author | Morris Jobke <hey@morrisjobke.de> | 2015-11-20 16:46:46 +0100 |
---|---|---|
committer | Morris Jobke <hey@morrisjobke.de> | 2015-11-20 16:46:46 +0100 |
commit | e1fc0d2345ec294f350e264d3b033651d2ce357b (patch) | |
tree | d112a5c7e68eb3832f025e938c59cef2bd223ce5 | |
parent | 2e0665acb0388fa86d67ae23ce659e7acc550fb7 (diff) | |
parent | 9d04876824e3807866ea519a4302fe2c50bf2254 (diff) | |
download | nextcloud-server-e1fc0d2345ec294f350e264d3b033651d2ce357b.tar.gz nextcloud-server-e1fc0d2345ec294f350e264d3b033651d2ce357b.zip |
Merge pull request #20637 from owncloud/cache-escape-like-81
[8.1] Escape like parameter in cache operations
-rw-r--r-- | lib/private/db/adapteroci8.php | 1 | ||||
-rw-r--r-- | lib/private/db/adaptersqlite.php | 1 | ||||
-rw-r--r-- | lib/private/files/cache/cache.php | 3 | ||||
-rw-r--r-- | tests/lib/files/cache/cache.php | 48 |
4 files changed, 52 insertions, 1 deletions
diff --git a/lib/private/db/adapteroci8.php b/lib/private/db/adapteroci8.php
index 15ec5a0677f..6e7857e6620 100644
--- a/lib/private/db/adapteroci8.php
+++ b/lib/private/db/adapteroci8.php
@@ -36,6 +36,7 @@ class AdapterOCI8 extends Adapter {
 const UNIX_TIMESTAMP_REPLACEMENT = "(cast(sys_extract_utc(systimestamp) as date) - date'1970-01-01') * 86400";
 public function fixupStatement($statement) {
+ $statement = preg_replace('( LIKE \?)', '$0 ESCAPE \'\\\'', $statement);
 $statement = preg_replace('/`(\w+)` ILIKE \?/', 'REGEXP_LIKE(`$1`, \'^\' || REPLACE(?, \'%\', \'.*\') || \'$\', \'i\')', $statement);
 $statement = str_replace('`', '"', $statement);
 $statement = str_ireplace('NOW()', 'CURRENT_TIMESTAMP', $statement);
diff --git a/lib/private/db/adaptersqlite.php b/lib/private/db/adaptersqlite.php
index 5add0586da0..e133a20f543 100644
--- a/lib/private/db/adaptersqlite.php
+++ b/lib/private/db/adaptersqlite.php
@@ -28,6 +28,7 @@ namespace OC\DB;
 class AdapterSqlite extends Adapter {
 public function fixupStatement($statement) {
+ $statement = preg_replace('( I?LIKE \?)', '$0 ESCAPE \'\\\'', $statement);
 $statement = preg_replace('/`(\w+)` ILIKE \?/', 'LOWER($1) LIKE LOWER(?)', $statement);
 $statement = str_replace( '`', '"', $statement );
 $statement = str_ireplace( 'NOW()', 'datetime(\'now\')', $statement );
diff --git a/lib/private/files/cache/cache.php b/lib/private/files/cache/cache.php
index 680398e383f..7cdff3a23ed 100644
--- a/lib/private/files/cache/cache.php
+++ b/lib/private/files/cache/cache.php
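Review bot: The new pattern `( LIKE \?)` in AdapterOCI8::fixupStatement does not cover `ILIKE ?`, which the following line still rewrites to `REGEXP_LIKE(..., REPLACE(?, '%', '.*') ...)`, so on Oracle a parameter escaped the way the cache.php hunk does it is not honoured on the ILIKE path. An escaped `\%` would become the regex `\.*` rather than a literal percent sign, and `_` or regex metacharacters in the value reach REGEXP_LIKE unchanged. The SQLite hunk handles both keywords with `I?LIKE`, so the two adapters now behave differently for the same statement. If no ILIKE caller escapes its parameter this stays latent, but it should be recorded above the ILIKE line, for example `// NOTE: ILIKE parameters are evaluated as a regex here; LIKE escaping with '\' does not apply`. fixupStatement continues past the end of the hunk.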
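Review bot: The added rewrite in AdapterSqlite::fixupStatement depends on running before the ILIKE rewrite on the next line, and nothing in the code says so. Once that line has produced `LOWER($1) LIKE LOWER(?)` the placeholder no longer directly follows `LIKE `, so `( I?LIKE \?)` would stop matching if the two lines were ever swapped; a comment such as `// must stay before the ILIKE rewrite, which wraps the placeholder in LOWER()` would protect the ordering. The match is also case-sensitive and requires exactly one space around the keyword, here and in the OCI8 hunk, so a statement written as `like ?` gets no ESCAPE clause while its caller may already be escaping; `'/ I?LIKE \?/i'` would cover that. The function body continues outside the hunk.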
@@ -544,7 +544,8 @@ class Cache {
 if ($sourceData['mimetype'] === 'httpd/unix-directory') {
 //find all child entries
 $sql = 'SELECT `path`, `fileid` FROM `*PREFIX*filecache` WHERE `storage` = ? AND `path` LIKE ?';
- $result = \OC_DB::executeAudited($sql, [$sourceStorageId, $sourcePath . '/%']);
+ $escapedPath = addcslashes($sourcePath, '\\_%');
+ $result = \OC_DB::executeAudited($sql, [$sourceStorageId, $escapedPath . '/%']);
 $childEntries = $result->fetchAll();
 $sourceLength = strlen($sourcePath);
 \OC_DB::beginTransaction();
diff --git a/tests/lib/files/cache/cache.php b/tests/lib/files/cache/cache.php
index 9a64375f4e3..c5395a97fd4 100644
--- a/tests/lib/files/cache/cache.php
+++ b/tests/lib/files/cache/cache.php
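Review bot: Only this one query escapes its LIKE parameter, while the adapter hunks in the same commit append `ESCAPE '\'` to every ` LIKE ?` that passes through fixupStatement. Any other LIKE caller (none are visible here) therefore has a backslash in its value treated as an escape character instead of a literal unless it applies the same escaping. The escape set `'\\_%'` is also an inline literal that must stay in step with the escape character hard-coded in the adapters. A comment on the new line would make that coupling visible, for example `// escape LIKE wildcards; '\' must match the ESCAPE clause added by the adapters' fixupStatement`, and a small shared helper would let other callers reuse it. The enclosing method starts and ends outside the hunk.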
@@ -604,6 +604,54 @@ class Cache extends \Test\TestCase {
 $this->assertNotEquals($fileId, $fileId2);
 }
+ public function escapingProvider() {
+ return [
+ ['foo'],
+ ['o%'],
+ ['oth_r'],
+ ];
+ }
+
+ /**
+ * @param string $name
+ * @dataProvider escapingProvider
+ */
+ public function testEscaping($name) {
+ $data = array('size' => 100, 'mtime' => 50, 'mimetype' => 'text/plain');
+ $this->cache->put($name, $data);
+ $this->assertTrue($this->cache->inCache($name));
+ $retrievedData = $this->cache->get($name);
+ foreach ($data as $key => $value) {
+ $this->assertEquals($value, $retrievedData[$key]);
+ }
+ $this->cache->move($name, $name . 'asd');
+ $this->assertFalse($this->cache->inCache($name));
+ $this->assertTrue($this->cache->inCache($name . 'asd'));
+ $this->cache->remove($name . 'asd');
+ $this->assertFalse($this->cache->inCache($name . 'asd'));
+ $folderData = array('size' => 100, 'mtime' => 50, 'mimetype' => 'httpd/unix-directory');
+ $this->cache->put($name, $folderData);
+ $this->cache->put('other', $folderData);
+ $childs = ['asd', 'bar', 'foo', 'sub/folder'];
+ $this->cache->put($name . '/sub/folder', $folderData);
+ $this->cache->put('other/sub/folder', $folderData);
+ foreach ($childs as $child) {
+ $this->cache->put($name . '/' . $child, $data);
+ $this->cache->put('other/' . $child, $data);
+ $this->assertTrue($this->cache->inCache($name . '/' . $child));
+ }
+ $this->cache->move($name, $name . 'asd');
+ foreach ($childs as $child) {
+ $this->assertTrue($this->cache->inCache($name . 'asd/' . $child));
+ $this->assertTrue($this->cache->inCache('other/' . $child));
+ }
+ foreach ($childs as $child) {
+ $this->cache->remove($name . 'asd/' . $child);
+ $this->assertFalse($this->cache->inCache($name . 'asd/' . $child));
+ $this->assertTrue($this->cache->inCache('other/' . $child));
+ }
+ }
+
 protected function tearDown() {
 if ($this->cache) {
 $this->cache->clear(); |
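Review bot: escapingProvider covers `%` and `_` but has no name containing a backslash, although the production change escapes `\` too and the adapters now declare it as the LIKE escape character. Assuming the cache accepts such a name, an entry like `['back\\slash'],` (constructed sample) would exercise that path on every backend and catch an adapter whose ESCAPE clause is missing. testEscaping also has no description of what it guards; a docblock line such as `Moving a folder whose name contains LIKE wildcards must not touch entries of sibling folders` would state why the `other` folder is set up.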