[banshee/gio-hardware] [RescanPipeline] Escape Uri val in SQL (bgo#624531)



commit 175397df4560bb6cdf72b7501d29e0c576763591
Author: Aaron Bockover <abockover novell com>
Date:   Sat Jul 17 18:35:24 2010 -0400

    [RescanPipeline] Escape Uri val in SQL (bgo#624531)
    
    The Uri LIKE match in the query was hard-coded, which allows for
    un-escaped user input. Use proper SQL parameters instead to ensure a
    safe query construction. Also use Hyena.StringUtil.EscapeLike.
    
    Signed-off-by: Gabriel Burt <gabriel burt gmail com>

 .../Banshee.Collection/RescanPipeline.cs           |   13 ++++++-------
 1 files changed, 6 insertions(+), 7 deletions(-)
---
diff --git a/src/Core/Banshee.Services/Banshee.Collection/RescanPipeline.cs b/src/Core/Banshee.Services/Banshee.Collection/RescanPipeline.cs
index d143a5a..9b4517c 100644
--- a/src/Core/Banshee.Services/Banshee.Collection/RescanPipeline.cs
+++ b/src/Core/Banshee.Services/Banshee.Collection/RescanPipeline.cs
@@ -100,19 +100,18 @@ namespace Banshee.Collection
             //Hyena.Log.DebugFormat ("Have {0} items before delete", ServiceManager.DbConnection.Query<int>("select count(*) from coretracks where primarysourceid=?", psource.DbId));
 
             // Delete tracks that are under the BaseDirectory and that weren't rescanned just now
-            string condition = String.Format (
-                "WHERE PrimarySourceID = ? AND Uri LIKE '{0}%' AND LastSyncedStamp IS NOT NULL AND LastSyncedStamp < ?",
-                new SafeUri (psource.BaseDirectoryWithSeparator).AbsoluteUri
-            );
+            string condition =
+                @"WHERE PrimarySourceID = ? AND Uri LIKE ? ESCAPE '\' AND LastSyncedStamp IS NOT NULL AND LastSyncedStamp < ?";
+            string uri = Hyena.StringUtil.EscapeLike (new SafeUri (psource.BaseDirectoryWithSeparator).AbsoluteUri) + "%";
 
             ServiceManager.DbConnection.Execute (String.Format (@"BEGIN;
                     DELETE FROM CorePlaylistEntries WHERE TrackID IN (SELECT TrackID FROM CoreTracks {0});
                     DELETE FROM CoreSmartPlaylistEntries WHERE TrackID IN (SELECT TrackID FROM CoreTracks {0});
                     DELETE FROM CoreTracks {0}; COMMIT",
                 condition),
-                psource.DbId, scan_started,
-                psource.DbId, scan_started,
-                psource.DbId, scan_started
+                psource.DbId, uri, scan_started,
+                psource.DbId, uri, scan_started,
+                psource.DbId, uri, scan_started
             );
 
             // TODO prune artists/albums



[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]