Use sanitize_sql_like on search tokens (#35073).

Patch by Jens Krämer.

git-svn-id: http://svn.redmine.org/redmine/trunk@21230 e93f8b46-1217-0410-a6f0-8f06a7374b81

lib/plugins/acts_as_searchable/lib/acts_as_searchable.rb

@@ -155,7 +155,7 @@ module Redmine
           def search_tokens_condition(columns, tokens, all_words)
             token_clauses = columns.map {|column| "(#{search_token_match_statement(column)})"}
             sql = (['(' + token_clauses.join(' OR ') + ')'] * tokens.size).join(all_words ? ' AND ' : ' OR ')
-            [sql, * (tokens.collect {|w| "%#{w}%"} * token_clauses.size).sort]
+            [sql, * (tokens.collect {|w| "%#{ActiveRecord::Base.sanitize_sql_like w}%"} * token_clauses.size).sort]
           end
           private :search_tokens_condition
 

test/unit/search_test.rb

@@ -150,6 +150,30 @@ class SearchTest < ActiveSupport::TestCase
     assert_include issue, r
   end
 
+  def test_search_should_not_allow_like_injection
+    issue = Issue.generate!(:subject => "asdf")
+
+    r = Issue.search_results('as_f')
+    assert_not_include issue, r
+
+    r = Issue.search_results('as%f')
+    assert_not_include issue, r
+  end
+
+  def test_search_should_find_underscore
+    issue = Issue.generate!(:subject => "as_f")
+
+    r = Issue.search_results('as_f')
+    assert_include issue, r
+  end
+
+  def test_search_should_find_percent_sign
+    issue = Issue.generate!(:subject => "as%f")
+
+    r = Issue.search_results('as%f')
+    assert_include issue, r
+  end
+
   def test_search_should_be_case_insensitive_with_accented_characters
     unless sqlite?
       issue1 = Issue.generate!(:subject => "Special chars: ÖÖ")