author | Björn Schießle <schiessle@owncloud.com> | 2014-07-25 10:16:22 +0200 |
---|---|---|
committer | Björn Schießle <schiessle@owncloud.com> | 2014-07-25 10:16:22 +0200 |
commit | 40f2a34be113db75cd26166de35e9ba3076e4cf3 (patch) | |
tree | 39f7d3b2dbf78e25df8fc84b471f936e08e81354 /apps | |
parent | 3f58d949e012c68a01b9d4603c32244811196939 (diff) | |
parent | c22b5c78841c4ea4924bd30cad68528761611107 (diff) | |
Merge pull request #9867 from owncloud/fix_sharing_update
fix sharing update, add proper escaping
Diffstat (limited to 'apps')
-rw-r--r-- | apps/files_sharing/appinfo/update.php | 6 | ||||
-rw-r--r-- | apps/files_sharing/tests/update.php | 1 |
2 files changed, 5 insertions, 2 deletions
diff --git a/apps/files_sharing/appinfo/update.php b/apps/files_sharing/appinfo/update.php index fc547ba349d..72acdbac736 100644 --- a/apps/files_sharing/appinfo/update.php +++ b/apps/files_sharing/appinfo/update.php @@ -32,6 +32,7 @@ function updateFilePermissions($chunkSize = 99) { } } + $connection = \OC_DB::getConnection(); $chunkedPermissionList = array_chunk($updatedRows, $chunkSize, true); foreach ($chunkedPermissionList as $subList) { @@ -39,7 +40,7 @@ function updateFilePermissions($chunkSize = 99) { //update share table $ids = implode(',', array_keys($subList)); foreach ($subList as $id => $permission) { - $statement .= "WHEN " . $id . " THEN " . $permission . " "; + $statement .= "WHEN " . $connection->quote($id, \PDO::PARAM_INT) . " THEN " . $permission . " "; } $statement .= ' END WHERE `id` IN (' . $ids . ')'; @@ -95,6 +96,7 @@ function removeSharedFolder($mkdirs = true, $chunkSize = 99) { } $chunkedShareList = array_chunk($shares, $chunkSize, true); + $connection = \OC_DB::getConnection(); foreach ($chunkedShareList as $subList) { @@ -102,7 +104,7 @@ function removeSharedFolder($mkdirs = true, $chunkSize = 99) { //update share table $ids = implode(',', array_keys($subList)); foreach ($subList as $id => $target) { - $statement .= "WHEN " . $id . " THEN '/Shared" . $target . "' "; + $statement .= "WHEN " . $connection->quote($id, \PDO::PARAM_INT) . " THEN " . $connection->quote('/Shared' . $target, \PDO::PARAM_STR); } $statement .= ' END WHERE `id` IN (' . $ids . ')'; diff --git a/apps/files_sharing/tests/update.php b/apps/files_sharing/tests/update.php index 86b92b69616..d3555cc2ee3 100644 --- a/apps/files_sharing/tests/update.php +++ b/apps/files_sharing/tests/update.php 
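Review bot: In updateFilePermissions() only the WHEN key is quoted; `$permission` on the same line and the `$ids` list placed into `IN (...)` are still concatenated into the statement as-is. Where those values come from is outside the hunk, so this may be safe today, but the statement is only partly protected and a later change to how `$updatedRows` is built would not be caught. Casting makes the integer assumption explicit: `" THEN " . (int)$permission . " "` and `$ids = implode(',', array_map('intval', array_keys($subList)));`. The same `$ids` construction remains in removeSharedFolder(); a prepared statement with bound parameters would remove the hand-built escaping in both places.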
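Review bot: The rewritten line in removeSharedFolder() no longer emits the trailing space that the old `"' "` suffix provided, so consecutive clauses are joined with nothing between the quoted target and the next `WHEN`. The generated SQL then depends on each backend's tokenizer accepting a keyword directly after a string literal. Appending a separator keeps the statement unambiguous: `... . $connection->quote('/Shared' . $target, \PDO::PARAM_STR) . ' ';`. The loop and the statement prefix start outside the hunk, so the exact text before the first `WHEN` should be checked as well.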
@@ -176,6 +176,7 @@ class Test_Files_Sharing_Update_Routine extends Test_Files_Sharing_Base { array(\OCP\Share::SHARE_TYPE_USER, 'folder', 'user2', 'admin', '/foo2'), array(\OCP\Share::SHARE_TYPE_USER, 'file', 'user3', 'admin', '/foo3'), array(\OCP\Share::SHARE_TYPE_USER, 'folder', 'user4', 'admin', '/foo4'), + array(\OCP\Share::SHARE_TYPE_USER, 'folder', 'user4', 'admin', "/foo'4"), array(\OCP\Share::SHARE_TYPE_LINK, 'file', 'user1', 'admin', '/ShouldNotChange'), array(\OCP\Share::SHARE_TYPE_CONTACT, 'contact', 'admin', 'user1', '/ShouldNotChange'), |
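Review bot: The added fixture row with target `"/foo'4"` has no comment explaining that it exists to exercise quoting in the update routine, and it reuses `'user4'` from the row above, so it can be mistaken for a typo or duplicate and removed later. A comment above the row would preserve the intent, for example `// target containing a single quote: regression check for escaping in removeSharedFolder()`. The assertions are outside this hunk, so it is worth confirming that they compare the stored target with the expected `/Shared/foo'4` value and do not only count rows.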