:26	Christian Mack	Note Added: 0003257
2012-01-05 14:11	mra	Note Added: 0003258
2012-01-09 08:54	Christian Mack	Note Added: 0003262
2012-01-09 08:57	Christian Mack	Note Edited: 0003262
2012-01-09 09:14	mra	Note Added: 0003263
2012-01-09 13:38	ludovic	Status	new => assigned
2012-01-09 13:38	ludovic	Assigned To	=> ludovic
2016-12-09 15:47	ludovic	Note Added: 0010977
2016-12-09 15:47	ludovic	Status	assigned => resolved
2016-12-09 15:47	ludovic	Resolution	open => fixed
2016-12-09 15:47	ludovic	Fixed in Version	=> 3.2.5