Invalid characters crash search

Accensus
Posts: 2383
Joined: Thu Feb 11, 2016 9:59 am

Invalid characters crash search

Post by Accensus »

Image

I don't know what more info I could give.
ZzZombo
Posts: 315
Joined: Mon Jul 16, 2012 2:02 am

Re: Invalid characters crash search

Post by ZzZombo »

Is that a SQL injection attack possibility, I wonder?
yum13241
Posts: 779
Joined: Mon May 10, 2021 8:08 pm
Preferred Pronouns: He/Him
Operating System Version (Optional): EndeavorOS (basically Arch)
Graphics Processor: Intel with Vulkan/Metal Support

Re: Invalid characters crash search

Post by yum13241 »

DROP TABLE anyone?

Shouldn't database input sanitation be a bit more widespread?

Image

You can always count on XKCD.


Also, quoting strings with single quotes is atrocious. Just hold SHIFT already, it's not that hard.
wildweasel
Posts: 21706
Joined: Tue Jul 15, 2003 7:33 pm
Preferred Pronouns: He/Him
Operating System Version (Optional): A lot of them
Graphics Processor: Not Listed

Re: Invalid characters crash search

Post by wildweasel »

What kind of invalid characters are you trying to use?
Xeotroid
Posts: 436
Joined: Sat Jun 23, 2012 7:44 am
Graphics Processor: nVidia with Vulkan support
Location: Czech Rep.

Re: Invalid characters crash search

Post by Xeotroid »

Just searching for "(test", sans quotes, causes an error.
Graf Zahl
Lead GZDoom+Raze Developer
Posts: 49053
Joined: Sat Jul 19, 2003 10:19 am
Location: Germany

Re: Invalid characters crash search

Post by Graf Zahl »

PhpBB's search is totally broken anyway with its non-configurable word substitution and rejection of short words. I'm not really surprised that it chokes on some input.
ZzZombo
Posts: 315
Joined: Mon Jul 16, 2012 2:02 am

Re: Invalid characters crash search

Post by ZzZombo »

After my testing I conclude it doesn't seem to be a real vulnerability, although to be really sure an actual infosec professional should be asked. It appears that user input at the point of crash is used as https://www.postgresql.org/docs/current ... PE-TSQUERY rather than a plain string that could cause harm.
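
Added example, not part of the post above and not the forum's own code: a PostgreSQL script showing why a term like `(test` can abort a full-text search without being SQL injection, and how the tolerant parsers handle the same input. It assumes the search backend builds its query with `to_tsquery()`, which the thread does not show; the `posts` table and the `forum_search` statement name are hypothetical.

```sql
-- Constructed sample data standing in for forum posts (hypothetical table).
CREATE TEMP TABLE posts (post_id int, body text);
INSERT INTO posts VALUES
  (1, 'this is a (test post'),
  (2, 'unrelated text');

-- to_tsquery() parses its argument as tsquery syntax (operators & | ! <->
-- and parentheses). The unbalanced "(" in the reported search term is a
-- parse error, which aborts the statement. The value is still only data
-- handed to the tsquery parser; it is never executed as SQL.
-- The DO block catches the error so the rest of the script keeps running.
DO $$
BEGIN
  PERFORM to_tsquery('simple', '(test');
EXCEPTION WHEN OTHERS THEN
  RAISE NOTICE 'to_tsquery rejected the input: %', SQLERRM;
END
$$;

-- plainto_tsquery() treats the argument as plain text: punctuation is
-- dropped and the remaining words are ANDed, so the same term parses.
SELECT plainto_tsquery('simple', '(test');

-- websearch_to_tsquery() (PostgreSQL 11 and later) accepts search-engine
-- style input and is designed not to raise syntax errors on raw user text.
SELECT websearch_to_tsquery('simple', '(test');

-- Application side: pass the term as a bind parameter and parse it with a
-- tolerant function. The bind parameter keeps the term out of the SQL text;
-- the tolerant parser keeps odd characters from turning into a failed query.
PREPARE forum_search(text) AS
  SELECT post_id
  FROM posts
  WHERE to_tsvector('simple', body) @@ websearch_to_tsquery('simple', $1);

EXECUTE forum_search('(test');
```

If `to_tsquery()` has to stay because users need the operator syntax, catch the parse error in the application and return a "no results / invalid query" page instead of surfacing the database error.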
Professor Hastig
Posts: 225
Joined: Mon Jan 09, 2023 2:02 am
Graphics Processor: nVidia (Modern GZDoom)

Re: Invalid characters crash search

Post by Professor Hastig »

Do I understand the linked page correctly that this is the mostly non-functioning word substitution thing Graf was talking about which often makes forum search such a major pain in the ass?