f_unaccent single quote fullText tsquery sql injection

Description

f_unaccent converts these other single quotes into the regular single quote:
<code>
'
ŉ
'
‛
′
＇
<code>
This causes sql injection errors in the full text tsquery, see https://folio-org.atlassian.net/browse/BF-163#icft=BF-163 for an example.

CSP Request Details

None

CSP Rejection Details

None

Potential Workaround

None

Linked issues

blocks

UIOR-483

Orders: Can't filter on 'reason for closure'

relates to

RMB-432

fulltext: word splitting and punctuation removal

FOLIO-2402

platform-related features and fixes for mod-inv-stor 18.2.1

Checklist

hide

TestRail: Results

Activity

Show:

Done

Details

Assignee

Julian Ladisch

Reporter

Julian Ladisch

Labels

back-endplatform-backlogq4-2019-bugfixq4-2019-needs-bugfest-retestsecurity

Priority

Story Points

Sprint

None

Development Team

Core: Platform

Fix versions

29.1.3

29.2.0

TestRail: Cases

Open TestRail: Cases

TestRail: Runs

Open TestRail: Runs

Created December 16, 2019 at 1:25 PM

Updated January 3, 2020 at 5:39 PM

Resolved December 18, 2019 at 10:49 AM

Configure

TestRail: Cases

TestRail: Runs

f_unaccent single quote fullText tsquery sql injection

Description

CSP Request Details

CSP Rejection Details

Potential Workaround

Linked issues

blocks

relates to

Checklist

TestRail: Results

Activity

Details

Assignee

Reporter

Labels

Priority

Story Points

Sprint

Development Team

Fix versions

TestRail: Cases

TestRail: Runs

Flag notifications

Something's gone wrong