use prepared statements in all SQL queries that contains jids to prevent SQL injection. Fixes #7034

23327c83 · Yann Leboulanger · 93683a8c · 23327c83
Commit 23327c83 authored 13 years ago by Yann Leboulanger
--- a/src/common/logger.py
+++ b/src/common/logger.py
@@ -569,7 +569,7 @@ class Logger:
        except exceptions.PysqliteOperationalError, e:
            # Error trying to create a new jid_id. This means there is no log
            return []
-        where_sql = self._build_contact_where(account, jid)
+        where_sql, jid_tuple = self._build_contact_where(account, jid)

        now = int(float(time.time()))
        timed_out = now - (timeout * 60) # before that they are too old
@@ -577,14 +577,13 @@ class Logger:
        # 3 - 8 (we avoid the last 2 lines but we still return 5 asked)
        try:
            self.cur.execute('''
-                    SELECT time, kind, message FROM logs
-                    WHERE (%s) AND kind IN (%d, %d, %d, %d, %d) AND time > %d
-                    ORDER BY time DESC LIMIT %d OFFSET %d
-                    ''' % (where_sql, constants.KIND_SINGLE_MSG_RECV,
-                            constants.KIND_CHAT_MSG_RECV, constants.KIND_SINGLE_MSG_SENT,
-                            constants.KIND_CHAT_MSG_SENT, constants.KIND_ERROR,
-                            timed_out, restore_how_many_rows, pending_how_many)
-                    )
+                SELECT time, kind, message FROM logs
+                WHERE (%s) AND kind IN (%d, %d, %d, %d, %d) AND time > %d
+                ORDER BY time DESC LIMIT %d OFFSET %d
+                ''' % (where_sql, constants.KIND_SINGLE_MSG_RECV,
+                constants.KIND_CHAT_MSG_RECV, constants.KIND_SINGLE_MSG_SENT,
+                constants.KIND_CHAT_MSG_SENT, constants.KIND_ERROR, timed_out,
+                restore_how_many_rows, pending_how_many), jid_tuple)

            results = self.cur.fetchall()
        except sqlite.DatabaseError:
@@ -614,18 +613,18 @@ class Logger:
        except exceptions.PysqliteOperationalError, e:
            # Error trying to create a new jid_id. This means there is no log
            return []
-        where_sql = self._build_contact_where(account, jid)
+        where_sql, jid_tuple = self._build_contact_where(account, jid)

        start_of_day = self.get_unix_time_from_date(year, month, day)
        seconds_in_a_day = 86400 # 60 * 60 * 24
        last_second_of_day = start_of_day + seconds_in_a_day - 1

        self.cur.execute('''
-                SELECT contact_name, time, kind, show, message, subject FROM logs
-                WHERE (%s)
-                AND time BETWEEN %d AND %d
-                ORDER BY time
-                ''' % (where_sql, start_of_day, last_second_of_day))
+            SELECT contact_name, time, kind, show, message, subject FROM logs
+            WHERE (%s)
+            AND time BETWEEN %d AND %d
+            ORDER BY time
+            ''' % (where_sql, start_of_day, last_second_of_day), jid_tuple)

        results = self.cur.fetchall()
        return results
@@ -651,13 +650,13 @@ class Logger:
                return results

        else: # user just typed something, we search in message column
-            where_sql = self._build_contact_where(account, jid)
+            where_sql, jid_tuple = self._build_contact_where(account, jid)
            like_sql = '%' + query.replace("'", "''") + '%'
            self.cur.execute('''
-                    SELECT contact_name, time, kind, show, message, subject FROM logs
-                    WHERE (%s) AND message LIKE '%s'
-                    ORDER BY time
-                    ''' % (where_sql, like_sql))
+                SELECT contact_name, time, kind, show, message, subject FROM logs
+                WHERE (%s) AND message LIKE '%s'
+                ORDER BY time
+                ''' % (where_sql, like_sql), jid_tuple)

        results = self.cur.fetchall()
        return results
@@ -672,7 +671,7 @@ class Logger:
            # Error trying to create a new jid_id. This means there is no log
            return []
        days_with_logs = []
-        where_sql = self._build_contact_where(account, jid)
+        where_sql, jid_tuple = self._build_contact_where(account, jid)

        # First select all date of month whith logs we want
        start_of_month = self.get_unix_time_from_date(year, month, 1)
@@ -684,13 +683,13 @@ class Logger:
        # and take only one of the same values (distinct)
        # Now we have timestamps of time 0:00 of every day with logs
        self.cur.execute('''
-                SELECT DISTINCT time/(86400)*86400 FROM logs
-                WHERE (%s)
-                AND time BETWEEN %d AND %d
-                AND kind NOT IN (%d, %d)
-                ORDER BY time
-                ''' % (where_sql, start_of_month, last_second_of_month,
-                constants.KIND_STATUS, constants.KIND_GCSTATUS))
+            SELECT DISTINCT time/(86400)*86400 FROM logs
+            WHERE (%s)
+            AND time BETWEEN %d AND %d
+            AND kind NOT IN (%d, %d)
+            ORDER BY time
+            ''' % (where_sql, start_of_month, last_second_of_month,
+            constants.KIND_STATUS, constants.KIND_GCSTATUS), jid_tuple)
        result = self.cur.fetchall()

        # convert timestamps to day of month
@@ -706,19 +705,21 @@ class Logger:
        """
        where_sql = ''
        if not is_room:
-            where_sql = self._build_contact_where(account, jid)
+            where_sql, jid_tuple = self._build_contact_where(account, jid)
        else:
            try:
                jid_id = self.get_jid_id(jid, 'ROOM')
            except exceptions.PysqliteOperationalError, e:
                # Error trying to create a new jid_id. This means there is no log
                return None
-            where_sql = 'jid_id = %s' % jid_id
+            where_sql = 'jid_id = ?'
+            jid_tuple = (jid_id,)
        self.cur.execute('''
-                SELECT MAX(time) FROM logs
-                WHERE (%s)
-                AND kind NOT IN (%d, %d)
-                ''' % (where_sql, constants.KIND_STATUS, constants.KIND_GCSTATUS))
+            SELECT MAX(time) FROM logs
+            WHERE (%s)
+            AND kind NOT IN (%d, %d)
+            ''' % (where_sql, constants.KIND_STATUS, constants.KIND_GCSTATUS),
+            jid_tuple)

        results = self.cur.fetchone()
        if results is not None:
@@ -766,6 +767,7 @@ class Logger:
        Build the where clause for a jid, including metacontacts jid(s) if any
        """
        where_sql = ''
+        jid_tuple = ()
        # will return empty list if jid is not associated with
        # any metacontacts
        family = gajim.contacts.get_metacontacts_family(account, jid)
@@ -775,13 +777,15 @@ class Logger:
                    jid_id = self.get_jid_id(user['jid'])
                except exceptions.PysqliteOperationalError, e:
                    continue
-                where_sql += 'jid_id = %s' % jid_id
+                where_sql += 'jid_id = ?'
+                jid_tuple += (jid_id,)
                if user != family[-1]:
                    where_sql += ' OR '
        else: # if jid was not associated with metacontacts
            jid_id = self.get_jid_id(jid)
-            where_sql = 'jid_id = %s' % jid_id
-        return where_sql
+            where_sql = 'jid_id = ?'
+            jid_tuple += (jid_id,)
+        return where_sql, jid_tuple

    def save_transport_type(self, jid, type_):
        """