sepinf-inc / IPED

IPED Digital Forensic Tool. It is an open source software that can be used to process and analyze digital evidence, often seized at crime scenes by law enforcement or in a corporate investigation by private examiners.

Range queries that use localized properties for date fields are not working properly #2175

Closed wladimirleite closed 2 months ago

wladimirleite commented 2 months ago

As discussed in https://github.com/sepinf-inc/IPED/discussions/2173.

wladimirleite commented 2 months ago

I believe I found a simple fix. I will submit a PR soon.

@lfcnassif, not directly related, but I just checked here and there is no need to escape the colon used as the hour separator. The trailing "Z" is also not used. So modified:[2023-07-06 TO 2023-07-07T20\:00\:00Z] has the same effect as modified:[2023-07-06 TO 2023-07-07T20:00:00].

Can we update the help HTML to use the simpler version?

wladimirleite commented 2 months ago

PS: The "T" between the day and the hour is required, and must be an uppercase "T".

lfcnassif commented 2 months ago

Thanks @wladimirleite for taking a look at this. I'm traveling on "vacation" until next Wednesday, inclusive.

What about exclude queries and open range queries (using curly brackets instead of square brackets): do they work without the ending Z?

wladimirleite commented 2 months ago

> What about exclude queries and open range queries (using curly brackets instead of square brackets) do they work without the ending Z?

Good questions. I will check it.

wladimirleite commented 2 months ago

> What about exclude queries and open range queries (using curly brackets instead of square brackets) do they work without the ending Z?
>
> Good questions. I will check it.

Using [* TO 2023-07-07T20:00:00] works as less than ("< 2023-07-07 20:00:00"). Using [* TO 2023-07-07T20:00:00Z] works as less than or equal to ("<= 2023-07-07 20:00:00"). However, the behavior is the same if an open range is used, so using {* TO 2023-07-07T20:00:00Z} also works as less than or equal to ("<= 2023-07-07 20:00:00"). And using any letter (not only "Z") produces the same result.

So I guess it is better to leave the help as it is. Although it is not working precisely as it was supposed to, using the 'Z' at the end is better, as in most cases a closed range is the expected behavior. Escaping the colon is not necessary, but works.

lfcnassif commented 2 months ago

Thanks @wladimirleite. And if a lowercase z is used, does that fix the open range query?

wladimirleite commented 2 months ago

Testing with different date/times, I noticed that sometimes the open range works (using the uppercase Z), but sometimes it doesn't (same result with "]" and "}"). Maybe it depends on something else (perhaps if the date contains milliseconds, which are not shown in the formatted field).

wladimirleite commented 2 months ago

I found in the search app log an exception related to the implemented fix.