Possible SQL injection through _build_contact_where return results
Bug description
In src/common/logger.py there is a method called _build_contact_where. This method is used to "Build the where clause for a jid, including metacontacts jid(s) if any". It may be possible for the jid to include SQL special characters. One place where SQL injection may be possible is in the get_last_conversation_lines method, where the following code appears:
    def get_last_conversation_lines(...
        ...
        where_sql = self._build_contact_where(account, jid)
        ...
        self.cur.execute('''
            SELECT time, kind, message FROM logs
            WHERE (%s) AND kind IN (%d, %d, %d, %d, %d) AND time > %d
            ORDER BY time DESC LIMIT %d OFFSET %d
            ''' % (where_sql, constants.KIND_SINGLE_MSG_RECV,
            constants.KIND_CHAT_MSG_RECV, constants.KIND_SINGLE_MSG_SENT,
            constants.KIND_CHAT_MSG_SENT, constants.KIND_ERROR,
            timed_out, restore_how_many_rows, pending_how_many)
        )
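The following is an added, self-contained illustration (not code from Gajim or from this report) of the pattern described above: a where clause built by interpolating the jid into SQL text, beside a hardened version that returns a placeholder clause plus bound parameters. The schema, rows and the KIND constant value are constructed for the demo and do not match Gajim's real database.

```python
import sqlite3

KIND_CHAT_MSG_RECV = 2  # assumed value, only used as a kind filter here


def make_db():
    # Constructed in-memory tables mirroring the columns the report's query uses.
    con = sqlite3.connect(':memory:')
    con.executescript('''
        CREATE TABLE jids (jid_id INTEGER PRIMARY KEY, jid TEXT);
        CREATE TABLE logs (jid_id INTEGER, time INTEGER, kind INTEGER, message TEXT);
        INSERT INTO jids VALUES (1, 'alice@example.org'), (2, 'bob@example.org');
        INSERT INTO logs VALUES (1, 100, 2, 'hi from alice'), (2, 101, 2, 'hi from bob');
    ''')
    return con


def build_where_vulnerable(jid):
    # The reported pattern: the jid becomes part of the SQL string itself.
    return "jid_id = (SELECT jid_id FROM jids WHERE jid = '%s')" % jid


def build_where_safe(jid):
    # Hardened form: clause text with a placeholder, values bound separately.
    return "jid_id = (SELECT jid_id FROM jids WHERE jid = ?)", (jid,)


def last_lines_vulnerable(con, jid):
    where_sql = build_where_vulnerable(jid)
    cur = con.execute('''SELECT time, kind, message FROM logs
        WHERE (%s) AND kind IN (%d) ORDER BY time DESC'''
        % (where_sql, KIND_CHAT_MSG_RECV))
    return cur.fetchall()


def last_lines_safe(con, jid):
    where_sql, params = build_where_safe(jid)
    cur = con.execute('''SELECT time, kind, message FROM logs
        WHERE (%s) AND kind IN (?) ORDER BY time DESC''' % where_sql,
        params + (KIND_CHAT_MSG_RECV,))
    return cur.fetchall()


def demo():
    con = make_db()
    odd_jid = "o'hara@example.org"  # a jid containing an SQL special character
    try:
        last_lines_vulnerable(con, odd_jid)
        broken = False
    except sqlite3.Error:
        broken = True  # the quote terminated the literal; the SQL was altered
    safe_rows = last_lines_safe(con, odd_jid)  # query intact, no such contact
    alice = last_lines_safe(con, 'alice@example.org')
    return broken, safe_rows, alice
```

demo() returns (True, [], [(100, 2, 'hi from alice')]): the interpolated clause lets the jid change the statement, while the parameterized clause treats it purely as data.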