From 4bf5c452eb28ed60a89fc0e93e1f939a00cf8f91 Mon Sep 17 00:00:00 2001
From: Andre Klapper
Date: Tue, 21 May 2024 18:46:31 +0200
Subject: [PATCH] Improve error passing task IDs as URL parameter in invalid format

Summary: Maniphest expects the values of the `ids` URL parameter to be integers. Example: http://phorge.localhost/maniphest/?ids=1,2,3,4 to show a list of tasks with those IDs. When passing monograms instead (`T` prefix, like `T123` instead of `123`), a cryptic message `Expected a numeric scalar or null for %Ld conversion` is shown. Thus check if `$this->taskIDs` consists of integers only; if not throw a `PhutilSearchQueryCompilerSyntaxException` with an explanatory error message. Closes T15838

Test Plan: Go to http://phorge.localhost/maniphest/?ids=T1,T2,T3,T4 before and after applying the patch.

Reviewers: O1 Blessed Committers, avivey

Reviewed By: O1 Blessed Committers, avivey

Subscribers: avivey, tobiaswiese, valerio.bozzolan, Matthew, Cigaryno

Maniphest Tasks: T15838

Differential Revision: https://we.phorge.it/D25669
---
 src/applications/maniphest/query/ManiphestTaskQuery.php | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/src/applications/maniphest/query/ManiphestTaskQuery.php b/src/applications/maniphest/query/ManiphestTaskQuery.php
index c206bd6599..7947981ec7 100644
--- a/src/applications/maniphest/query/ManiphestTaskQuery.php
+++ b/src/applications/maniphest/query/ManiphestTaskQuery.php
@@ -358,6 +358,10 @@ final class ManiphestTaskQuery extends PhabricatorCursorPagedPolicyAwareQuery {
     $where[] = $this->buildOwnerWhereClause($conn);
 
     if ($this->taskIDs !== null) {
+      if (!ctype_digit(implode('', $this->taskIDs))) {
+        throw new PhutilSearchQueryCompilerSyntaxException(
+          pht('Task IDs must be integer numbers.'));
+      }
       $where[] = qsprintf(
         $conn,
         'task.id in (%Ld)',
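Review bot: The added `ctype_digit(implode('', $this->taskIDs))` check validates the concatenation rather than each ID, so it cannot tell the user which value was rejected, and because `ctype_digit('')` is false an empty `taskIDs` array (if a caller can produce one, e.g. via an empty `ids=` parameter) is now reported as "not integer numbers" instead of reaching the `%Ld` clause as before. Checking each element individually keeps the same guard semantics, lets the message name the offending value, and the explicit `(string)` cast avoids `ctype_digit`'s integer-as-ASCII-code behaviour if a caller passes native ints. The enclosing method starts and ends outside the hunk.
```php
    if ($this->taskIDs !== null) {
      foreach ($this->taskIDs as $task_id) {
        if (!ctype_digit((string)$task_id)) {
          throw new PhutilSearchQueryCompilerSyntaxException(
            pht(
              'Task IDs must be integer numbers, "%s" is not.',
              $task_id));
        }
      }
      // … unchanged: qsprintf 'task.id in (%Ld)' clause …
```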