Closed Bug 7233 Opened 26 years ago Closed 20 years ago

Editversions.cgi has a potential race resulting in duplicate versions

Categories

(Bugzilla :: Administration, task, P3)

2.10

Tracking

()

RESOLVED FIXED
Bugzilla 2.20

People

(Reporter: steveha, Assigned: LpSolit)

References

Details

Attachments

(1 file, 1 obsolete file)

By accident, I entered a product/version combination twice in the versions tables. The database ought to be set up in a way that guarantees that this cannot happen. (I'm not sure how to do this, since I am not a SQL guru. I believe that you could declare that the two columns together make a primary key, and that would do it.)
Status: NEW → ASSIGNED
Priority: P3 → P2
tara@tequilarista.org is the new owner of Bugzilla and Bonsai. (For details, see my posting in netscape.public.mozilla.webtools, news://news.mozilla.org/38F5D90D.F40E8C1A%40geocast.com .)
Assignee: terry → tara
Status: ASSIGNED → NEW
Chris, put your SQL hat on...
Assignee: tara → cyeh
actually you do this by creating an index that forces unique values on columns. i agree that this is a good thing to have, i can't think of any situation where it would be good to have multiple instances of product/version in the versions table. moving to assigned.
Status: NEW → ASSIGNED
made schema slightly more retentive by requiring unique on product name. editproducts.cgi and editversions.cgi both have checking to prevent duplicates.
Status: ASSIGNED → RESOLVED
Closed: 25 years ago
Resolution: --- → FIXED
Just double-checking here, because that doesn't sound right... what if you have more than one version of the same product? :) I have to have two or more rows in the table with the same product name in order to do that (they'd each have different version numbers).
oh dear. you're right. i obviously was _not_ thinking. I did a partial backout of the change...unique indexing is out, the not null change is still there. credited you in the comments for catching my idiocy.
Marking Verified.
Status: RESOLVED → VERIFIED
Why is this verified fixed? This is what's in checksetup.pl for the version table right now: $table{versions} = 'value tinytext, program varchar(64) not null'; I don't see any uniqueness in there. You can make both columns unique as a pair by grouping them in parenthesis in the definition. $table{versions} = 'value tinytext, program varchar(64) not null unique (value, program)'; What was backed out before is that the one column was made unique by itself, instead of doing it as a pair, so it wouldn't let you put more than one version on a product. This needs to be reopened.
Status: VERIFIED → REOPENED
Resolution: FIXED → ---
ugh. you can't index a blob type (tinytext). we'd need to change this to varchar(255) or something.
I assume the fix here is to set up a compound unique index.
QA Contact: matty
Whiteboard: 2.14
Whiteboard: 2.14 → 2.16
moving to real milestones...
Target Milestone: --- → Bugzilla 2.16
Whatever is done here should be duplicated for the milestones table I assume.
Priority: P2 → P3
Whiteboard: 2.16
Taking all of cyeh's Bugzilla bugs.
Assignee: Chris.Yeh → justdave
Status: REOPENED → NEW
*** Bug 97748 has been marked as a duplicate of this bug. ***
New product: bugzilla.
Component: Bugzilla → Administration
Product: Webtools → Bugzilla
Version: other → 2.10
this looks like it requires a schema change (changing a tinytext to a varchar(255) was suggested here). CCing a few of the people working on the xdb sql syntax for comment.
We are currently trying to wrap up Bugzilla 2.16. We are now close enough to release time that anything that wasn't already ranked at P1 isn't going to make the cut. Thus this is being retargetted at 2.18. If you strongly disagree with this retargetting, please comment, however, be aware that we only have about 2 weeks left to review and test anything at this point, and we intend to devote this time to the remaining bugs that were designated as release blockers.
Target Milestone: Bugzilla 2.16 → Bugzilla 2.18
And we should use real ids, too.
*** Bug 191745 has been marked as a duplicate of this bug. ***
Depends on: 153129
In 2.17.6, this seems to work..... If I add the same version twice, I get... "Adding new version The version 'a' already exists. Please press Back and try again."
Status: NEW → RESOLVED
Closed: 25 years ago21 years ago
Resolution: --- → WORKSFORME
Joel Peshkin, did you check whether there is actualy a unique index yet on the "versions" table ("values" column)? The editversions.cgi explicitly tries to do a select before inserting, but that is not atomic and does not guarantee uniqueness in race conditions (such as when two users are trying to do it, or if the user double-clicks the submit button).
Status: RESOLVED → REOPENED
Resolution: WORKSFORME → ---
The potential for a race caused by 2 users simultaneously adding versions is there. The double-click scenario is not very plausible. The other concern, mentioned in bug 191745, suggests that the database protect itself from users manually fiddling with it. It looks like the right thing to do is to either a) LOCK/UNLOCK around the test and the insert or b) Add a unique index and change the INSERT to INSERT IGNORE [[ At the same time, we should change the versions.value to a varchar(64) to match bugs.version ]] bbaetz -- versioncache is supposed to go away. Does that plan impact this decision??
Summary: versions rows should be forced to be unique → Editversions.cgi has a potential race resulting in duplicate versions
option (b) would seem to be preferable, since it is quite reasonable to enforce this type of constraint at the schema level. Note that changing versions.value from "tinytext" to "varchar(64)" is actually a necessary pre-requisite before creating a unique index on that column (as per comment #9)
See bug 153540. versioncache has nothing to do with versions, really
I'll take this one, when I port to my new administration architecture all the edit*.cgi should be consistent including on this issue.
Assignee: justdave → mattyt-bugzilla
Status: REOPENED → NEW
Not likely to make 2.18. Change it back if I'm wrong.
Target Milestone: Bugzilla 2.18 → Bugzilla 2.20
When this bug is fixed, I would suggest you consider making the size of the versions.value and milestones.value fields consistent. I would also note that according to the MySQL documenation (Section 11.4.3) TEXT columns stored in MyISAM tables can be indexed as of MySQL version 3.23.2, which is significantly older than what Bugzilla 2.18 minimally requires.
*** Bug 237926 has been marked as a duplicate of this bug. ***
Is it now fixed by the checkin of bug 190226?
(In reply to comment #29) > Is it now fixed by the checkin of bug 190226? Nope, this not fixed yet.
This bug has not been touched by its owner in over six months, even though it is targeted to 2.20, for which the freeze is 10 days away. Unsetting the target milestone, on the assumption that nobody is actually working on it or has any plans to soon. If you are the owner, and you plan to work on the bug, please give it a real target milestone. If you are the owner, and you do *not* plan to work on it, please reassign it to nobody@bugzilla.org or a .bugs component owner. If you are *anybody*, and you get this comment, and *you* plan to work on the bug, please reassign it to yourself if you have the ability.
Target Milestone: Bugzilla 2.20 → ---
Attached patch patch, v1 (obsolete) (deleted) — Splinter Review
First convert the 'value' field from tinytext to varchar(64), consistently with templates which allow 64 characters and bugs.version which is also defined as varchar(64). Then add an index to the 'versions' table.
Assignee: mattyt-bugzilla → LpSolit
Status: NEW → ASSIGNED
Attachment #182007 - Flags: review?(mkanat)
Comment on attachment 182007 [details] [diff] [review] patch, v1 Technically, in order for that UNIQUE constraint to fix this problem, value would have to be NOT NULL. If there are currently *any* null values in the "value" field, you are in for a very difficult problem.
Attachment #182007 - Flags: review?(mkanat) → review-
Attached patch patch, v2 (deleted) — Splinter Review
I don't see how a value could be NULL. The actual UI does not let you do that. So I simply added NOTNULL => 1.
Attachment #182007 - Attachment is obsolete: true
Attachment #182045 - Flags: review?(mkanat)
Comment on attachment 182045 [details] [diff] [review] patch, v2 OK, yeah, now this looks obviously correct.
Attachment #182045 - Flags: review?(mkanat) → review+
Flags: approval?
Target Milestone: --- → Bugzilla 2.20
Flags: approval? → approval+
Checking in checksetup.pl; /cvsroot/mozilla/webtools/bugzilla/checksetup.pl,v <-- checksetup.pl new revision: 1.401; previous revision: 1.400 done Checking in Bugzilla/DB/Schema.pm; /cvsroot/mozilla/webtools/bugzilla/Bugzilla/DB/Schema.pm,v <-- Schema.pm new revision: 1.29; previous revision: 1.28 done
Status: ASSIGNED → RESOLVED
Closed: 21 years ago20 years ago
Resolution: --- → FIXED
QA Contact: matty_is_a_geek → default-qa
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: