Description: Double and single quotes in field names for Base are neither removed nor sanitised - they give generic fail messages, where it is clear from the fail message that the quotes are preserved incorrectly. I would class this is as a severe SEVERE error. Steps to Reproduce: 1. Put a single or double quote into a field name in Base (only one so it fails) 2. Try to save the table 3. Look at the quotes in the resulting error message 4. (Reason for putting only one - if more than one, it may succeed incorrectly and do Very Bad Things) Actual Results: Fail at best, incorrect table creation at medium, and significant security hole at worst, depending on backend implementation Expected Results: Input sanitisation or quotification Reproducible: Always User Profile Reset: No Additional Info: This should be considered an extremely serious bug, as depending on backend implementation, it could be exploited to leak info or worse.
Created attachment 145374 [details] capture from fail capture from fail. look at how the quoting is incorrect. (the font issues are a separate bug that i already filed.)
@Elfling : 1) I'm guessing that error message relates to an embedded hsqldb database ? Please confirm / deny. 2) Is this problem apparent in earlier versions of LibreOffice Base ? WIth LO Version: 6.1.2.1 Build ID: 65905a128db06ba48db947242809d14d3f9a93fe Threads CPU : 4; OS : Mac OS X 10.13.6; UI Render : par défaut; Locale : fr-FR (fr_FR.UTF-8); Calc: group threaded I can't reproduce this, a field name containing a single quote mark in the string of characters allows the table to be saved.
Created attachment 145406 [details] Screenshot showing field name containing "'" character See for example the enclosed screenshot where the steps to reproduce in the bug post don't cause an issue
Possibly a Windows only bug ?
Try with a single double quote - like i said, i depends on the backend interface.
If it depends on the backend, then the title and description on how to reproduce need to be adapted accordingly.
Testing with embedded firebird ODB file : I can enter an apostrophe or single quote mark in a field name string and it will be saved. If I attempt to enter a single "double-quote" mark in the field name, and then try to save the table, an error message is displayed: Error code: 1 firebird_sdbc error: *Dynamic SQL Error *SQL error code = -104 *Token unknown - line 1, column 79 *" VARCHAR(100), PRIMARY KEY (" caused by 'isc_dsql_prepare' The table can not be saved in this form. Seems to me that this is working as designed. Irrespective of the discussion on whether people should be using such special characters for naming of their fields in a db, what exactly is the problem ? Seems to me that the problem is one of an ambiguous error message from the db engine (possibly truncated by LO) when the user actually attempts to do something not normally accepted as standard SQL.
Confirming based on test carried out with embedded firebird db
On pc Debian x86-64 with master sources updated today. I noticed this on console: warn:connectivity.firebird:10019:10019:connectivity/source/drivers/firebird/Util.cxx:55: firebird_sdbc error: *Dynamic SQL Error *SQL error code = -104 *Token unknown - line 1, column 53 *" VARCHAR(100), PRIMARY KEY (" caused by 'isc_dsql_prepare' In firebird::StatusVectorToString, a message with a length of 512 is defined so it seems is LO isn't the culprit of the truncation or I missed something.
With hsqldb, the message is more complete but not much clearer: SQL Status: 37000 Error code: -16 Wrong data type: T in statement [CREATE TABLE "Table1" ("id" INTEGER NOT NULL,"tes"t]
So, I would say that this is db engine implementation dependent and most db engines either don't let you use special characters, and as a result throw errors which may or may not be intelligible for the user - not really LO's fault then. I'd be inclined to mark this as NOTOURBUG
> I'd be inclined to mark this as NOTOURBUG @Julien Nabet, what do you think ?
(In reply to Xisco Faulí from comment #12) > > I'd be inclined to mark this as NOTOURBUG > > @Julien Nabet, what do you think ? Following my previous comment, I'd say NOTOURBUG too but let Lionel speak as the Base expert of LO.
Dear elflng.libreoffice, To make sure we're focusing on the bugs that affect our users today, LibreOffice QA is asking bug reporters and confirmers to retest open, confirmed bugs which have not been touched for over a year. There have been thousands of bug fixes and commits since anyone checked on this bug report. During that time, it's possible that the bug has been fixed, or the details of the problem have changed. We'd really appreciate your help in getting confirmation that the bug is still present. If you have time, please do the following: Test to see if the bug is still present with the latest version of LibreOffice from https://www.libreoffice.org/download/ If the bug is present, please leave a comment that includes the information from Help - About LibreOffice. If the bug is NOT present, please set the bug's Status field to RESOLVED-WORKSFORME and leave a comment that includes the information from Help - About LibreOffice. Please DO NOT Update the version field Reply via email (please reply directly on the bug tracker) Set the bug's Status field to RESOLVED - FIXED (this status has a particular meaning that is not appropriate in this case) If you want to do more to help you can test to see if your issue is a REGRESSION. To do so: 1. Download and install oldest version of LibreOffice (usually 3.3 unless your bug pertains to a feature added after 3.3) from http://downloadarchive.documentfoundation.org/libreoffice/old/ 2. Test your bug 3. Leave a comment with your results. 4a. If the bug was present with 3.3 - set version to 'inherited from OOo'; 4b. If the bug was not present in 3.3 - add 'regression' to keyword Feel free to come ask questions or to say hello in our QA chat: https://kiwiirc.com/nextclient/irc.freenode.net/#libreoffice-qa Thank you for helping us make LibreOffice even better for everyone! Warm Regards, QA Team MassPing-UntouchedBug
Dear elflng.libreoffice, To make sure we're focusing on the bugs that affect our users today, LibreOffice QA is asking bug reporters and confirmers to retest open, confirmed bugs which have not been touched for over a year. There have been thousands of bug fixes and commits since anyone checked on this bug report. During that time, it's possible that the bug has been fixed, or the details of the problem have changed. We'd really appreciate your help in getting confirmation that the bug is still present. If you have time, please do the following: Test to see if the bug is still present with the latest version of LibreOffice from https://www.libreoffice.org/download/ If the bug is present, please leave a comment that includes the information from Help - About LibreOffice. If the bug is NOT present, please set the bug's Status field to RESOLVED-WORKSFORME and leave a comment that includes the information from Help - About LibreOffice. Please DO NOT Update the version field Reply via email (please reply directly on the bug tracker) Set the bug's Status field to RESOLVED - FIXED (this status has a particular meaning that is not appropriate in this case) If you want to do more to help you can test to see if your issue is a REGRESSION. To do so: 1. Download and install oldest version of LibreOffice (usually 3.3 unless your bug pertains to a feature added after 3.3) from https://downloadarchive.documentfoundation.org/libreoffice/old/ 2. Test your bug 3. Leave a comment with your results. 4a. If the bug was present with 3.3 - set version to 'inherited from OOo'; 4b. If the bug was not present in 3.3 - add 'regression' to keyword Feel free to come ask questions or to say hello in our QA chat: https://web.libera.chat/?settings=#libreoffice-qa Thank you for helping us make LibreOffice even better for everyone! Warm Regards, QA Team MassPing-UntouchedBug