Bug - Error "Data truncated for column 'ticket_id' at row 1" when MarkAsSeen is called from AgentTicketZoom with extra suffix #631

Open
pboguslawski opened this issue Jan 27, 2025 · 0 comments

Comments

@pboguslawski
Contributor

When a user who hasn't seen a ticket pastes its URL into the browser address bar and adds https://added.by.mistake/ to this URL by mistake, the ticket page is opened correctly but the MarkAsSeen POST is sent with

Action: AgentTicketZoom
Subaction: MarkAsSeen
TicketID: 3 https://added.by.mistake/
ArticleID: 3
ChallengeToken: [...]

and throws an error like the one below to error.log

[Mon Jan 27 15:25:01 2025] -e: DBD::mysql::db do failed: Data truncated for column 'ticket_id' at row 1 at /opt/otrs/Kernel/System/DB.pm line 497.
ERROR: OTRS-CGI-1 Perl: 5.32.1 OS: linux Time: Mon Jan 27 14:25:01 2025

 Message: Data truncated for column 'ticket_id' at row 1, SQL: '
                INSERT INTO ticket_flag
                (ticket_id, ticket_key, ticket_value, create_time, create_by)
                VALUES (?, ?, ?, '2025-01-27 14:25:01', ?)'

 RemoteAddress: [...]
 RequestURI: /otrs/index.pl?Action=AgentTicketZoom;TicketID=3%20https://added.by.mistake/

 Traceback (1773):
   Module: Kernel::System::Ticket::TicketFlagSet Line: 7087
   Module: Kernel::Modules::AgentTicketZoom::MaskAgentZoom Line: 2004
   Module: Kernel::Modules::AgentTicketZoom::Run Line: 839
   Module: Kernel::System::Web::InterfaceAgent::Run Line: 1144
   Module: ModPerl::ROOT::ModPerl::Registry::opt_otrs_bin_cgi_2dbin_index_2epl::handler Line: 39
   Module: (eval) (v1.99) Line: 207
   Module: ModPerl::RegistryCooker::run (v1.99) Line: 207
   Module: ModPerl::RegistryCooker::default_handler (v1.99) Line: 173
   Module: ModPerl::Registry::handler (v1.99) Line: 32

Environment

  • Server OS: Debian
  • Browser: any
  • Znuny version: 6.5.11

Expected behavior

  1. No errors in server error.log (MarkAsSeen input should be validated).
  2. POST with valid TicketID should be called from WebUI in such scenario.

Actual behavior

  1. MarkAsSeen POST from correctly loaded page contains invalid TicketID value.
  2. MarkAsSeen is not validated on the server and throws an SQL error.

How to reproduce

Steps to reproduce the behavior:

  1. Log in as user A, create a ticket, and send its URL (i.e. https://my.znuny.sever/otrs/index.pl?Action=AgentTicketZoom;TicketID=3) to user B.
  2. Paste the URL https://my.znuny.sever/otrs/index.pl?Action=AgentTicketZoom;TicketID=3 https://added.by.mistake/ into user B's browser (to trigger the MarkAsSeen POST from a page with the suffixed URL).
  3. See web server error.log.
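
The server-side validation asked for under "Expected behavior", as an added sketch that is not part of the issue and is not Znuny code. It is standalone Perl: `parse_positive_id`, `handle_mark_as_seen` and the `$flag_set` callback are hypothetical names, the 18-digit limit assumes a signed 64-bit ID column, and the sample requests are constructed.

```perl
#!/usr/bin/env perl
use strict;
use warnings;

# Hypothetical helper, not Znuny code: accept only a canonical positive
# integer. \A and \z anchor the whole string ("$" would let a trailing
# newline through) and [0-9] excludes non-ASCII digits that \d can match.
sub parse_positive_id {
    my ($raw) = @_;
    return unless defined $raw;
    # Assumption: at most 18 digits, so the value fits a signed 64-bit integer.
    return unless $raw =~ /\A[1-9][0-9]{0,17}\z/;
    return 0 + $raw;
}

# Hypothetical handler: validate every ID before anything reaches the
# database. $flag_set stands in for the code that writes to ticket_flag.
sub handle_mark_as_seen {
    my ( $param, $flag_set ) = @_;
    my %id;
    for my $name (qw(TicketID ArticleID)) {
        $id{$name} = parse_positive_id( $param->{$name} );

        # Name the field only; the raw value is not echoed into the error.
        return { ok => 0, error => "invalid $name" } unless defined $id{$name};
    }
    $flag_set->( $id{TicketID}, $id{ArticleID} );
    return { ok => 1 };
}

# Constructed requests; the second carries the TicketID from the report.
my @requests = (
    { TicketID => '3',                           ArticleID => '3' },
    { TicketID => '3 https://added.by.mistake/', ArticleID => '3' },
    { TicketID => "3\n",                         ArticleID => '3' },
    { TicketID => '3',                           ArticleID => undef },
);

my @written;    # records the calls that would have written a flag
for my $i ( 0 .. $#requests ) {
    my $result = handle_mark_as_seen( $requests[$i], sub { push @written, [@_] } );
    printf "request %d: %s\n", $i + 1,
        $result->{ok} ? 'flag set' : "rejected ($result->{error})";
}
printf "writes performed: %d\n", scalar @written;
```

Rejecting the request before the write keeps the malformed value out of the `INSERT INTO ticket_flag` statement, so the database driver never has to report the truncation.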