Details
-
Bug
-
Resolution: Unresolved
-
Low
-
None
-
3.3.3
-
4
-
Severity 3 - Minor
-
1
-
Description
Issue Summary
The underscore character (_) is matching any character in a Crowd Query Language search.
This occurs when searching for users and groups from the Crowd UI and when using the /rest/usermanagement/1/search REST API method.
Steps to Reproduce
- Install a Vanilla instance of Crowd.
- Create a sample Internal Directory with default configuration.
- Add 4 groups to this sample directory:
- Name: testing_search
- Name: testingsearch
- Name: testing-search
- Name: testing1search
- In the Search Groups page, select the sample directory and do a search for string 'g-s'.
- Only the testing-search group appears in the search result.
- Still in the Search Groups page, select the sample directory and do a search for string 'g_s'.
Expected Results
Only the testing_search group appears in the search result.
Actual Results
The following groups are shown in the search result as matching the search string:
- testing-search
- testing1search
- testing_search
Notes
The underscore character is a wildcard for many database engines, matching any single character.
This character is not escaped when passed along to the database.
The same issue occurs when using the REST API method /rest/usermanagement/1/search to perform a CQL search.
Workaround
When performing searches from the UI you may escape the _ character.
For example, searching for the string below would only return the testing_search group:
g\_s
There's no workaround for the REST API use case.