copyleftie
/
gajim-plural
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

use prepared statements in all SQL queries that contains jids to prevent SQL injection. Fixes #7034

This commit is contained in:
Yann Leboulanger 2011-11-08 22:00:52 +01:00
parent 93683a8c54
commit 23327c834d
1 changed files with 41 additions and 37 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

78
src/common/logger.py
View File

@ -569,7 +569,7 @@ class Logger:
except exceptions.PysqliteOperationalError, e:
# Error trying to create a new jid_id. This means there is no log
return []
where_sql = self._build_contact_where(account, jid)
where_sql, jid_tuple = self._build_contact_where(account, jid)
now = int(float(time.time()))
timed_out = now - (timeout * 60) # before that they are too old
@ -577,14 +577,13 @@ class Logger:
# 3 - 8 (we avoid the last 2 lines but we still return 5 asked)
try:
self.cur.execute('''
SELECT time, kind, message FROM logs
WHERE (%s) AND kind IN (%d, %d, %d, %d, %d) AND time > %d
ORDER BY time DESC LIMIT %d OFFSET %d
''' % (where_sql, constants.KIND_SINGLE_MSG_RECV,
constants.KIND_CHAT_MSG_RECV, constants.KIND_SINGLE_MSG_SENT,
constants.KIND_CHAT_MSG_SENT, constants.KIND_ERROR,
timed_out, restore_how_many_rows, pending_how_many)
)
SELECT time, kind, message FROM logs
WHERE (%s) AND kind IN (%d, %d, %d, %d, %d) AND time > %d
ORDER BY time DESC LIMIT %d OFFSET %d
''' % (where_sql, constants.KIND_SINGLE_MSG_RECV,
constants.KIND_CHAT_MSG_RECV, constants.KIND_SINGLE_MSG_SENT,
constants.KIND_CHAT_MSG_SENT, constants.KIND_ERROR, timed_out,
restore_how_many_rows, pending_how_many), jid_tuple)
results = self.cur.fetchall()
except sqlite.DatabaseError:
@ -614,18 +613,18 @@ class Logger:
except exceptions.PysqliteOperationalError, e:
# Error trying to create a new jid_id. This means there is no log
return []
where_sql = self._build_contact_where(account, jid)
where_sql, jid_tuple = self._build_contact_where(account, jid)
start_of_day = self.get_unix_time_from_date(year, month, day)
seconds_in_a_day = 86400 # 60 * 60 * 24
last_second_of_day = start_of_day + seconds_in_a_day - 1
self.cur.execute('''
SELECT contact_name, time, kind, show, message, subject FROM logs
WHERE (%s)
AND time BETWEEN %d AND %d
ORDER BY time
''' % (where_sql, start_of_day, last_second_of_day))
SELECT contact_name, time, kind, show, message, subject FROM logs
WHERE (%s)
AND time BETWEEN %d AND %d
ORDER BY time
''' % (where_sql, start_of_day, last_second_of_day), jid_tuple)
results = self.cur.fetchall()
return results
@ -651,13 +650,13 @@ class Logger:
return results
else: # user just typed something, we search in message column
where_sql = self._build_contact_where(account, jid)
where_sql, jid_tuple = self._build_contact_where(account, jid)
like_sql = '%' + query.replace("'", "''") + '%'
self.cur.execute('''
SELECT contact_name, time, kind, show, message, subject FROM logs
WHERE (%s) AND message LIKE '%s'
ORDER BY time
''' % (where_sql, like_sql))
SELECT contact_name, time, kind, show, message, subject FROM logs
WHERE (%s) AND message LIKE '%s'
ORDER BY time
''' % (where_sql, like_sql), jid_tuple)
results = self.cur.fetchall()
return results
@ -672,7 +671,7 @@ class Logger:
# Error trying to create a new jid_id. This means there is no log
return []
days_with_logs = []
where_sql = self._build_contact_where(account, jid)
where_sql, jid_tuple = self._build_contact_where(account, jid)
# First select all date of month whith logs we want
start_of_month = self.get_unix_time_from_date(year, month, 1)
@ -684,13 +683,13 @@ class Logger:
# and take only one of the same values (distinct)
# Now we have timestamps of time 0:00 of every day with logs
self.cur.execute('''
SELECT DISTINCT time/(86400)*86400 FROM logs
WHERE (%s)
AND time BETWEEN %d AND %d
AND kind NOT IN (%d, %d)
ORDER BY time
''' % (where_sql, start_of_month, last_second_of_month,
constants.KIND_STATUS, constants.KIND_GCSTATUS))
SELECT DISTINCT time/(86400)*86400 FROM logs
WHERE (%s)
AND time BETWEEN %d AND %d
AND kind NOT IN (%d, %d)
ORDER BY time
''' % (where_sql, start_of_month, last_second_of_month,
constants.KIND_STATUS, constants.KIND_GCSTATUS), jid_tuple)
result = self.cur.fetchall()
# convert timestamps to day of month
@ -706,19 +705,21 @@ class Logger:
"""
where_sql = ''
if not is_room:
where_sql = self._build_contact_where(account, jid)
where_sql, jid_tuple = self._build_contact_where(account, jid)
else:
try:
jid_id = self.get_jid_id(jid, 'ROOM')
except exceptions.PysqliteOperationalError, e:
# Error trying to create a new jid_id. This means there is no log
return None
where_sql = 'jid_id = %s' % jid_id
where_sql = 'jid_id = ?'
jid_tuple = (jid_id,)
self.cur.execute('''
SELECT MAX(time) FROM logs
WHERE (%s)
AND kind NOT IN (%d, %d)
''' % (where_sql, constants.KIND_STATUS, constants.KIND_GCSTATUS))
SELECT MAX(time) FROM logs
WHERE (%s)
AND kind NOT IN (%d, %d)
''' % (where_sql, constants.KIND_STATUS, constants.KIND_GCSTATUS),
jid_tuple)
results = self.cur.fetchone()
if results is not None:
@ -766,6 +767,7 @@ class Logger:
Build the where clause for a jid, including metacontacts jid(s) if any
"""
where_sql = ''
jid_tuple = ()
# will return empty list if jid is not associated with
# any metacontacts
family = gajim.contacts.get_metacontacts_family(account, jid)
@ -775,13 +777,15 @@ class Logger:
jid_id = self.get_jid_id(user['jid'])
except exceptions.PysqliteOperationalError, e:
continue
where_sql += 'jid_id = %s' % jid_id
where_sql += 'jid_id = ?'
jid_tuple += (jid_id,)
if user != family[-1]:
where_sql += ' OR '
else: # if jid was not associated with metacontacts
jid_id = self.get_jid_id(jid)
where_sql = 'jid_id = %s' % jid_id
return where_sql
where_sql = 'jid_id = ?'
jid_tuple += (jid_id,)
return where_sql, jid_tuple
def save_transport_type(self, jid, type_):
"""