https://bugzilla.novell.com/show_bug.cgi?id=723683

https://bugzilla.novell.com/show_bug.cgi?id=723683#c0

Summary: OBS review comments with control characters break request system
Classification: Internal Novell Products
Product: openSUSE Build Service
Version: 2.1
Platform: Other
OS/Version: openSUSE 11.4
Status: NEW
Severity: Major
Priority: P5 - None
Component: backend
AssignedTo: mls@suse.com
ReportedBy: david@dgreaves.com
QAContact: adrian@suse.com
Found By: ---
Blocker: ---

User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:5.0) Gecko/20100101 Firefox/5.0 Iceweasel/5.0

If a control char like ^[ gets into an osc review comment then OBS will 404 it when trying to access the request.

This happened when we used a command to populate a review comment and it threw some screen colour codes into the review.

Reproducible: Always

Steps to Reproduce:
1. osc review add -U $USER -m"Here is a message with_"$'\x0b' $ID
2. osc rq show $ID

Actual Results:
Server returned an error: HTTP Error 404: Not Found
no such request '2100'

Expected Results:
Rejected or cleaned review text.

I prepared this patch for Structured.pm in src/backend/XML

    # Prepare a table of forbidden control codes http://www.w3.org/TR/REC-xml/#charsets
    # Control characters are actually only permitted in XML1.1 as character references:
    # http://www.w3.org/TR/xml11/#dt-charref
    our (%escapes, $XML_forbidden);
    for my $c (0x01..0x1F) {
      next if $c == 0x9 or $c == 0xA or $c == 0xD;   # TAB, LF and CR are allowed
      $escapes{chr($c)} = sprintf("&#x%02X;", $c);
      $XML_forbidden .= chr($c);
    }

    sub _escape {
      my ($d) = @_;
      $d =~ s/&/&amp;/sg;
      $d =~ s/</&lt;/sg;
      $d =~ s/>/&gt;/sg;
      $d =~ s/"/&quot;/sg;
      # replace each forbidden control character with its character reference
      $d =~ s/([$XML_forbidden])/$escapes{$1}/sg;
      return $d;
    }

But it won't work because the expat parser doesn't understand &#xXX; entities. Doing an _unescape before calling expat has the same problem as just reading the raw control codes - expat fails and nothing is read.

The solution I used is to filter them:

    # Prepare a table of forbidden control codes http://www.w3.org/TR/REC-xml/#charsets
    our $XML_forbidden;
    for my $c (0x01..0x1F) {
      next if $c == 0x9 or $c == 0xA or $c == 0xD;   # TAB, LF and CR are allowed
      $XML_forbidden .= chr($c);
    }

    sub _escape {
      my ($d) = @_;
      $d =~ s/&/&amp;/sg;
      $d =~ s/</&lt;/sg;
      $d =~ s/>/&gt;/sg;
      $d =~ s/"/&quot;/sg;
      # drop the forbidden control characters entirely
      $d =~ s/([$XML_forbidden])//sg;
      return $d;
    }
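
The behaviour reported above can be checked against expat directly. The following is an added example, not part of the bug report or of OBS: it uses Python's standard-library expat binding to compare the three serializations (raw control characters, character references, filtered). The `<review><comment>` wrapper, the function names and the sample comment are constructed for illustration.

```python
import re
from xml.parsers import expat
from xml.sax.saxutils import escape

# C0 control characters that XML 1.0 forbids (TAB, LF and CR are allowed).
# The table in the report starts at 0x01; NUL (0x00) is forbidden as well.
FORBIDDEN = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f]")

# Constructed sample: a review comment carrying VT and ANSI colour codes.
SAMPLE = 'Here is a message with_\x0b and \x1b[32mcolour\x1b[0m & <tags>'

def xml_escape(text):
    """Escape the markup characters, as _escape() in the report does."""
    return escape(text, {'"': "&quot;"})

def to_charref(text):
    """First attempt from the report: emit &#xXX; for forbidden characters."""
    return FORBIDDEN.sub(lambda m: "&#x%02X;" % ord(m.group()), xml_escape(text))

def to_filtered(text):
    """Second attempt from the report: drop forbidden characters."""
    return FORBIDDEN.sub("", xml_escape(text))

def wrap(body):
    # Hypothetical wrapper element, only so that expat sees a full document.
    return "<review><comment>%s</comment></review>" % body

def parses(doc):
    """Return True if expat accepts the document as well-formed XML 1.0."""
    parser = expat.ParserCreate()
    try:
        parser.Parse(doc.encode("utf-8"), True)
        return True
    except expat.ExpatError:
        return False

if __name__ == "__main__":
    for name, body in (("raw", xml_escape(SAMPLE)),
                       ("charref", to_charref(SAMPLE)),
                       ("filtered", to_filtered(SAMPLE))):
        print("%-8s parses=%s" % (name, parses(wrap(body))))
```

Filtering removes only the ESC byte of a colour sequence, so printable residue such as `[32m` stays in the stored comment.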