
Discussion

Feature Request - Escape multiple " characters in Search within current folder

posted on May 23, 2022

The search within folder will escape a single " character, but folders allow more than one in the name, and the rest are not escaped, so they are injected into the search syntax and break the ability to return any results.

Here is an example where I can inject another search query by naming a folder like this. Now I get all results in the entire repository with the letter a in the name if I only run a search within this folder. Not that it is a security issue, since you still need the rights to see what you search for.

"New Folder "} | {LF:name="*a*", Type="DFS

0 0
replied on May 23, 2022

Where are you using the search syntax?

In the client, escaping a double quote character involves doubling them up similar to how you would escape single quotes in MS SQL.

I tested with the following folder and it worked as expected.

With the following syntax to search within that folder:

{LF:LOOKIN="TestRepo\""Test""", SUBFOLDERS=0}

0 0
replied on May 23, 2022

I am not using any syntax, just selecting the folder with multiple quotes in the name and trying to search within folder. The syntax it generates is injected and fails.

0 0
replied on May 23, 2022

What's the folder name?

I just tried again with the following folder name and it worked so it might be a bug in the Cloud version or something.

0 0
replied on May 24, 2022

It might be cloud only. Having more than one " character like that will break it, and the example folder name will inject an entirely different search:

"New Folder "} | {LF:name="*a*", Type="DFS

0 0
replied on May 24, 2022

Yes, this seems to be a bug. It's interesting that it looks like we do it correctly in the "within selected folder" case, but not the "within current folder" case. I've filed this as bug #379350.

2 0
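
The doubling rule from the replies and the first-quote-only failure from the original post, side by side, as an added example that is not Laserfiche's code. The function names, the `TestRepo` path and the small clause counter are assumptions made for illustration, and the flawed variant is only one way the described behavior could arise.

```javascript
// Added illustration; all helper names here are hypothetical.

// Flawed: String.replace with a string pattern rewrites only the FIRST match,
// so every later double quote reaches the query unescaped.
function escapeFirstQuoteOnly(value) {
  return value.replace('"', '""');
}

// Corrected: double every double quote, as described in the thread.
function escapeAllQuotes(value) {
  return value.replace(/"/g, '""');
}

// Build the "search within folder" clause from a folder path.
function buildLookin(path, escapeFn) {
  return `{LF:LOOKIN="${escapeFn(path)}", SUBFOLDERS=0}`;
}

// Minimal scanner (assumed grammar): counts {...} clauses that start outside
// a quoted value, treating "" inside a value as one escaped quote.
// Returns -1 when a quoted value is never closed.
function countClauses(query) {
  let inString = false;
  let clauses = 0;
  for (let i = 0; i < query.length; i++) {
    const c = query[i];
    if (inString) {
      if (c === '"') {
        if (query[i + 1] === '"') i++; // escaped quote, stay inside the value
        else inString = false;         // closing quote
      }
    } else if (c === '"') {
      inString = true;
    } else if (c === '{') {
      clauses++;
    }
  }
  return inString ? -1 : clauses;
}

// Folder name quoted from the post; the TestRepo prefix is constructed.
const FOLDER_PATH = 'TestRepo\\' + '"New Folder "} | {LF:name="*a*", Type="DFS';

const flawedQuery = buildLookin(FOLDER_PATH, escapeFirstQuoteOnly);
const fixedQuery = buildLookin(FOLDER_PATH, escapeAllQuotes);
console.log(countClauses(flawedQuery), flawedQuery); // folder name adds a clause
console.log(countClauses(fixedQuery), fixedQuery);   // folder name stays data
```

A check like `countClauses` on generated queries is a cheap regression test: a search scoped to one folder should always produce exactly one clause, whatever the folder is called.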