(fix) make sure we safely escape all chars

This commit is contained in:
Ludovic Marcotte
2016-12-09 10:45:44 -05:00
parent b0fcaeef86
commit 340ddf0ae6
3 changed files with 12 additions and 13 deletions


@@ -696,7 +696,7 @@ static Class iCalEventK = nil;
if ([title length])
[baseWhere
addObject: [NSString stringWithFormat: @"c_title isCaseInsensitiveLike: '%%%@%%'",
[title stringByReplacingString: @"'" withString: @"\\'\\'"]]];
[title asSafeSQLString]]];
if (component)
{
@@ -1436,14 +1436,14 @@ firstInstanceCalendarDateRange: (NGCalendarDateRange *) fir
if ([filters isEqualToString:@"title_Category_Location"] || [filters isEqualToString:@"entireContent"])
{
[baseWhere addObject: [NSString stringWithFormat: @"(c_title isCaseInsensitiveLike: '%%%@%%' OR c_category isCaseInsensitiveLike: '%%%@%%' OR c_location isCaseInsensitiveLike: '%%%@%%')",
[title stringByReplacingString: @"'" withString: @"\\'\\'"],
[title stringByReplacingString: @"'" withString: @"\\'\\'"],
[title stringByReplacingString: @"'" withString: @"\\'\\'"]]];
[title asSafeSQLString],
[title asSafeSQLString],
[title asSafeSQLString]]];
}
}
else
[baseWhere addObject: [NSString stringWithFormat: @"c_title isCaseInsensitiveLike: '%%%@%%'",
[title stringByReplacingString: @"'" withString: @"\\'\\'"]]];
[title asSafeSQLString]]];
}
/* prepare mandatory fields */
@@ -2619,7 +2619,7 @@ firstInstanceCalendarDateRange: (NGCalendarDateRange *) fir
if (uid && folder)
{
qualifier = [EOQualifier qualifierWithQualifierFormat: @"c_uid = %@",
uid];
[uid asSafeSQLString]];
records = [folder fetchFields: nameFields matchingQualifier: qualifier];
count = [records count];
if (count)
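Review bot: `c_uid = %@` is an equality, yet the value it now receives has gone through asSafeSQLString, whose new `%` → `\%` rewrite only makes sense inside a LIKE pattern; a uid that happens to contain `%` would presumably stop matching, and the same mismatch appears at `c_name = %@` and `(c_name='%@')` in the second file. It is also unclear from the hunk whether `%@` in `qualifierWithQualifierFormat:` hands the string to the adaptor as a qualifier value that gets quoted again at SQL generation time — if it does, quotes and backslashes in `uid` end up escaped twice and the original `uid]` was the correct form. Worth confirming against the adaptor before merging, and either way a comment at this call site stating which layer is responsible for quoting (e.g. `/* value is quoted by the adaptor; do not pre-escape */` or the opposite) would keep the next maintainer from adding a third layer. The enclosing method continues outside the hunk.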


@@ -121,7 +121,7 @@ static NSArray *folderListingFields = nil;
NSString *component;
Class objectClass;
qualifier = [EOQualifier qualifierWithQualifierFormat:@"c_name = %@", name];
qualifier = [EOQualifier qualifierWithQualifierFormat: @"c_name = %@", [name asSafeSQLString]];
records = [[self ocsFolder] fetchFields: [NSArray arrayWithObject: @"c_component"]
matchingQualifier: qualifier];
@@ -190,8 +190,7 @@ static NSArray *folderListingFields = nil;
if ([filter length] > 0)
{
filter = [[filter stringByReplacingString: @"\\" withString: @"\\\\"]
stringByReplacingString: @"'" withString: @"\\'\\'"];
filter = [filter asSafeSQLString];
if ([criteria isEqualToString: @"name_or_address"])
qs = [NSString stringWithFormat:
@"(c_sn isCaseInsensitiveLike: '%%%@%%') OR "
@@ -338,8 +337,7 @@ static NSArray *folderListingFields = nil;
if (aName && [aName length] > 0)
{
aName = [[aName stringByReplacingString: @"\\" withString: @"\\\\"]
stringByReplacingString: @"'" withString: @"\\'\\'"];
aName = [aName asSafeSQLString];
qs = [NSString stringWithFormat: @"(c_name='%@')", aName];
qualifier = [EOQualifier qualifierWithQualifierFormat: qs];
dbRecords = [[self ocsFolder] fetchFields: folderListingFields
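Review bot: The escaped `aName` is spliced into `qs` and then `qs` itself is passed as the format to `qualifierWithQualifierFormat:`, whereas the first hunk of this file passes the value as a `%@` argument; since `%` is the directive character of a qualifier format, an `aName` containing `%` (now rewritten to `\%`) is parsed as part of the format, and whether `\%` survives that parser is not something the hunk shows. If `qs` is not needed elsewhere, the consistent form is `qualifier = [EOQualifier qualifierWithQualifierFormat: @"c_name = %@", [aName asSafeSQLString]];`, which keeps user input out of the format string entirely. The enclosing method starts and ends outside the hunk.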


@@ -684,8 +684,9 @@ static int cssEscapingCount;
- (NSString *) asSafeSQLString
{
return [[self stringByReplacingString: @"\\" withString: @"\\\\"]
stringByReplacingString: @"'" withString: @"\\'"];
return [[[self stringByReplacingString: @"\\" withString: @"\\\\"]
stringByReplacingString: @"'" withString: @"\\'"]
stringByReplacingString: @"\%" withString: @"\\%"];
}
- (NSUInteger) countOccurrencesOfString: (NSString *) substring
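Review bot: `@"\%"` in the new third replacement is an unknown escape sequence in a C string literal (the compiler warns and the result is a plain `%`), so the intent is clearer as `stringByReplacingString: @"%" withString: @"\\%"]`. The method is now used for both LIKE patterns and equality literals, and its behavior is dialect-specific (backslash-escaping rather than doubled quotes; `_`, the other LIKE wildcard, is left alone), so it deserves a header comment such as `/// Escapes \, ' and % with a backslash for use inside a single-quoted SQL literal or LIKE pattern. Assumes a backslash-escaping dialect; the _ wildcard is not escaped.` The order of the three replacements (backslash first) is correct and should be noted as deliberate, since swapping them would double the escapes the later steps add.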