fix(core): only escape "%" with the SQL LIKE operator

2026-05-23 04:15:26 +00:00 · 2022-01-31 14:51:26 -05:00
parent 9bffee269d
commit 2389e44513
6 changed files with 24 additions and 20 deletions
@@ -1,5 +1,5 @@
 /*
-  Copyright (C) 2007-2014 Inverse inc.
+  Copyright (C) 2007-2022 Inverse inc.
  Copyright (C) 2004-2005 SKYRIX Software AG

  This file is part of SOGo.
@@ -795,7 +795,7 @@ static Class iCalEventK = nil;
  if ([title length])
    [baseWhere
      addObject: [NSString stringWithFormat: @"c_title isCaseInsensitiveLike: '%%%@%%'",
-                           [title asSafeSQLString]]];
+                           [title asSafeSQLLikeString]]];

  if (component)
    {
@@ -1532,14 +1532,14 @@ firstInstanceCalendarDateRange: (NGCalendarDateRange *) fir
              if ([filters isEqualToString:@"title_Category_Location"] || [filters isEqualToString:@"entireContent"])
                {
                  [baseWhere addObject: [NSString stringWithFormat: @"(c_title isCaseInsensitiveLike: '%%%@%%' OR c_category isCaseInsensitiveLike: '%%%@%%' OR c_location isCaseInsensitiveLike: '%%%@%%')",
-                                                  [title asSafeSQLString],
-                                                  [title asSafeSQLString],
-                                                  [title asSafeSQLString]]];
+                                                  [title asSafeSQLLikeString],
+                                                  [title asSafeSQLLikeString],
+                                                  [title asSafeSQLLikeString]]];
                }
            }
          else
            [baseWhere addObject: [NSString stringWithFormat: @"c_title isCaseInsensitiveLike: '%%%@%%'",
-                                            [title asSafeSQLString]]];
+                                            [title asSafeSQLLikeString]]];
        }
      
      /* prepare mandatory fields */
@@ -1,5 +1,5 @@
 /*
-  Copyright (C) 2006-2013 Inverse inc.
+  Copyright (C) 2006-2022 Inverse inc.
  Copyright (C) 2004-2005 SKYRIX Software AG

  This file is part of SOGo.
@@ -178,7 +178,7 @@ static NSArray *folderListingFields = nil;

  if ([filter length] > 0)
    {
-      filter = [filter asSafeSQLString];
+      filter = [filter asSafeSQLLikeString];
      if ([criteria isEqualToString: @"name_or_address"])
        qs = [NSString stringWithFormat:
                         @"(c_sn isCaseInsensitiveLike: '%%%@%%') OR "
@@ -281,7 +281,7 @@ static NSArray *folderListingFields = nil;
  if (aName && [aName length] > 0)
    {
      aName = [aName asSafeSQLString];
-      qs = [NSString stringWithFormat: @"(c_name='%@')", aName];
+      qs = [NSString stringWithFormat: @"(c_name = '%@')", aName];
      qualifier = [EOQualifier qualifierWithQualifierFormat: qs];
      dbRecords = [[self ocsFolder] fetchFields: folderListingFields
 			      matchingQualifier: qualifier];
@@ -1,6 +1,6 @@
 /* NSString+Utilities.h - this file is part of SOGo
 *
- * Copyright (C) 2006-2015 Inverse inc.
+ * Copyright (C) 2006-2022 Inverse inc.
 *
 * This file is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
@@ -51,6 +51,7 @@

 /* SQL safety */
 - (NSString *) asSafeSQLString;
+- (NSString *) asSafeSQLLikeString;

 /* Unicode safety */
 - (NSString *) safeString;
@@ -1,6 +1,6 @@
 /* NSString+Utilities.m - this file is part of SOGo
 *
- * Copyright (C) 2006-2015 Inverse inc.
+ * Copyright (C) 2006-2022 Inverse inc.
 *
 * This file is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
@@ -688,9 +688,13 @@ static int cssEscapingCount;

 - (NSString *) asSafeSQLString
 {
-  return [[[self stringByReplacingString: @"\\" withString: @"\\\\"]
-           stringByReplacingString: @"'" withString: @"\\'"]
-	   stringByReplacingString: @"\%" withString: @"\\%"];
+  return [[self stringByReplacingString: @"\\" withString: @"\\\\"]
+           stringByReplacingString: @"'" withString: @"\\'"];
+}
+
+- (NSString *) asSafeSQLLikeString
+{
+  return [[self asSafeSQLString] stringByReplacingString: @"\%" withString: @"\\%"];
 }

 - (NSUInteger) countOccurrencesOfString: (NSString *) substring
@@ -1,7 +1,7 @@
 /* SOGoGCSFolder.m - this file is part of SOGo
 *
 * Copyright (C) 2004-2005 SKYRIX Software AG
- * Copyright (C) 2006-2014 Inverse inc.
+ * Copyright (C) 2006-2022 Inverse inc.
 *
 * This file is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
@@ -1929,8 +1929,8 @@ static NSArray *childRecordFields = nil;
  if (sqlFilter)
    {
      filterString = [NSMutableString stringWithCapacity: 8192];
-      [filterString appendFormat: @"(c_name='%@')",
-                    [cNames componentsJoinedByString: @"' OR c_name='"]];
+      [filterString appendFormat: @"(c_name = '%@')",
+                    [cNames componentsJoinedByString: @"' OR c_name = '"]];
      if ([sqlFilter length] > 0)
        [filterString appendFormat: @" AND (%@)", sqlFilter];
      qualifier = [EOQualifier qualifierWithQualifierFormat: filterString];
@@ -1972,8 +1972,7 @@ static NSArray *childRecordFields = nil;
    {
      currentName = [[cNames objectAtIndex: count] asSafeSQLString];
      queryNameLength = idQueryOverhead + [currentName length];
-      if ((currentSize + queryNameLength)
-	  > maxQuerySize)
+      if ((currentSize + queryNameLength) > maxQuerySize)
 	{
 	  records = [self _fetchComponentsWithNames: currentNames fields: fields];
 	  [components addObjectsFromArray: records];
@@ -776,7 +776,7 @@
  if (channel)
    {
      lowerFilter = [filter lowercaseString];
-      lowerFilter = [lowerFilter stringByReplacingString: @"'"  withString: @"''"];
+      lowerFilter = [lowerFilter asSafeSQLLikeString];

      sql = [NSMutableString stringWithFormat: (@"SELECT *"
                                         @" FROM %@"