09362: Bug in updatedb_helper leads to loss of attribute descriptions

This bug affects 1 person(s).

ID	Project	Category	View Status	Date Submitted	Last Update

09362	Bug reports	Other	public	2014-11-16 13:10	2014-11-23 23:42

Reporter	random1	Assigned To	c_schmitz
Priority	normal	Severity	partial_block
Status	closed	Resolution	fixed
Product Version	2.05+
Fixed in Version	2.05+

Summary	09362: Bug in updatedb_helper leads to loss of attribute descriptions
Description	application/helpers/update/updatedb_helper.php, function upgradeSurveys177() The part that is updating field attributedescriptions of table surveys is faulty. The line no. 1302 $sSurveyQuery = "SELECT sid FROM {{surveys}}"; should be $sSurveyQuery = "SELECT sid, attributedescriptions FROM {{surveys}}"; instead. Since attributedescriptions is missing from the current select statement, all attribute descriptions are set to an empty array (in the following lines).
Tags	No tags attached.

Bug heat	4
Complete LimeSurvey version number (& build)	8d1ea96be75975efcd0b22b05669
I will donate to the project if issue is resolved	No
Browser
Database type & version	Postgres
Server OS (if known)	Linux
Webserver software & version (if known)	Apache 2.4
PHP Version	5.6

User List	There are no users monitoring this issue.

c_schmitz 2014-11-16 18:26 administrator ~30994	Fix committed to master branch: http://bugs.limesurvey.org/plugin.php?page=Source/view&id=14626

c_schmitz 2014-11-16 18:26 administrator ~30995	Thank you very much!

random1 2014-11-17 14:24 reporter ~31004	After converting my attributedescriptions to JSON things still weren't working as expected so I looked further into the code and noticed that (at least) application/controllers/admin/tokens.php and application/models/Survey.php are still using unserialize/serialize to access attributedescriptions of table surveys. So I guess the conversion of field attributedescriptions in table surveys from a serialized PHP array to JSON in upgradeSurveys177 was a mistake altogether and that part should better be removed?

c_schmitz 2014-11-17 17:57 administrator ~31006	Fix committed to master branch: http://bugs.limesurvey.org/plugin.php?page=Source/view&id=14631

c_schmitz 2014-11-17 18:02 administrator ~31007	Well, due to the related issue we originally wanted to move to JSON instead of serialized data. Stuff/bugs happened (=someone reverted it to serialization) and now we have two formats out there. For now I have implemented a function that reads both formats but writes JSON. Although the original injection issue is still possible with this solution I don't want to create another DBVersion to fix this. With 2.06 this will be fixed for good.

c_schmitz 2014-11-23 23:42 administrator ~31070	Version 2.05 Build 141123 released.

LimeSurvey: master 8771146c 2014-11-16 18:26 c_schmitz Details Diff	Fixed issue 09362: Loss of attribute descriptions on update	Affected Issues 09362
	mod - application/helpers/update/updatedb_helper.php	Diff File
LimeSurvey: master 48d5e754 2014-11-17 17:57 c_schmitz Details Diff	Fixed issue 09362: Loss of attribute descriptions on update	Affected Issues 09362
	mod - application/controllers/admin/tokens.php	Diff File
	mod - application/helpers/common_helper.php	Diff File
	mod - application/models/Participant.php	Diff File
	mod - application/models/Survey.php	Diff File
	mod - application/models/Token.php	Diff File

Date Modified	Username	Field	Change
2014-11-16 13:10	random1	New Issue
2014-11-16 18:25	c_schmitz	Assigned To	=> c_schmitz
2014-11-16 18:25	c_schmitz	Status	new => assigned
2014-11-16 18:26	c_schmitz	Changeset attached	=> LimeSurvey master 8771146c
2014-11-16 18:26	c_schmitz	Note Added: 30994
2014-11-16 18:26	c_schmitz	Resolution	open => fixed
2014-11-16 18:26	c_schmitz	Note Added: 30995
2014-11-16 18:26	c_schmitz	Status	assigned => resolved
2014-11-16 18:26	c_schmitz	Fixed in Version	=> 2.05+
2014-11-17 14:24	random1	Note Added: 31004
2014-11-17 17:57	c_schmitz	Changeset attached	=> LimeSurvey master 48d5e754
2014-11-17 17:57	c_schmitz	Note Added: 31006
2014-11-17 18:02	c_schmitz	Note Added: 31007
2014-11-23 23:42	c_schmitz	Note Added: 31070
2014-11-23 23:42	c_schmitz	Status	resolved => closed