From 63389330a0372fd52619f6efe7e01db155995ed1 Mon Sep 17 00:00:00 2001
From: pdontthink
Date: Wed, 28 Dec 2011 02:59:31 +0000
Subject: [PATCH] Unify address book searches. See ChangeLog comments. Also, fixed bug wherein file backend wasn't escaping regular expression correctly. File based backend used to search all fields at once, concatenated by spaces, which 'worked', but is misleading and nothing like the other backends.
git-svn-id: https://svn.code.sf.net/p/squirrelmail/code/trunk/squirrelmail@14242 7612ce4b-ef26-0410-bec9-ea0150e637f0
---
 doc/ChangeLog | 3 +++
 functions/abook_database.php | 8 ++++++--
 functions/abook_local_file.php | 13 +++++++------
 3 files changed, 16 insertions(+), 8 deletions(-)
diff --git a/doc/ChangeLog b/doc/ChangeLog
index 40153a50..78a7820a 100644
--- a/doc/ChangeLog
+++ b/doc/ChangeLog
@@ -369,6 +369,9 @@ Version 1.5.2 - SVN
 - Fixed XSS problem with unsanitized style tags in messages. [CVE-2011-2023]
 - Always ensure that the Reply-To header is a full email address in outgoing messages
+ - Unified address book searches somewhat: file-backed address books now
+ search in each field individually; database-backed address books now
+ search in fields other than first/last name (nickname, email)
 Version 1.5.1 (branched on 2006-02-12)
 --------------------------------------
diff --git a/functions/abook_database.php b/functions/abook_database.php
index c1cc0cd6..1d15f9c7 100644
--- a/functions/abook_database.php
+++ b/functions/abook_database.php
@@ -264,8 +264,12 @@ class abook_database extends addressbook_backend {
 $escape = 'ESCAPE \'' . $this->dbh->quoteString('\\') . '\'';
 $query = sprintf("SELECT * FROM %s WHERE owner='%s' AND " .
- "(LOWER(firstname) LIKE '%s' %s OR LOWER(lastname) LIKE '%s' %s)",
- $this->table, $this->owner, $expr, $escape, $expr, $escape);
+ "(LOWER(firstname) LIKE '%s' %s " .
+ "OR LOWER(lastname) LIKE '%s' %s " .
+ "OR LOWER(email) LIKE '%s' %s " .
+ "OR LOWER(nickname) LIKE '%s' %s)",
+ $this->table, $this->owner, $expr, $escape, $expr, $escape,
+ $expr, $escape, $expr, $escape);
 $res = $this->dbh->query($query);
diff --git a/functions/abook_local_file.php b/functions/abook_local_file.php
index 97838dcf..23063d3d 100644
--- a/functions/abook_local_file.php
+++ b/functions/abook_local_file.php
@@ -274,10 +274,9 @@ class abook_local_file extends addressbook_backend {
 if ($expr=='*' && ! $this->listing) return array();
- /* Make regexp from glob'ed expression
- * May want to quote other special characters like (, ), -, [, ], etc. */
- $expr = str_replace('?', '.', $expr);
- $expr = str_replace('*', '.*', $expr);
+ // Make regexp from glob'ed expression
+ $expr = preg_quote($expr);
+ $expr = str_replace(array('\\?', '\\*'), array('.', '.*'), $expr);
 $res = array();
 if(!$this->open()) {
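Review bot: The rewritten `$query` at the `sprintf` call still interpolates `$expr` and `$this->owner` directly into SQL text, so its safety rests on both having gone through `$this->dbh->quoteString()` before this hunk and on `$expr` having its LIKE wildcards escaped to match the `$escape` clause; neither step is visible here and should be confirmed and named on the `$query =` line, e.g. `// $expr and owner must already be quoteString()-escaped; LIKE metacharacters in $expr are backslash-escaped to match $escape`. Repeating the `$expr, $escape` pair four times in the argument list is also easy to get out of step with the placeholders as columns are added; sprintf argnum specifiers let every column reuse the same two arguments. The enclosing method begins and ends outside this hunk.
```php
$query = sprintf("SELECT * FROM %1\$s WHERE owner='%2\$s' AND " .
                 "(LOWER(firstname) LIKE '%3\$s' %4\$s " .
                 "OR LOWER(lastname) LIKE '%3\$s' %4\$s " .
                 "OR LOWER(email) LIKE '%3\$s' %4\$s " .
                 "OR LOWER(nickname) LIKE '%3\$s' %4\$s)",
                 $this->table, $this->owner, $expr, $escape);
```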
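Review bot: `preg_quote($expr)` is called without a delimiter argument, yet the expression is later wrapped as `'/' . $expr . '/i'` (next hunk), and `preg_quote` does not escape `/` unless it is passed as the delimiter, so a `/` in the search text terminates the pattern early; with the `preg_match` call `@`-suppressed, the compile failure is silent and the search simply returns no rows. The one-line fix is `$expr = preg_quote($expr, '/');`. The following `str_replace(array('\\?', '\\*'), array('.', '.*'), $expr)` is correct as written, since `preg_quote` has just turned the glob characters into `\?` and `\*`; a comment such as `// preg_quote() escapes ? and *; restore their glob meaning as regex . and .*` would make that ordering dependency explicit. The enclosing method begins and ends outside this hunk.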
@@ -295,13 +294,15 @@ class abook_local_file extends addressbook_backend {
 $oTemplate->display('footer.tpl');
 die();
 } else {
- $line = join(' ', $row);
 /**
 * TODO: regexp search is supported only in local_file backend.
 * Do we check format of regexp or ignore errors?
 */
 // errors on preg_match call are suppressed in order to prevent display of regexp compilation errors
- if(@preg_match('/' . $expr . '/i', $line)) {
+ if (@preg_match('/' . $expr . '/i', $row[0]) // nickname
+ || @preg_match('/' . $expr . '/i', $row[1]) // firstname
+ || @preg_match('/' . $expr . '/i', $row[2]) // lastname
+ || @preg_match('/' . $expr . '/i', $row[3])) { // email
 array_push($res, array('nickname' => $row[0],
 'name' => $this->fullname($row[1], $row[2]),
 'firstname' => $row[1],
-- 
2.25.1
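Review bot: The new condition repeats the `'/' . $expr . '/i'` literal and an `@` suppression four times, and each `@` now also hides an undefined-offset notice if a row has fewer than four columns (the nickname/firstname/lastname/email layout is assumed from the `$row[0..3]` indexing and is not visible here). Because `preg_match` returns `false` both for a pattern that fails to compile and `0` for no match, the suppressed form cannot tell "bad pattern" from "nothing matched" across the whole search; building the pattern once, iterating the four fields, and checking `preg_last_error()` after the first call would let the suppression go. The loop that yields `$row` and the `array_push` argument continue outside this hunk.
```php
$pattern = '/' . $expr . '/i';
$matched = false;
// columns 0..3 are nickname, firstname, lastname, email
foreach (array_slice($row, 0, 4) as $field) {
    if (@preg_match($pattern, $field)) {
        $matched = true;
        break;
    }
}
if ($matched) {
    // … unchanged: array_push($res, array('nickname' => $row[0], …
```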