use sql parameters to insert file names

fixes sql injection issues
Daniel 2020-12-20 19:31:05 +13:00
parent ddc6e276a3
commit 08478732d0
2 changed files with 6 additions and 8 deletions


@ -60,9 +60,8 @@ def upgrade_2(session, metadata):
data_path = AppLocation.get_data_path() data_path = AppLocation.get_data_path()
for row in results.fetchall(): for row in results.fetchall():
file_path_json = json.dumps(Path(row.filename), cls=OpenLPJSONEncoder, base_path=data_path) file_path_json = json.dumps(Path(row.filename), cls=OpenLPJSONEncoder, base_path=data_path)
sql = 'UPDATE image_filenames SET file_path = \'{file_path_json}\' WHERE id = {id}'.format( sql = 'UPDATE image_filenames SET file_path = :file_path_json WHERE id = :id'
file_path_json=file_path_json, id=row.id) conn.execute(sql, {'file_path_json': file_path_json, 'id': row.id})
conn.execute(sql)
# Drop old columns # Drop old columns
if metadata.bind.url.get_dialect().name == 'sqlite': if metadata.bind.url.get_dialect().name == 'sqlite':
drop_columns(op, 'image_filenames', ['filename', ]) drop_columns(op, 'image_filenames', ['filename', ])
@ -91,8 +90,8 @@ def upgrade_3(session, metadata):
log.warning('{image} does not exists, so no sha256 hash added.'.format(image=str(file_path))) log.warning('{image} does not exists, so no sha256 hash added.'.format(image=str(file_path)))
# set a fake "hash" to allow for the upgrade to go through. The image will be marked as invalid # set a fake "hash" to allow for the upgrade to go through. The image will be marked as invalid
hash = 'NONE' hash = 'NONE'
sql = 'UPDATE image_filenames SET file_hash = \'{hash}\' WHERE id = {id}'.format(hash=hash, id=row.id) sql = 'UPDATE image_filenames SET file_hash = :hash WHERE id = :id'
conn.execute(sql) conn.execute(sql, {'hash': hash, 'id': row.id})
# rename thumbnail to use file hash # rename thumbnail to use file hash
ext = file_path.suffix.lower() ext = file_path.suffix.lower()
old_thumb = thumb_path / '{name:d}{ext}'.format(name=row.id, ext=ext) old_thumb = thumb_path / '{name:d}{ext}'.format(name=row.id, ext=ext)
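Review bot: The `:file_path_json` / `:id` placeholders in the new `sql` string of the first hunk are handed to `conn.execute` as a plain string, so the colon-prefixed names reach the DBAPI driver untranslated; sqlite3 accepts that, but the `get_dialect().name == 'sqlite'` guard just below shows this migration is also expected to run on other backends, whose drivers typically use a `%(name)s` or `?` paramstyle and would reject the statement. Wrapping the statement in SQLAlchemy's `text()` makes the named binds dialect-independent: `conn.execute(text(sql), {'file_path_json': file_path_json, 'id': row.id})` (add `from sqlalchemy import text` if the file does not already import it). The same applies to the `:hash` / `:id` statement in the second hunk. The move to bound parameters is the right fix; note that `upgrade_2` and `upgrade_3` both start and end outside these hunks, so I cannot see whether `text` is already in scope.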


@ -182,9 +182,8 @@ def upgrade_7(session, metadata):
data_path = AppLocation.get_data_path() data_path = AppLocation.get_data_path()
for row in results.fetchall(): for row in results.fetchall():
file_path_json = json.dumps(Path(row.file_name), cls=OpenLPJSONEncoder, base_path=data_path) file_path_json = json.dumps(Path(row.file_name), cls=OpenLPJSONEncoder, base_path=data_path)
sql = 'UPDATE media_files SET file_path = \'{file_path_json}\' WHERE id = {id}'.format( sql = 'UPDATE media_files SET file_path = :file_path WHERE id = :id'
file_path_json=file_path_json, id=row.id) conn.execute(sql, {'file_path': file_path_json, 'id': row.id})
conn.execute(sql)
# Drop old columns # Drop old columns
if metadata.bind.url.get_dialect().name == 'sqlite': if metadata.bind.url.get_dialect().name == 'sqlite':
drop_columns(op, 'media_files', ['file_name', ]) drop_columns(op, 'media_files', ['file_name', ])
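Review bot: The new `UPDATE media_files SET file_path = :file_path WHERE id = :id` string is executed as a raw string with a parameter dict, which relies on the underlying DBAPI understanding `:name` binds; the `get_dialect().name == 'sqlite'` check two lines later indicates non-sqlite backends are in scope, and their drivers generally expect a different paramstyle. Prefer `conn.execute(text(sql), {'file_path': file_path_json, 'id': row.id})` so SQLAlchemy rewrites the binds for the active dialect (import `text` from `sqlalchemy` if it is not already imported). The body of `upgrade_7` begins and ends outside this hunk, so I cannot confirm from here whether `text` is available.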