authorAaron Wood <aaronjwood@gmail.com>2016-07-20 08:20:45 -0400
committerThomas Müller <thomas.mueller@tmit.eu>2016-10-19 13:17:30 +0200
commitb00bdf5204088a29691b0428a14dd2e0ccf7bbcd (patch)
tree7376779e6ab35a9434aae6a7b8b6924cf64a58d8
parentbd081a202c5e198ed7231c3ec275f77df9d40b10 (diff)
downloadnextcloud-server-b00bdf5204088a29691b0428a14dd2e0ccf7bbcd.tar.gz
nextcloud-server-b00bdf5204088a29691b0428a14dd2e0ccf7bbcd.zip
[stable8.2] [stable9] Escape special characters (#25429)
* Escape LIKE parameter * Escape LIKE parameter * Escape LIKE parameter * Escape LIKE parameter * Escape LIKE parameter * Use correct method in the AbstractMapping class * Change the getNamesBySearch method so that input can be properly escaped while still supporting matches * Don't escape hardcoded wildcard
-rw-r--r--apps/user_ldap/lib/access.php2
-rw-r--r--apps/user_ldap/lib/mapping/abstractmapping.php4
-rw-r--r--apps/user_ldap/tests/mapping/abstractmappingtest.php2
-rw-r--r--lib/private/connector/sabre/custompropertiesbackend.php2
-rw-r--r--lib/private/group/database.php4
-rw-r--r--lib/repair/repairlegacystorages.php2
6 files changed, 8 insertions, 8 deletions
diff --git a/apps/user_ldap/lib/access.php b/apps/user_ldap/lib/access.php
index a4e4b6873ff..801f9c4d9dd 100644
--- a/apps/user_ldap/lib/access.php
+++ b/apps/user_ldap/lib/access.php
@@ -619,7 +619,7 @@ class Access extends LDAPUtility implements user\IUserTools {
* "Developers"
*/
private function _createAltInternalOwnCloudNameForGroups($name) {
- $usedNames = $this->groupMapper->getNamesBySearch($name.'_%');
+ $usedNames = $this->groupMapper->getNamesBySearch($name, "", '_%');
if(!($usedNames) || count($usedNames) === 0) {
$lastNo = 1; //will become name_2
} else {
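Review bot: The hard-coded postfix `'_%'` on the `+` line is passed through unescaped, and `_` is itself a LIKE single-character wildcard, so the lookup also matches names like `fooX` and `foobar` rather than only `foo_2`, `foo_3` (the comment on the next line says the intent is `name_2`). This over-match is pre-existing, but the new signature makes it easy to fix: move the underscore into the escaped part, `$usedNames = $this->groupMapper->getNamesBySearch($name . '_', '', '%');`, leaving `%` as the only wildcard. Whether the extra matches actually disturb the numbering depends on how `$usedNames` is parsed further down, which is outside the hunk. The empty prefix is written `""` while the rest of the file in view uses single quotes. _createAltInternalOwnCloudNameForGroups continues past the hunk.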
diff --git a/apps/user_ldap/lib/mapping/abstractmapping.php b/apps/user_ldap/lib/mapping/abstractmapping.php
index c3d38ce8b71..e10d0ed465c 100644
--- a/apps/user_ldap/lib/mapping/abstractmapping.php
+++ b/apps/user_ldap/lib/mapping/abstractmapping.php
@@ -140,14 +140,14 @@ abstract class AbstractMapping {
* @param string $search
* @return string[]
*/
- public function getNamesBySearch($search) {
+ public function getNamesBySearch($search, $prefixMatch = "", $postfixMatch = "") {
$query = $this->dbc->prepare('
SELECT `owncloud_name`
FROM `'. $this->getTableName() .'`
WHERE `owncloud_name` LIKE ?
');
- $res = $query->execute(array($search));
+ $res = $query->execute(array($prefixMatch.$this->dbc->escapeLikeParameter($search).$postfixMatch));
$names = array();
if($res !== false) {
while($row = $query->fetch()) {
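Review bot: The new signature adds `$prefixMatch` and `$postfixMatch`, but the docblock above it (only `@param string $search` is visible) is not updated, and nothing records that these two are concatenated into the pattern unescaped, so callers must pass only wildcard fragments and never user input; add `@param string $prefixMatch LIKE fragment placed before the escaped search; not escaped, must not come from user input` and `@param string $postfixMatch LIKE fragment placed after the escaped search; not escaped, must not come from user input`. Separately, the escaping only takes effect when the backend treats the escape character as such in a bare `LIKE ?`; SQLite, for one, has no default escape character without an explicit `ESCAPE` clause, so it is worth confirming which escape character `escapeLikeParameter` emits and whether this query and the ones in custompropertiesbackend.php, group/database.php and repairlegacystorages.php need an `ESCAPE` clause on every supported database. The defaults are written `""` where the surrounding code uses single quotes. getNamesBySearch continues past the hunk.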
diff --git a/apps/user_ldap/tests/mapping/abstractmappingtest.php b/apps/user_ldap/tests/mapping/abstractmappingtest.php
index dc9304fe325..bb883f0c893 100644
--- a/apps/user_ldap/tests/mapping/abstractmappingtest.php
+++ b/apps/user_ldap/tests/mapping/abstractmappingtest.php
@@ -162,7 +162,7 @@ abstract class AbstractMappingTest extends \Test\TestCase {
public function testSearch() {
list($mapper,) = $this->initTest();
- $names = $mapper->getNamesBySearch('%oo%');
+ $names = $mapper->getNamesBySearch('oo', '%', '%');
$this->assertTrue(is_array($names));
$this->assertSame(2, count($names));
$this->assertTrue(in_array('Foobar', $names));
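Review bot: The updated call only exercises the new signature; nothing in the test checks that a `%` or `_` inside `$search` is now matched literally, which is the behaviour this commit introduces. A regression back to unescaped input would still pass here. Add a case such as `$this->assertSame(array(), $mapper->getNamesBySearch('o%o', '%', '%'));` — assuming the fixture holds no name literally containing `o%o` — since an unescaped `%o%o%` would match `Foobar` and fail it. testSearch continues past the hunk.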
diff --git a/lib/private/connector/sabre/custompropertiesbackend.php b/lib/private/connector/sabre/custompropertiesbackend.php
index a05de1adb35..69d321c1161 100644
--- a/lib/private/connector/sabre/custompropertiesbackend.php
+++ b/lib/private/connector/sabre/custompropertiesbackend.php
@@ -327,7 +327,7 @@ class CustomPropertiesBackend implements BackendInterface {
$result = $this->connection->executeQuery(
$sql,
- array($this->user, rtrim($path, '/') . '/%', $requestedProperties),
+ array($this->user, $this->connection->escapeLikeParameter(rtrim($path, '/')) . '/%', $requestedProperties),
array(null, null, \Doctrine\DBAL\Connection::PARAM_STR_ARRAY)
);
diff --git a/lib/private/group/database.php b/lib/private/group/database.php
index ad6174808bb..0cd8e6555da 100644
--- a/lib/private/group/database.php
+++ b/lib/private/group/database.php
@@ -222,7 +222,7 @@ class OC_Group_Database extends OC_Group_Backend {
$parameters = [$gid];
$searchLike = '';
if ($search !== '') {
- $parameters[] = '%' . $search . '%';
+ $parameters[] = '%' . $this->dbConn->escapeLikeParameter($search) . '%';
$searchLike = ' AND `uid` LIKE ?';
}
@@ -248,7 +248,7 @@ class OC_Group_Database extends OC_Group_Backend {
$parameters = [$gid];
$searchLike = '';
if ($search !== '') {
- $parameters[] = '%' . $search . '%';
+ $parameters[] = '%' . $this->dbConn->escapeLikeParameter($search) . '%';
$searchLike = ' AND `uid` LIKE ?';
}
diff --git a/lib/repair/repairlegacystorages.php b/lib/repair/repairlegacystorages.php
index 5ba452cbbc6..b8e8268aa3f 100644
--- a/lib/repair/repairlegacystorages.php
+++ b/lib/repair/repairlegacystorages.php
@@ -170,7 +170,7 @@ class RepairLegacyStorages extends BasicEmitter {
$sql = 'SELECT `id`, `numeric_id` FROM `*PREFIX*storages`'
. ' WHERE `id` LIKE ?'
. ' ORDER BY `id`';
- $result = $this->connection->executeQuery($sql, array($dataDirId . '%'));
+ $result = $this->connection->executeQuery($sql, array($this->connection->escapeLikeParameter($dataDirId) . '%'));
while ($row = $result->fetch()) {
$currentId = $row['id'];