Escape special characters (#25429)
* Escape LIKE parameter * Escape LIKE parameter * Escape LIKE parameter * Escape LIKE parameter * Escape LIKE parameter * Use correct method in the AbstractMapping class * Change the getNamesBySearch method so that input can be properly escaped while still supporting matches * Don't escape hardcoded wildcard
This commit is contained in:
parent
b37e1ed17f
commit
7c0de08cc4
@ -327,7 +327,7 @@ class CustomPropertiesBackend implements BackendInterface {
$result = $this->connection->executeQuery(
$result = $this->connection->executeQuery(
$sql,
$sql,
array($this->user, rtrim($path, '/') . '/%', $requestedProperties),
array($this->user, $this->connection->escapeLikeParameter(rtrim($path, '/')) . '/%', $requestedProperties),
array(null, null, \Doctrine\DBAL\Connection::PARAM_STR_ARRAY)
array(null, null, \Doctrine\DBAL\Connection::PARAM_STR_ARRAY)
);
);
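Review bot: The escaped `$path` only matches literally if the `LIKE ?` in `$sql` is paired with an `ESCAPE` clause on every backend whose `LIKE` has no default escape character; `$sql` is built above this hunk, outside the visible lines, so that cannot be confirmed here. The same question applies to `AbstractMapping::getNamesBySearch`, both `Database` hunks and `RepairLegacyStorages`, where the `LIKE ?` fragments are visible and carry no `ESCAPE`. If the connection already guarantees the escape character for all supported backends, a short comment at the first call site would stop the next reader from re-checking, e.g. `// escapeLikeParameter() relies on the backend's default LIKE escape character`. Leaving the trailing `'/%'` outside the escape is correct, since it is the intended wildcard.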
@ -623,7 +623,7 @@ class Access extends LDAPUtility implements IUserTools {
* "Developers"
* "Developers"
*/
*/
private function _createAltInternalOwnCloudNameForGroups($name) {
private function _createAltInternalOwnCloudNameForGroups($name) {
$usedNames = $this->groupMapper->getNamesBySearch($name.'_%');
$usedNames = $this->groupMapper->getNamesBySearch($name, "", '_%');
if(!($usedNames) || count($usedNames) === 0) {
if(!($usedNames) || count($usedNames) === 0) {
$lastNo = 1; //will become name_2
$lastNo = 1; //will become name_2
} else {
} else {
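Review bot: The new call passes the empty prefix as `""` while the postfix on the same line is the single-quoted `'_%'`; the file's own style is single quotes, so `getNamesBySearch($name, '', '_%')` reads more consistently. Since the split between escaped search text and raw wildcard is the whole point of the change, a one-line comment above the call would keep it from being "simplified" back later, e.g. `// $name is escaped by getNamesBySearch(); '_%' is a deliberate raw LIKE suffix`. `_createAltInternalOwnCloudNameForGroups` continues past the hunk.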
@ -138,16 +138,18 @@ abstract class AbstractMapping {
/**
/**
* Searches mapped names by the giving string in the name column
* Searches mapped names by the giving string in the name column
* @param string $search
* @param string $search
* @param string $prefixMatch
* @param string $postfixMatch
* @return string[]
* @return string[]
*/
*/
public function getNamesBySearch($search) {
public function getNamesBySearch($search, $prefixMatch = "", $postfixMatch = "") {
$query = $this->dbc->prepare('
$query = $this->dbc->prepare('
SELECT `owncloud_name`
SELECT `owncloud_name`
FROM `'. $this->getTableName() .'`
FROM `'. $this->getTableName() .'`
WHERE `owncloud_name` LIKE ?
WHERE `owncloud_name` LIKE ?
');
');
$res = $query->execute(array($search));
$res = $query->execute(array($prefixMatch.$this->dbc->escapeLikeParameter($search).$postfixMatch));
$names = array();
$names = array();
if($res !== false) {
if($res !== false) {
while($row = $query->fetch()) {
while($row = $query->fetch()) {
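Review bot: The new `$prefixMatch` and `$postfixMatch` parameters are concatenated into the LIKE pattern unescaped while `$search` goes through `escapeLikeParameter()`, but the docblock only lists their types, so a caller cannot tell which argument is safe to fill from user input. The `@param` lines should state the contract: `* @param string $search literal text to find; LIKE metacharacters are escaped`, `* @param string $prefixMatch raw LIKE fragment (e.g. '%') prepended unescaped - trusted callers only`, and the same wording for `$postfixMatch`. The defaults would also read better as `''` to match the single quotes used in the rest of the method. Whether the bare `LIKE ?` without an `ESCAPE` clause honours the escaping on every supported backend is the point raised on the CustomPropertiesBackend hunk; `getNamesBySearch` continues past this hunk.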
@ -164,7 +164,7 @@ abstract class AbstractMappingTest extends \Test\TestCase {
public function testSearch() {
public function testSearch() {
list($mapper,) = $this->initTest();
list($mapper,) = $this->initTest();
$names = $mapper->getNamesBySearch('%oo%');
$names = $mapper->getNamesBySearch('oo', '%', '%');
$this->assertTrue(is_array($names));
$this->assertTrue(is_array($names));
$this->assertSame(2, count($names));
$this->assertSame(2, count($names));
$this->assertTrue(in_array('Foobar', $names));
$this->assertTrue(in_array('Foobar', $names));
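Review bot: The updated test still only exercises the wildcard passthrough (`'oo'` wrapped in `'%'` on both sides); nothing asserts that a `%` or `_` inside `$search` is now matched literally, which is the behaviour this commit introduces, so a regression back to the unescaped form would still pass. A second call such as `$names = $mapper->getNamesBySearch('_', '%', '%');` asserting it returns only names containing a literal underscore would pin the fix; the fixtures come from `initTest()` outside the hunk, so the expected count has to be read from there. `testSearch` continues past the hunk.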
@ -285,7 +285,7 @@ class Database extends \OC\Group\Backend {
$parameters = [$gid];
$parameters = [$gid];
$searchLike = '';
$searchLike = '';
if ($search !== '') {
if ($search !== '') {
$parameters[] = '%' . $search . '%';
$parameters[] = '%' . $this->dbConn->escapeLikeParameter($search) . '%';
$searchLike = ' AND `uid` LIKE ?';
$searchLike = ' AND `uid` LIKE ?';
}
}
@ -311,7 +311,7 @@ class Database extends \OC\Group\Backend {
$parameters = [$gid];
$parameters = [$gid];
$searchLike = '';
$searchLike = '';
if ($search !== '') {
if ($search !== '') {
$parameters[] = '%' . $search . '%';
$parameters[] = '%' . $this->dbConn->escapeLikeParameter($search) . '%';
$searchLike = ' AND `uid` LIKE ?';
$searchLike = ' AND `uid` LIKE ?';
}
}
@ -172,7 +172,7 @@ class RepairLegacyStorages implements IRepairStep{
$sql = 'SELECT `id`, `numeric_id` FROM `*PREFIX*storages`'
$sql = 'SELECT `id`, `numeric_id` FROM `*PREFIX*storages`'
. ' WHERE `id` LIKE ?'
. ' WHERE `id` LIKE ?'
. ' ORDER BY `id`';
. ' ORDER BY `id`';
$result = $this->connection->executeQuery($sql, array($dataDirId . '%'));
$result = $this->connection->executeQuery($sql, array($this->connection->escapeLikeParameter($dataDirId) . '%'));
while ($row = $result->fetch()) {
while ($row = $result->fetch()) {
$currentId = $row['id'];
$currentId = $row['id'];