authorVincent Petry <pvince81@owncloud.com>2016-10-19 16:47:08 +0300
committerGitHub <noreply@github.com>2016-10-19 16:47:08 +0300
commited468d5c1ef91ccc91f30cb569dee2c668e43b7c (patch)
treeb8cd92d0b6b051f968b73f83c9270849c686bcd2
parenta9e8b7dd08b2cc39b5a914ec40dd65af02279f66 (diff)
parentab92c20d65b385e6df3aba90fade7a90028a3d22 (diff)
Merge pull request #26409 from owncloud/stable9-36d6f3ba8b7b7db8f4d8b2a70504fd184a30cc50
[stable9] Escape special characters (#25429)
-rw-r--r--apps/dav/lib/connector/sabre/custompropertiesbackend.php2
-rw-r--r--apps/user_ldap/lib/access.php2
-rw-r--r--apps/user_ldap/lib/mapping/abstractmapping.php4
-rw-r--r--apps/user_ldap/tests/mapping/abstractmappingtest.php2
-rw-r--r--lib/private/group/database.php4
-rw-r--r--lib/private/repair/repairlegacystorages.php2
6 files changed, 8 insertions, 8 deletions
diff --git a/apps/dav/lib/connector/sabre/custompropertiesbackend.php b/apps/dav/lib/connector/sabre/custompropertiesbackend.php
index 5946c9910d4..9c0136bece4 100644
--- a/apps/dav/lib/connector/sabre/custompropertiesbackend.php
+++ b/apps/dav/lib/connector/sabre/custompropertiesbackend.php
@@ -327,7 +327,7 @@ class CustomPropertiesBackend implements BackendInterface {
$result = $this->connection->executeQuery(
$sql,
- array($this->user, rtrim($path, '/') . '/%', $requestedProperties),
+ array($this->user, $this->connection->escapeLikeParameter(rtrim($path, '/')) . '/%', $requestedProperties),
array(null, null, \Doctrine\DBAL\Connection::PARAM_STR_ARRAY)
);
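Review bot: The escaped value only protects the query if the `LIKE` in `$sql` treats backslash as its escape character, which `escapeLikeParameter` presumably emits; that is not the default on every database (SQLite needs an explicit `ESCAPE` clause), and `$sql` is built outside this hunk, so confirm the statement or the connection's statement fixup adds `ESCAPE '\'` where the driver needs it. The same dependency applies to every LIKE parameter escaped in this commit (user_ldap access/abstractmapping, group/database, repairlegacystorages). A short comment next to the argument would record the assumption: `// $path escaped for LIKE; relies on backslash being the LIKE escape char on all supported DBs`. The enclosing method continues outside the hunk.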
diff --git a/apps/user_ldap/lib/access.php b/apps/user_ldap/lib/access.php
index dd4aeee3b24..0e9342afce7 100644
--- a/apps/user_ldap/lib/access.php
+++ b/apps/user_ldap/lib/access.php
@@ -621,7 +621,7 @@ class Access extends LDAPUtility implements user\IUserTools {
* "Developers"
*/
private function _createAltInternalOwnCloudNameForGroups($name) {
- $usedNames = $this->groupMapper->getNamesBySearch($name.'_%');
+ $usedNames = $this->groupMapper->getNamesBySearch($name, "", '_%');
if(!($usedNames) || count($usedNames) === 0) {
$lastNo = 1; //will become name_2
} else {
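Review bot: The empty prefix is passed as `""` while the postfix on the same line uses `'_%'`; `''` keeps the quoting style consistent. Since the postfix is appended unescaped, the `_` in `'_%'` is itself a single-character LIKE wildcard rather than a literal underscore, so the lookup is broader than `name_` (unchanged from the previous `$name.'_%'`, but now easy to miss); a comment such as `// postfix is unescaped: '_' and '%' are both LIKE wildcards here` makes that explicit. The function body continues past the hunk.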
diff --git a/apps/user_ldap/lib/mapping/abstractmapping.php b/apps/user_ldap/lib/mapping/abstractmapping.php
index 1c896a9bbf4..d260e57e9b2 100644
--- a/apps/user_ldap/lib/mapping/abstractmapping.php
+++ b/apps/user_ldap/lib/mapping/abstractmapping.php
@@ -140,14 +140,14 @@ abstract class AbstractMapping {
* @param string $search
* @return string[]
*/
- public function getNamesBySearch($search) {
+ public function getNamesBySearch($search, $prefixMatch = "", $postfixMatch = "") {
$query = $this->dbc->prepare('
SELECT `owncloud_name`
FROM `'. $this->getTableName() .'`
WHERE `owncloud_name` LIKE ?
');
- $res = $query->execute(array($search));
+ $res = $query->execute(array($prefixMatch.$this->dbc->escapeLikeParameter($search).$postfixMatch));
$names = array();
if($res !== false) {
while($row = $query->fetch()) {
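Review bot: The docblock above the changed signature still documents only `$search` (`@param string $search`) and says nothing about the two new parameters; it needs `@param string $prefixMatch` and `@param string $postfixMatch` entries stating that they are appended unescaped around the escaped `$search`, since that asymmetry is the whole contract of the method. Because `$search` is now always escaped, any caller outside this diff that still passes a ready-made pattern such as `'%foo%'` will silently match those characters literally; only the one caller in access.php is updated here, so other call sites are worth checking. The function body continues past the hunk.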
diff --git a/apps/user_ldap/tests/mapping/abstractmappingtest.php b/apps/user_ldap/tests/mapping/abstractmappingtest.php
index c6427be516b..6582e5c3014 100644
--- a/apps/user_ldap/tests/mapping/abstractmappingtest.php
+++ b/apps/user_ldap/tests/mapping/abstractmappingtest.php
@@ -162,7 +162,7 @@ abstract class AbstractMappingTest extends \Test\TestCase {
public function testSearch() {
list($mapper,) = $this->initTest();
- $names = $mapper->getNamesBySearch('%oo%');
+ $names = $mapper->getNamesBySearch('oo', '%', '%');
$this->assertTrue(is_array($names));
$this->assertSame(2, count($names));
$this->assertTrue(in_array('Foobar', $names));
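Review bot: The updated assertion only shows that moving the wildcards out of `$search` still finds the same rows; it does not pin the behaviour the commit introduces, namely that `%` and `_` inside `$search` are matched literally. An assertion such as `$this->assertSame(array(), $mapper->getNamesBySearch('%'));` (assuming no fixture name contains a literal percent sign, which the visible fixture `Foobar` suggests) would turn this into a regression test for the escaping. testSearch's body continues outside the hunk.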
diff --git a/lib/private/group/database.php b/lib/private/group/database.php
index 9ea0bbb8242..503c29b99c0 100644
--- a/lib/private/group/database.php
+++ b/lib/private/group/database.php
@@ -294,7 +294,7 @@ class OC_Group_Database extends OC_Group_Backend {
$parameters = [$gid];
$searchLike = '';
if ($search !== '') {
- $parameters[] = '%' . $search . '%';
+ $parameters[] = '%' . $this->dbConn->escapeLikeParameter($search) . '%';
$searchLike = ' AND `uid` LIKE ?';
}
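Review bot: The `$parameters`/`$searchLike` construction, now including the `escapeLikeParameter` call, is duplicated verbatim between this hunk and the one at `@@ -320`; keeping the LIKE pattern in one place, e.g. a small private helper returning `'%' . $this->dbConn->escapeLikeParameter($search) . '%'`, would stop the two copies from drifting the next time one is touched. Both enclosing methods start outside their hunks.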
@@ -320,7 +320,7 @@ class OC_Group_Database extends OC_Group_Backend {
$parameters = [$gid];
$searchLike = '';
if ($search !== '') {
- $parameters[] = '%' . $search . '%';
+ $parameters[] = '%' . $this->dbConn->escapeLikeParameter($search) . '%';
$searchLike = ' AND `uid` LIKE ?';
}
diff --git a/lib/private/repair/repairlegacystorages.php b/lib/private/repair/repairlegacystorages.php
index ee189110a87..1442a3d1a7a 100644
--- a/lib/private/repair/repairlegacystorages.php
+++ b/lib/private/repair/repairlegacystorages.php
@@ -170,7 +170,7 @@ class RepairLegacyStorages extends BasicEmitter {
$sql = 'SELECT `id`, `numeric_id` FROM `*PREFIX*storages`'
. ' WHERE `id` LIKE ?'
. ' ORDER BY `id`';
- $result = $this->connection->executeQuery($sql, array($dataDirId . '%'));
+ $result = $this->connection->executeQuery($sql, array($this->connection->escapeLikeParameter($dataDirId) . '%'));
while ($row = $result->fetch()) {
$currentId = $row['id'];