author | Alexey Shchepin <alexey@process-one.net> | 2016-05-12 18:32:13 +0300 |
---|---|---|
committer | Alexey Shchepin <alexey@process-one.net> | 2016-05-13 17:56:48 +0300 |
commit | 792f47b4bd3c4f423fd25c31b5f8ae82ac59b28b (patch) | |
tree | aed1938b1868878cc3463ada565c8ad05b9c05e6 /src/node_pep_sql.erl | |
parent | Fix C2S session data leak (#1078) (diff) |
Update SQL escaping
Diffstat (limited to 'src/node_pep_sql.erl')
-rw-r--r-- | src/node_pep_sql.erl | 14 |
1 files changed, 8 insertions, 6 deletions
diff --git a/src/node_pep_sql.erl b/src/node_pep_sql.erl
index c5b31d15f..1f2c13d5c 100644
--- a/src/node_pep_sql.erl
+++ b/src/node_pep_sql.erl
@@ -114,20 +114,21 @@ set_affiliation(Nidx, Owner, Affiliation) ->
 get_entity_subscriptions(_Host, Owner) ->
 SubKey = jid:tolower(Owner),
 GenKey = jid:remove_resource(SubKey),
- Host = node_flat_sql:encode_host(element(2, SubKey)),
+ HostLike = node_flat_sql:encode_host_like(element(2, SubKey)),
 SJ = node_flat_sql:encode_jid(SubKey),
 GJ = node_flat_sql:encode_jid(GenKey),
+ GJLike = node_flat_sql:encode_jid_like(GenKey),
 Query = case SubKey of
 GenKey ->
 [<<"select host, node, type, i.nodeid, jid, "
 "subscriptions from pubsub_state i, pubsub_node n "
 "where i.nodeid = n.nodeid and jid "
- "like '">>, GJ, <<"%' and host like '%@">>, Host, <<"';">>];
+ "like '">>, GJLike, <<"%' escape '^' and host like '%@">>, HostLike, <<"' escape '^';">>];
 _ ->
 [<<"select host, node, type, i.nodeid, jid, "
 "subscriptions from pubsub_state i, pubsub_node n "
 "where i.nodeid = n.nodeid and jid "
- "in ('">>, SJ, <<"', '">>, GJ, <<"') and host like '%@">>, Host, <<"';">>]
+ "in ('">>, SJ, <<"', '">>, GJ, <<"') and host like '%@">>, HostLike, <<"' escape '^';">>]
 end,
 Reply = case catch ejabberd_sql:sql_query_t(Query) of
 {selected,
@@ -149,9 +150,10 @@ get_entity_subscriptions(_Host, Owner) ->
 get_entity_subscriptions_for_send_last(_Host, Owner) ->
 SubKey = jid:tolower(Owner),
 GenKey = jid:remove_resource(SubKey),
- Host = node_flat_sql:encode_host(element(2, SubKey)),
+ HostLike = node_flat_sql:encode_host_like(element(2, SubKey)),
 SJ = node_flat_sql:encode_jid(SubKey),
 GJ = node_flat_sql:encode_jid(GenKey),
+ GJLike = node_flat_sql:encode_jid_like(GenKey),
 Query = case SubKey of
 GenKey ->
 [<<"select host, node, type, i.nodeid, jid, "
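Review bot: After this change two encodings of the same JID live side by side in get_entity_subscriptions — `GJLike` is interpolated into the `like '...' escape '^'` pattern of the `GenKey ->` branch while `GJ` and `SJ` still go into the `in ('...', '...')` list of the `_ ->` branch — and nothing at the binding site says which one is safe where; the pre-patch code is exactly the `GJ`-inside-`like` mistake, so a future edit can reintroduce it and let a `%` or `_` in a JID act as a wildcard. node_flat_sql is not part of this diff, so I cannot confirm that `encode_jid_like/1` and `encode_host_like/1` also quote-escape, which the hand-concatenated `'...'` literals require; if they do, pin the invariant with a comment at the binding, e.g. `%% *_like values are quote-escaped and have %, _ and ^ escaped with ^: use them only inside a like ... escape '^' pattern, never in an in (...) list`. The same applies to the `@@ -149,9 +150,10 @@` hunk and to the `@@ -159,14 +161,14 @@` hunk on the next line. The body of get_entity_subscriptions continues outside the first hunk, and get_entity_subscriptions_for_send_last is cut at the end of the second.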
@@ -159,14 +161,14 @@ get_entity_subscriptions_for_send_last(_Host, Owner) ->
 "pubsub_node_option o where i.nodeid = n.nodeid "
 "and n.nodeid = o.nodeid and name='send_last_published_item' and "
 "val='on_sub_and_presence' and jid like '">>,
- GJ, <<"%' and host like '%@">>, Host, <<"';">>];
+ GJLike, <<"%' escape '^' and host like '%@">>, HostLike, <<"' escape '^';">>];
 _ ->
 [<<"select host, node, type, i.nodeid, jid, "
 "subscriptions from pubsub_state i, pubsub_node n, "
 "pubsub_node_option o where i.nodeid = n.nodeid "
 "and n.nodeid = o.nodeid and name='send_last_published_item' and "
 "val='on_sub_and_presence' and jid in ",
- "('">>, SJ, <<"', '">>, GJ, <<"') and host like '%@">>, Host, <<"';">>]
+ "('">>, SJ, <<"', '">>, GJ, <<"') and host like '%@">>, HostLike, <<"' escape '^';">>]
 end,
 Reply = case catch ejabberd_sql:sql_query_t(Query) of
 {selected, |
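Review bot: The host-filter tail `and host like '%@">>, HostLike, <<"' escape '^';">>` is now written out four times across get_entity_subscriptions and get_entity_subscriptions_for_send_last (both `+` lines of this hunk and both of the first hunk), so the escape character and the `%@` prefix have to be kept in sync by hand in four places. A module-private helper such as `host_filter(HostLike) -> [<<"and host like '%@">>, HostLike, <<"' escape '^';">>]` appended to each query list would leave a single place to change, and the `like '...' escape '^'` JID pattern could get the same treatment. The body of get_entity_subscriptions_for_send_last starts before and ends after this hunk.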