author | Marius Balteanu <marius.balteanu@zitec.com> | 2021-10-03 19:43:19 +0000 |
---|---|---|
committer | Marius Balteanu <marius.balteanu@zitec.com> | 2021-10-03 19:43:19 +0000 |
commit | 65f31d52cdd612407200f6af9045fa682345fab8 (patch) | |
tree | e6609c75d35e4b2653fa59c36219c94257bc5bc0 /test/unit/search_test.rb | |
parent | 673ec2f2a65541276436b5cf00d133b3f51a4980 (diff) | |
Use sanitize_sql_like on search tokens (#35073).
Patch by Jens Krämer.
git-svn-id: http://svn.redmine.org/redmine/trunk@21230 e93f8b46-1217-0410-a6f0-8f06a7374b81
Diffstat (limited to 'test/unit/search_test.rb')
-rw-r--r-- | test/unit/search_test.rb | 24 |
1 files changed, 24 insertions, 0 deletions
diff --git a/test/unit/search_test.rb b/test/unit/search_test.rb
index 532dff299..ae83ed28a 100644
--- a/test/unit/search_test.rb
+++ b/test/unit/search_test.rb
@@ -150,6 +150,30 @@ class SearchTest < ActiveSupport::TestCase
 assert_include issue, r
 end
 
+ def test_search_should_not_allow_like_injection
+ issue = Issue.generate!(:subject => "asdf")
+
+ r = Issue.search_results('as_f')
+ assert_not_include issue, r
+
+ r = Issue.search_results('as%f')
+ assert_not_include issue, r
+ end
+
+ def test_search_should_find_underscore
+ issue = Issue.generate!(:subject => "as_f")
+
+ r = Issue.search_results('as_f')
+ assert_include issue, r
+ end
+
+ def test_search_should_find_percent_sign
+ issue = Issue.generate!(:subject => "as%f")
+
+ r = Issue.search_results('as%f')
+ assert_include issue, r
+ end
+
 def test_search_should_be_case_insensitive_with_accented_characters
 unless sqlite?
 issue1 = Issue.generate!(:subject => "Special chars: ÖÖ") |
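Review bot: The added tests pin `_` and `%` but leave out the escape character itself: `sanitize_sql_like` also escapes its escape character (a backslash by default), and how a backslash inside a LIKE pattern is treated differs between database backends, so a subject such as `as\f` is the case most likely to regress unnoticed. A fourth test next to `test_search_should_find_percent_sign` would cover it; whether it passes as written depends on the search code, which this page does not show (the diffstat is limited to the test file). A one-line comment above `test_search_should_not_allow_like_injection` would also help, for example `# "_" and "%" are LIKE wildcards and must only match themselves`. The enclosing SearchTest class and the last context method continue outside the hunk.

```ruby
# … unchanged: test_search_should_find_percent_sign …

def test_search_should_find_backslash
  # 'as\\f' in single quotes is the four characters a, s, backslash, f
  issue = Issue.generate!(:subject => 'as\\f')

  r = Issue.search_results('as\\f')
  assert_include issue, r
end
```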