From 2e48d3fe12c1b0d6e2a381b8b099a5b6d3bae7de Mon Sep 17 00:00:00 2001
From: Jared Hancock <jared@osticket.com>
Date: Mon, 2 Sep 2013 23:42:55 +0000
Subject: [PATCH] Don't leak private FAQ titles

Fixes #683

Search results on the client interface for knowledgebase articles would
previously show hits for the internal (private) knowledgebase articles. The
subjects were shown but the articles themselves were not viewable.

This addresses the SQL logic issue causing the private hits to be shown.
---
 include/client/knowledgebase.inc.php | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/include/client/knowledgebase.inc.php b/include/client/knowledgebase.inc.php
index 2c34a9d82..4d75bcba5 100644
--- a/include/client/knowledgebase.inc.php
+++ b/include/client/knowledgebase.inc.php
@@ -61,18 +61,18 @@ if($_REQUEST['q'] || $_REQUEST['cid'] || $_REQUEST['topicId']) { //Search.
         .' LEFT JOIN '.FAQ_CATEGORY_TABLE.' cat ON(cat.category_id=faq.category_id) '
         .' LEFT JOIN '.FAQ_TOPIC_TABLE.' ft ON(ft.faq_id=faq.faq_id) '
         .' WHERE faq.ispublished=1 AND cat.ispublic=1';
-    
+
     if($_REQUEST['cid'])
         $sql.=' AND faq.category_id='.db_input($_REQUEST['cid']);
-    
+
     if($_REQUEST['topicId'])
         $sql.=' AND ft.topic_id='.db_input($_REQUEST['topicId']);
 
 
     if($_REQUEST['q']) {
-        $sql.=" AND question LIKE ('%".db_input($_REQUEST['q'],false)."%') 
-                 OR answer LIKE ('%".db_input($_REQUEST['q'],false)."%') 
-                 OR keywords LIKE ('%".db_input($_REQUEST['q'],false)."%')";
+        $sql.=" AND (question LIKE ('%".db_input($_REQUEST['q'],false)."%')
+                 OR answer LIKE ('%".db_input($_REQUEST['q'],false)."%')
+                 OR keywords LIKE ('%".db_input($_REQUEST['q'],false)."%'))";
     }
 
     $sql.=' GROUP BY faq.faq_id';
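Review bot: The added parentheses on the three `LIKE` clauses fix the AND/OR precedence, but the `q` term is still passed through `db_input(..., false)` straight into a `LIKE` pattern, so the MySQL wildcards `%` and `_` in user input remain live and a query of `%` lists every published, public article regardless of the term; if that is not intended, escape them before building the pattern, e.g. `$q = db_input(addcslashes($_REQUEST['q'], '%_'), false);` and reuse `$q` in the three clauses instead of calling `db_input` three times. I would also add a regression check that a term matching only an unpublished article or one in a non-public category returns no rows, since that is the leak this commit closes. The enclosing `if` block starts and ends outside the hunk.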
-- 
GitLab