Escape special characters (#25429)

* Escape LIKE parameter * Escape LIKE parameter * Escape LIKE parameter * Escape LIKE parameter * Escape LIKE parameter * Use correct method in the AbstractMapping class * Change the getNamesBySearch method so that input can be properly escaped while still supporting matches * Don't escape hardcoded wildcard
author: Aaron Wood <aaronjwood@gmail.com> 2016-07-20 08:20:45 -0400
committer: Lukas Reschke <lukas@statuscode.ch> 2016-07-20 14:46:47 +0200
commit: 7c0de08cc44e0b04f23d6f3fa2d6030991935c54 (patch)
tree: 8a680779c0e7a661a8f1f3d2f998e8cbe543c3da /apps/dav
parent: b37e1ed17f54916e3321427d92afa3f74ebea1b3 (diff)
download: nextcloud-server-7c0de08cc44e0b04f23d6f3fa2d6030991935c54.tar.gz
nextcloud-server-7c0de08cc44e0b04f23d6f3fa2d6030991935c54.zip
1 files changed, 1 insertions, 1 deletions
diff --git a/apps/dav/lib/Connector/Sabre/CustomPropertiesBackend.php b/apps/dav/lib/Connector/Sabre/CustomPropertiesBackend.php
index d0d348e170e..b319350c7f0 100644
--- a/apps/dav/lib/Connector/Sabre/CustomPropertiesBackend.php
+++ b/apps/dav/lib/Connector/Sabre/CustomPropertiesBackend.php
@@ -327,7 +327,7 @@ class CustomPropertiesBackend implements BackendInterface {
 
 		$result = $this->connection->executeQuery(
 			$sql,
-			array($this->user, rtrim($path, '/') . '/%', $requestedProperties),
+			array($this->user, $this->connection->escapeLikeParameter(rtrim($path, '/')) . '/%', $requestedProperties),
 			array(null, null, \Doctrine\DBAL\Connection::PARAM_STR_ARRAY)
 		);
author	Aaron Wood <aaronjwood@gmail.com>	2016-07-20 08:20:45 -0400
committer	Lukas Reschke <lukas@statuscode.ch>	2016-07-20 14:46:47 +0200
commit	7c0de08cc44e0b04f23d6f3fa2d6030991935c54 (patch)
tree	8a680779c0e7a661a8f1f3d2f998e8cbe543c3da /apps/dav
parent	b37e1ed17f54916e3321427d92afa3f74ebea1b3 (diff)
download	nextcloud-server-7c0de08cc44e0b04f23d6f3fa2d6030991935c54.tar.gz nextcloud-server-7c0de08cc44e0b04f23d6f3fa2d6030991935c54.zip