Commit b0712e17 authored by Yann Leboulanger's avatar Yann Leboulanger

replace all %d / %s things in SQL queries by ? for security reasons

parent d5351f63
...@@ -149,9 +149,12 @@ class Logger: ...@@ -149,9 +149,12 @@ class Logger:
self.open_db() self.open_db()
self.get_jids_already_in_db() self.get_jids_already_in_db()
def simple_commit(self, sql_to_commit): def simple_commit(self, sql_to_commit, values=None):
'''helper to commit''' '''helper to commit'''
self.cur.execute(sql_to_commit) if values:
self.cur.execute(sql_to_commit, values)
else:
self.cur.execute(sql_to_commit)
try: try:
self.con.commit() self.con.commit()
except sqlite.OperationalError, e: except sqlite.OperationalError, e:
...@@ -383,21 +386,19 @@ class Logger: ...@@ -383,21 +386,19 @@ class Logger:
def insert_unread_events(self, message_id, jid_id): def insert_unread_events(self, message_id, jid_id):
''' add unread message with id: message_id''' ''' add unread message with id: message_id'''
sql = 'INSERT INTO unread_messages VALUES (%d, %d, 0)' % (message_id, sql = 'INSERT INTO unread_messages VALUES (?, ?, 0)'
jid_id) self.simple_commit(sql, values=(message_id, jid_id))
self.simple_commit(sql)
def set_read_messages(self, message_ids): def set_read_messages(self, message_ids):
''' mark all messages with ids in message_ids as read''' ''' mark all messages with ids in message_ids as read'''
ids = ','.join([str(i) for i in message_ids]) ids = ','.join([str(i) for i in message_ids])
sql = 'DELETE FROM unread_messages WHERE message_id IN (%s)' % ids sql = 'DELETE FROM unread_messages WHERE message_id IN (?)'
self.simple_commit(sql) self.simple_commit(sql, values=(ids,))
def set_shown_unread_msgs(self, msg_id): def set_shown_unread_msgs(self, msg_id):
''' mark unread message as shown un GUI ''' ''' mark unread message as shown un GUI '''
sql = 'UPDATE unread_messages SET shown = 1 where message_id = %s' % \ sql = 'UPDATE unread_messages SET shown = 1 where message_id = ?'
msg_id self.simple_commit(sql, values=(msg_id,))
self.simple_commit(sql)
def reset_shown_unread_messages(self): def reset_shown_unread_messages(self):
''' Set shown field to False in unread_messages table ''' ''' Set shown field to False in unread_messages table '''
...@@ -423,8 +424,8 @@ class Logger: ...@@ -423,8 +424,8 @@ class Logger:
SELECT logs.log_line_id, logs.message, logs.time, logs.subject, SELECT logs.log_line_id, logs.message, logs.time, logs.subject,
jids.jid jids.jid
FROM logs, jids FROM logs, jids
WHERE logs.log_line_id = %d AND logs.jid_id = jids.jid_id WHERE logs.log_line_id = ? AND logs.jid_id = jids.jid_id
''' % msg_id ''', (msg_id,)
) )
results = self.cur.fetchall() results = self.cur.fetchall()
if len(results) == 0: if len(results) == 0:
...@@ -536,9 +537,9 @@ class Logger: ...@@ -536,9 +537,9 @@ class Logger:
try: try:
self.cur.execute(''' self.cur.execute('''
SELECT time, kind, message FROM logs SELECT time, kind, message FROM logs
WHERE (%s) AND kind IN (%d, %d, %d, %d, %d) AND time > %d WHERE (?) AND kind IN (?, ?, ?, ?, ?) AND time > ?
ORDER BY time DESC LIMIT %d OFFSET %d ORDER BY time DESC LIMIT ? OFFSET ?
''' % (where_sql, constants.KIND_SINGLE_MSG_RECV, ''', (where_sql, constants.KIND_SINGLE_MSG_RECV,
constants.KIND_CHAT_MSG_RECV, constants.KIND_SINGLE_MSG_SENT, constants.KIND_CHAT_MSG_RECV, constants.KIND_SINGLE_MSG_SENT,
constants.KIND_CHAT_MSG_SENT, constants.KIND_ERROR, constants.KIND_CHAT_MSG_SENT, constants.KIND_ERROR,
timed_out, restore_how_many_rows, pending_how_many) timed_out, restore_how_many_rows, pending_how_many)
...@@ -577,10 +578,10 @@ class Logger: ...@@ -577,10 +578,10 @@ class Logger:
self.cur.execute(''' self.cur.execute('''
SELECT contact_name, time, kind, show, message, subject FROM logs SELECT contact_name, time, kind, show, message, subject FROM logs
WHERE (%s) WHERE (?)
AND time BETWEEN %d AND %d AND time BETWEEN ? AND ?
ORDER BY time ORDER BY time
''' % (where_sql, start_of_day, last_second_of_day)) ''', (where_sql, start_of_day, last_second_of_day))
results = self.cur.fetchall() results = self.cur.fetchall()
return results return results
...@@ -607,9 +608,9 @@ class Logger: ...@@ -607,9 +608,9 @@ class Logger:
like_sql = '%' + query.replace("'", "''") + '%' like_sql = '%' + query.replace("'", "''") + '%'
self.cur.execute(''' self.cur.execute('''
SELECT contact_name, time, kind, show, message, subject FROM logs SELECT contact_name, time, kind, show, message, subject FROM logs
WHERE (%s) AND message LIKE '%s' WHERE (?) AND message LIKE '?'
ORDER BY time ORDER BY time
''' % (where_sql, like_sql)) ''', (where_sql, like_sql))
results = self.cur.fetchall() results = self.cur.fetchall()
return results return results
...@@ -635,11 +636,11 @@ class Logger: ...@@ -635,11 +636,11 @@ class Logger:
# Now we have timestamps of time 0:00 of every day with logs # Now we have timestamps of time 0:00 of every day with logs
self.cur.execute(''' self.cur.execute('''
SELECT DISTINCT time/(86400)*86400 FROM logs SELECT DISTINCT time/(86400)*86400 FROM logs
WHERE (%s) WHERE (?)
AND time BETWEEN %d AND %d AND time BETWEEN ? AND ?
AND kind NOT IN (%d, %d) AND kind NOT IN (?, ?)
ORDER BY time ORDER BY time
''' % (where_sql, start_of_month, last_second_of_month, ''', (where_sql, start_of_month, last_second_of_month,
constants.KIND_STATUS, constants.KIND_GCSTATUS)) constants.KIND_STATUS, constants.KIND_GCSTATUS))
result = self.cur.fetchall() result = self.cur.fetchall()
...@@ -664,9 +665,9 @@ class Logger: ...@@ -664,9 +665,9 @@ class Logger:
where_sql = 'jid_id = %s' % jid_id where_sql = 'jid_id = %s' % jid_id
self.cur.execute(''' self.cur.execute('''
SELECT MAX(time) FROM logs SELECT MAX(time) FROM logs
WHERE (%s) WHERE (?)
AND kind NOT IN (%d, %d) AND kind NOT IN (?, ?)
''' % (where_sql, constants.KIND_STATUS, constants.KIND_GCSTATUS)) ''', (where_sql, constants.KIND_STATUS, constants.KIND_GCSTATUS))
results = self.cur.fetchone() results = self.cur.fetchone()
if results is not None: if results is not None:
...@@ -686,8 +687,8 @@ class Logger: ...@@ -686,8 +687,8 @@ class Logger:
where_sql = 'jid_id = %s' % jid_id where_sql = 'jid_id = %s' % jid_id
self.cur.execute(''' self.cur.execute('''
SELECT time FROM rooms_last_message_time SELECT time FROM rooms_last_message_time
WHERE (%s) WHERE (?)
''' % (where_sql)) ''', (where_sql,))
results = self.cur.fetchone() results = self.cur.fetchone()
if results is not None: if results is not None:
...@@ -701,9 +702,8 @@ class Logger: ...@@ -701,9 +702,8 @@ class Logger:
we had logs for that room in rooms_last_message_time table''' we had logs for that room in rooms_last_message_time table'''
jid_id = self.get_jid_id(jid, 'ROOM') jid_id = self.get_jid_id(jid, 'ROOM')
# jid_id is unique in this table, create or update : # jid_id is unique in this table, create or update :
sql = 'REPLACE INTO rooms_last_message_time VALUES (%d, %d)' % \ sql = 'REPLACE INTO rooms_last_message_time VALUES (?, ?)'
(jid_id, time) self.simple_commit(sql, (jid_id, time))
self.simple_commit(sql)
def _build_contact_where(self, account, jid): def _build_contact_where(self, account, jid):
'''build the where clause for a jid, including metacontacts '''build the where clause for a jid, including metacontacts
...@@ -733,18 +733,17 @@ class Logger: ...@@ -733,18 +733,17 @@ class Logger:
# unknown type # unknown type
return return
self.cur.execute( self.cur.execute(
'SELECT type from transports_cache WHERE transport = "%s"' % jid) 'SELECT type from transports_cache WHERE transport = "?"', (jid,))
results = self.cur.fetchall() results = self.cur.fetchall()
if results: if results:
result = results[0][0] result = results[0][0]
if result == type_id: if result == type_id:
return return
sql = 'UPDATE transports_cache SET type = %d WHERE transport = "%s"' %\ sql = 'UPDATE transports_cache SET type = ? WHERE transport = "?"'
(type_id, jid) self.simple_commit(sql, values=(type_id, jid))
self.simple_commit(sql)
return return
sql = 'INSERT INTO transports_cache VALUES ("%s", %d)' % (jid, type_id) sql = 'INSERT INTO transports_cache VALUES ("?", ?)'
self.simple_commit(sql) self.simple_commit(sql, values=(jid, type_id))
def get_transports_type(self): def get_transports_type(self):
'''return all the type of the transports in DB''' '''return all the type of the transports in DB'''
...@@ -815,9 +814,9 @@ class Logger: ...@@ -815,9 +814,9 @@ class Logger:
# yield the row # yield the row
yield hash_method, hash_, identities, features yield hash_method, hash_, identities, features
for hash_method, hash_ in to_be_removed: for hash_method, hash_ in to_be_removed:
sql = '''DELETE FROM caps_cache WHERE hash_method = "%s" AND sql = '''DELETE FROM caps_cache WHERE hash_method = "?" AND
hash = "%s"''' % (hash_method, hash_) hash = "?"'''
self.simple_commit(sql) self.simple_commit(sql, values=(hash_method, hash_))
def add_caps_entry(self, hash_method, hash_, identities, features): def add_caps_entry(self, hash_method, hash_, identities, features):
data = [] data = []
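Review bot: Binding where_sql as a parameter in `WHERE (?)` (the hunks at 536, 577, 635, 664 and 686) makes sqlite treat the fragment as a string value rather than a condition, so these queries no longer filter by jid and, as far as I can tell, return no rows; the clause has to stay in the SQL text (`''' % where_sql`, binding only the remaining values) or _build_contact_where should return the clause together with its parameters, since the `'jid_id = %s' % jid_id` context lines at 664 and 686 show the fragment is built internally and is not itself a bind value. The placeholders written inside quotes — `LIKE '?'` at 607 and `transport = "?"`, `VALUES ("?", ?)`, `hash_method = "?"` in the 733 and 815 hunks — are string literals, not parameters, so the binding count no longer matches and sqlite will reject the call; they must be bare `?`. In set_read_messages, `IN (?)` with `values=(ids,)` compares message_id against the comma-joined string, which only matches when a single id is passed; build one placeholder per id instead, `sql = 'DELETE FROM unread_messages WHERE message_id IN (%s)' % ','.join('?' * len(message_ids))` and `self.simple_commit(sql, values=tuple(message_ids))`. In simple_commit, `if values:` sends an empty tuple down the no-parameter branch; `if values is not None:` states the intent more precisely.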