Bug Hunting Session
Bug 120310 - Ambiguous error message returned when attempting to use certain special characters in field names
Summary: Ambiguous error message returned when attempting to use certain special chara...
Status: NEW
Alias: None
Product: LibreOffice
Classification: Unclassified
Component: Base (show other bugs)
Version:
(earliest affected)
6.0.6.2 release
Hardware: x86-64 (AMD64) All
: medium normal
Assignee: Not Assigned
URL:
Whiteboard:
Keywords:
Depends on:
Blocks: Error-Messages
  Show dependency treegraph
 
Reported: 2018-10-04 12:20 UTC by elflng.libreoffice
Modified: 2018-12-06 16:33 UTC (History)
5 users (show)

See Also:
Crash report or crash signature:


Attachments
capture from fail (39.95 KB, image/png)
2018-10-04 12:21 UTC, elflng.libreoffice
Details
Screenshot showing field name containing "'" character (103.11 KB, image/png)
2018-10-05 09:51 UTC, Alex Thurgood
Details

Note You need to log in before you can comment on or make changes to this bug.
Description elflng.libreoffice 2018-10-04 12:20:11 UTC
Description:
Double and single quotes in field names for Base are neither removed nor sanitised - they give generic fail messages, where it is clear from the fail message that the quotes are preserved incorrectly. I would class this is as a severe SEVERE error.

Steps to Reproduce:
1. Put a single or double quote into a field name in Base (only one so it fails)
2. Try to save the table
3. Look at the quotes in the resulting error message
4. (Reason for putting only one - if more than one, it may succeed incorrectly and do Very Bad Things)

Actual Results:
Fail at best, incorrect table creation at medium, and significant security hole at worst, depending on backend implementation

Expected Results:
Input sanitisation or quotification


Reproducible: Always


User Profile Reset: No



Additional Info:
This should be considered an extremely serious bug, as depending on backend implementation, it could be exploited to leak info or worse.
Comment 1 elflng.libreoffice 2018-10-04 12:21:14 UTC
Created attachment 145374 [details]
capture from fail

capture from fail. look at how the quoting is incorrect. (the font issues are a separate bug that i already filed.)
Comment 2 Alex Thurgood 2018-10-05 09:48:33 UTC
@Elfling : 

1) I'm guessing that error message relates to an embedded hsqldb database ? Please confirm / deny.

2) Is this problem apparent in earlier versions of LibreOffice Base ?

WIth LO Version: 6.1.2.1
Build ID: 65905a128db06ba48db947242809d14d3f9a93fe
Threads CPU : 4; OS : Mac OS X 10.13.6; UI Render : par défaut; 
Locale : fr-FR (fr_FR.UTF-8); Calc: group threaded

I can't reproduce this, a field name containing a single quote mark in the string of characters allows the table to be saved.
Comment 3 Alex Thurgood 2018-10-05 09:51:14 UTC
Created attachment 145406 [details]
Screenshot showing field name containing "'" character

See for example the enclosed screenshot where the steps to reproduce in the bug post don't cause an issue
Comment 4 Alex Thurgood 2018-10-05 09:54:59 UTC
Possibly a Windows only bug ?
Comment 5 elflng.libreoffice 2018-10-05 10:04:35 UTC
Try with a single double quote - like i said, i depends on the backend interface.
Comment 6 Alex Thurgood 2018-10-08 07:06:36 UTC
If it depends on the backend, then the title and description on how to reproduce need to be adapted accordingly.
Comment 7 Alex Thurgood 2018-10-08 07:59:18 UTC
Testing with embedded firebird ODB file :

I can enter an apostrophe or single quote mark in a field name string and it will be saved.

If I attempt to enter a single "double-quote" mark in the field name, and then try to save the table, an error message is displayed:

Error code: 1

firebird_sdbc error:
*Dynamic SQL Error
*SQL error code = -104
*Token unknown - line 1, column 79
*" VARCHAR(100), PRIMARY KEY  ("
caused by
'isc_dsql_prepare'

The table can not be saved in this form.


Seems to me that this is working as designed.

Irrespective of the discussion on whether people should be using such special characters for naming of their fields in a db, what exactly is the problem ?

Seems to me that the problem is one of an ambiguous error message from the db engine (possibly truncated by LO) when the user actually attempts to do something not normally accepted as standard SQL.
Comment 8 Alex Thurgood 2018-10-08 09:49:11 UTC
Confirming based on test carried out with embedded firebird db
Comment 9 Julien Nabet 2018-10-10 20:25:02 UTC
On pc Debian x86-64 with master sources updated today.

I noticed this on console:
warn:connectivity.firebird:10019:10019:connectivity/source/drivers/firebird/Util.cxx:55: firebird_sdbc error:
*Dynamic SQL Error
*SQL error code = -104
*Token unknown - line 1, column 53
*" VARCHAR(100), PRIMARY KEY  ("
caused by
'isc_dsql_prepare'

In firebird::StatusVectorToString, a message with a length of 512 is defined so it seems is LO isn't the culprit of the truncation or I missed something.
Comment 10 Julien Nabet 2018-10-10 20:27:41 UTC
With hsqldb, the message is more complete but not much clearer:
SQL Status: 37000
Error code: -16

Wrong data type: T in statement [CREATE TABLE "Table1" ("id" INTEGER NOT NULL,"tes"t]
Comment 11 Alex Thurgood 2018-10-15 07:34:34 UTC
So, I would say that this is db engine implementation dependent and most db engines either don't let you use special characters, and as a result throw errors which may or may not be intelligible for the user - not really LO's fault then.

I'd be inclined to mark this as NOTOURBUG
Comment 12 Xisco Faulí 2018-10-16 15:54:20 UTC
> I'd be inclined to mark this as NOTOURBUG

@Julien Nabet, what do you think ?
Comment 13 Julien Nabet 2018-10-16 18:47:50 UTC
(In reply to Xisco Faulí from comment #12)
> > I'd be inclined to mark this as NOTOURBUG
> 
> @Julien Nabet, what do you think ?

Following my previous comment, I'd say NOTOURBUG too but let Lionel speak as the Base expert of LO.