From patchwork Wed Feb 17 03:28:52 2021
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Eli Schwartz <eschwartz@archlinux.org>
X-Patchwork-Id: 1873
Return-Path: <aur-dev-bounces@lists.archlinux.org>
Delivered-To: patchwork@archlinux.org
Received: from mail.archlinux.org [95.216.189.61]
	by patchwork.archlinux.org with IMAP (fetchmail-6.4.16)
	for <fetchmail@localhost> (single-drop);
 Wed, 17 Feb 2021 03:29:26 +0000 (UTC)
Received: from mail.archlinux.org
	by mail.archlinux.org with LMTP
	id QnOZEZaNLGCRkAEAK+/4rw
	(envelope-from <aur-dev-bounces@lists.archlinux.org>)
	for <patchwork@archlinux.org>; Wed, 17 Feb 2021 03:29:26 +0000
Received: from luna.archlinux.org (luna.archlinux.org
 [IPv6:2a01:4f8:160:3033::2])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange ECDHE (P-384) server-signature RSA-PSS (4096 bits)
 server-digest SHA256)
	(No client certificate requested)
	by mail.archlinux.org (Postfix) with ESMTPS id 9ABA23FE926;
	Wed, 17 Feb 2021 03:29:25 +0000 (UTC)
Received: from luna.archlinux.org (luna.archlinux.org [127.0.0.1])
	by luna.archlinux.org (Postfix) with ESMTP id 4BD632C6F2;
	Wed, 17 Feb 2021 03:29:25 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=lists.archlinux.org;
	s=luna; t=1613532565;
	bh=2Ox8LX5eO349kxyPkSYon+xelH8NyFQiwAlqmQeWauo=;
	h=To:Subject:Date:List-Id:List-Unsubscribe:List-Archive:List-Post:
	 List-Help:List-Subscribe:From:Reply-To:Cc;
	b=h0WtPJdmucbIuIkGk3nlV/ICO6g3qiCJ1GGswj3n63SEz3fQD3N6eE0eJVpzjNR/q
	 nQUWgN1H7e1xoL+epIUDq8aPS1G3NxQdEV6mFw+fEMP21Y0lvKXqTKSlxTdo1B4xTw
	 TRcU6CkUJoPES3myspTXGGq/p7byqubZ1tDTieb4hqVYfgyjPuKSoksLUz73uMSzF8
	 qCUByvfTGegDBsCAVwhEKp1feSxIfuIiMEq3Phhh127KL6JvhBfx8EFeeyPZhmxQhk
	 5Ys/7gaBv6snn8vZ0/7j21WWpOLGVXEmyM5+YRzq7MoG2zJr73+Se/SfPTJN2rRYHH
	 97mwdCy8W/JiQT4yrBFD8zAev3HTL/eCVC8/mLcmppvZ6fohpsZP3oRgEY1tQXOyCv
	 05ZKnXHUVxlW5WWdR2yDsAoYb5cQqzHlK9LLDJIvWWIMZpUZMyZf5Q0+j6rAe4IoT2
	 C1+7inVjqj7iEuMpSHcB/Qxpgkz4nMAaoUSqfilxWTRNGcHEckf8Nh/YHyiOB2Rmne
	 6IRRoduyF6PTWlpX+zPtcvT532UZxhGGNgrdhZ1oo1AsA1FwAn3OAlhZ6eadFrfKmI
	 EA6LqMNhBemsosy56StI4Oj5dQO4nAEoidSzwud4u5okECdnepn5QYpFNX35KjnQG2
	 vc/sVGkaq1g1G9R/BxKmZG6Q=
Received: from luna.archlinux.org (luna.archlinux.org [127.0.0.1])
 by luna.archlinux.org (Postfix) with ESMTP id 4C4F12C6ED
 for <aur-dev@lists.archlinux.org>; Wed, 17 Feb 2021 03:29:21 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on luna.archlinux.org
X-Spam-Level: 
X-Spam-Status: No, score=-2.4 required=5.0 tests=DKIMWL_WL_HIGH=-0.001,
 DKIM_SIGNED=0.1,DKIM_VALID=-0.1,DKIM_VALID_AU=-0.1,
 RCVD_IN_DNSWL_MED=-2.3,RCVD_IN_MSPIKE_H4=0.001,RCVD_IN_MSPIKE_WL=0.001,
 T_DMARC_POLICY_NONE=0.01 autolearn=failed autolearn_force=no
 version=3.4.4
X-Spam-BL-Results: <dns:61.189.216.95.list.dnswl.org> [127.0.9.2]
 <dns:61.189.216.95.wl.mailspike.net> [127.0.0.19]
Received: from mail.archlinux.org (mail.archlinux.org [95.216.189.61])
 by luna.archlinux.org (Postfix) with ESMTPS
 for <aur-dev@lists.archlinux.org>; Wed, 17 Feb 2021 03:29:21 +0000 (UTC)
To: aur-dev@archlinux.org
Subject: [aur-dev][PATCH 1/3] fix broken SQL query that always failed
Date: Tue, 16 Feb 2021 22:28:52 -0500
Message-Id: <20210217032854.245535-1-eschwartz@archlinux.org>
X-Mailer: git-send-email 2.30.1
MIME-Version: 1.0
X-BeenThere: aur-dev@lists.archlinux.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: "Arch User Repository \(AUR\) Development"
 <aur-dev.lists.archlinux.org>
List-Unsubscribe: <https://lists.archlinux.org/options/aur-dev>,
 <mailto:aur-dev-request@lists.archlinux.org?subject=unsubscribe>
List-Archive: <https://lists.archlinux.org/pipermail/aur-dev/>
List-Post: <mailto:aur-dev@lists.archlinux.org>
List-Help: <mailto:aur-dev-request@lists.archlinux.org?subject=help>
List-Subscribe: <https://lists.archlinux.org/listinfo/aur-dev>,
 <mailto:aur-dev-request@lists.archlinux.org?subject=subscribe>
X-Patchwork-Original-From: Eli Schwartz via aur-dev
 <aur-dev@lists.archlinux.org>
From: Eli Schwartz <eschwartz@archlinux.org>
Reply-To: "Arch User Repository \(AUR\) Development"
 <aur-dev@lists.archlinux.org>
Cc: Eli Schwartz <eschwartz@archlinux.org>
Errors-To: aur-dev-bounces@lists.archlinux.org
Sender: "aur-dev" <aur-dev-bounces@lists.archlinux.org>
Authentication-Results: mail.archlinux.org;
	dkim=pass header.d=lists.archlinux.org header.s=luna header.b=h0WtPJdm;
	dmarc=pass (policy=none) header.from=archlinux.org;
	spf=pass (mail.archlinux.org: domain of aur-dev-bounces@lists.archlinux.org
 designates 2a01:4f8:160:3033::2 as permitted sender)
 smtp.mailfrom=aur-dev-bounces@lists.archlinux.org
X-Rspamd-Queue-Id: 9ABA23FE926
X-Spamd-Result: default: False [3.79 / 15.00];
	 HAS_REPLYTO(0.00)[aur-dev@lists.archlinux.org];
	 TO_DN_SOME(0.00)[];
	 R_MISSING_CHARSET(2.50)[];
	 R_SPF_ALLOW(-0.20)[+ip6:2a01:4f8:160:3033::2];
	 REPLYTO_ADDR_EQ_FROM(0.00)[];
	 BROKEN_CONTENT_TYPE(1.50)[];
	 RCVD_COUNT_THREE(0.00)[4];
	 MID_RHS_MATCH_FROMTLD(0.00)[];
	 DKIM_TRACE(0.00)[lists.archlinux.org:+];
	 RCPT_COUNT_TWO(0.00)[2];
	 DMARC_POLICY_ALLOW(-0.50)[archlinux.org,none];
	 MAILLIST(-0.20)[mailman];
	 MIME_TRACE(0.00)[0:+];
	 RCVD_TLS_LAST(0.00)[];
	 ASN(0.00)[asn:24940, ipnet:2a01:4f8::/29, country:DE];
	 FROM_NEQ_ENVFROM(0.00)[aur-dev@lists.archlinux.org,aur-dev-bounces@lists.archlinux.org];
	 ARC_NA(0.00)[];
	 R_DKIM_ALLOW(-0.20)[lists.archlinux.org:s=luna];
	 FROM_HAS_DN(0.00)[];
	 TAGGED_RCPT(0.00)[aur-dev];
	 MIME_GOOD(-0.10)[text/plain];
	 HAS_LIST_UNSUB(-0.01)[];
	 MID_RHS_MATCH_TO(1.00)[];
	 NEURAL_HAM(-0.00)[-1.000];
	 FORGED_SENDER_MAILLIST(0.00)[]
X-Rspamd-Server: mail.archlinux.org

Due to missing whitespace at the end of strings during joining, we ended
up with the query fragment

"DelTS IS NULLAND NOT PinnedTS"

which should be

"DelTS IS NULL AND NOT PinnedTS"

So the check for pinned comments > 5 likely always failed.

In php 7, a completely broken query that raises exceptions in the
database engine was silently ignored... in php 8, it raises

Uncaught PDOException: SQLSTATE[HY000]: General error: 1 near "PinnedTS": syntax error in <file>

and aborts the page building. End result: users with permission to pin
comments cannot see any comments, or indeed page content below the first
comment header

Signed-off-by: Eli Schwartz <eschwartz@archlinux.org>
---
 web/lib/pkgbasefuncs.inc.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/web/lib/pkgbasefuncs.inc.php b/web/lib/pkgbasefuncs.inc.php
index a4925891..4c8abba7 100644
--- a/web/lib/pkgbasefuncs.inc.php
+++ b/web/lib/pkgbasefuncs.inc.php
@@ -21,7 +21,7 @@ function pkgbase_comments_count($base_id, $include_deleted, $only_pinned=false)
 	$q = "SELECT COUNT(*) FROM PackageComments ";
 	$q.= "WHERE PackageBaseID = " . $base_id . " ";
 	if (!$include_deleted) {
-		$q.= "AND DelTS IS NULL";
+		$q.= "AND DelTS IS NULL ";
 	}
 	if ($only_pinned) {
 		$q.= "AND NOT PinnedTS = 0";