Possible SQL Injection Pathway in RT Search Builder with RT v5.0.3 on MySQL

Upgraded to RTv5.0.3 on Perl 5.36 from RTv5.0.1 on Perl 5.34 and now Search Builder causes errors like:

 There was an error parsing your search query: Wrong query, no such column 'testing' in 'Queue = testing'. Your RT admin can find more information in the error logs. 


Couldn't parse query: Wrong query, no such column 'testing' in 'Queue = testing' at /u/rt5/sbin/../lib/RT/Tickets.pm line 3459

TL;DR: The “Queue = testing” is what’s being passed directly to MySQL. If I manually hack the URL to add the single-quotes around the word testing, it works. It’s literally not possible to use the Search Builder because it’s failing to DB quote the data from the user. FWIW, this very well might be a SQL Injection pathway.

I attempted a restart with SB_PREFER_BIND=0 and SB_PREFER_BIND=1 and both caused this error.

Also, the error message on the page is not properly escaped for HTML. If you try to search for a date “after”, you wind up with: