From 08478732d0c235c70ac26c3d39bb000fae383387 Mon Sep 17 00:00:00 2001
From: Daniel
Date: Sun, 20 Dec 2020 19:31:05 +1300
Subject: [PATCH] use sql parameters to insert file names

fixes sql injection issues
---
 openlp/plugins/images/lib/upgrade.py | 9 ++++-----
 openlp/plugins/songs/lib/upgrade.py | 5 ++---
 2 files changed, 6 insertions(+), 8 deletions(-)

diff --git a/openlp/plugins/images/lib/upgrade.py b/openlp/plugins/images/lib/upgrade.py
index addd41f20..42f10e35e 100644
--- a/openlp/plugins/images/lib/upgrade.py
+++ b/openlp/plugins/images/lib/upgrade.py
@@ -60,9 +60,8 @@ def upgrade_2(session, metadata):
 data_path = AppLocation.get_data_path()
 for row in results.fetchall():
 file_path_json = json.dumps(Path(row.filename), cls=OpenLPJSONEncoder, base_path=data_path)
- sql = 'UPDATE image_filenames SET file_path = \'{file_path_json}\' WHERE id = {id}'.format(
- file_path_json=file_path_json, id=row.id)
- conn.execute(sql)
+ sql = 'UPDATE image_filenames SET file_path = :file_path_json WHERE id = :id'
+ conn.execute(sql, {'file_path_json': file_path_json, 'id': row.id})
 # Drop old columns
 if metadata.bind.url.get_dialect().name == 'sqlite':
 drop_columns(op, 'image_filenames', ['filename', ])
@@ -91,8 +90,8 @@ def upgrade_3(session, metadata):
 log.warning('{image} does not exists, so no sha256 hash added.'.format(image=str(file_path)))
 # set a fake "hash" to allow for the upgrade to go through. The image will be marked as invalid
 hash = 'NONE'
- sql = 'UPDATE image_filenames SET file_hash = \'{hash}\' WHERE id = {id}'.format(hash=hash, id=row.id)
- conn.execute(sql)
+ sql = 'UPDATE image_filenames SET file_hash = :hash WHERE id = :id'
+ conn.execute(sql, {'hash': hash, 'id': row.id})
 # rename thumbnail to use file hash
 ext = file_path.suffix.lower()
 old_thumb = thumb_path / '{name:d}{ext}'.format(name=row.id, ext=ext)
diff --git a/openlp/plugins/songs/lib/upgrade.py b/openlp/plugins/songs/lib/upgrade.py
index f500d9c90..b15067b3c 100644
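Review bot: The new `conn.execute(sql, {...})` calls hand a plain string with `:file_path_json`/`:id` placeholders to the connection, and SQLAlchemy only rewrites colon-prefixed names when the statement is wrapped in `sqlalchemy.text()`; a bare string goes to the DBAPI unchanged, which works for sqlite's native named paramstyle but not for drivers that expect `%(name)s`. The `get_dialect().name == 'sqlite'` check a few lines below suggests other backends are anticipated, so the statement line should become `sql = text('UPDATE image_filenames SET file_path = :file_path_json WHERE id = :id')` with the execute call left as is (adding `from sqlalchemy import text` if the module does not already import it). The same applies to the `upgrade_3` hunk in this file and to `upgrade_7` in openlp/plugins/songs/lib/upgrade.py. Wrapping in `text()` also avoids the string-statement form of `Connection.execute()`, which later SQLAlchemy releases deprecate and then drop. `upgrade_2` begins and continues outside this hunk.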
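Review bot: The new parameter dict reads the local `hash`, which shadows the builtin of the same name; the `hash = 'NONE'` assignment is visible as context here, and presumably the branch that computes the real digest sits outside the hunk. Renaming the local to `file_hash` at both assignment sites and writing `sql = 'UPDATE image_filenames SET file_hash = :file_hash WHERE id = :id'` with `conn.execute(sql, {'file_hash': file_hash, 'id': row.id})` would match the column name and remove the shadowing. `upgrade_3` begins and continues outside this hunk.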
--- a/openlp/plugins/songs/lib/upgrade.py
+++ b/openlp/plugins/songs/lib/upgrade.py
@@ -182,9 +182,8 @@ def upgrade_7(session, metadata):
 data_path = AppLocation.get_data_path()
 for row in results.fetchall():
 file_path_json = json.dumps(Path(row.file_name), cls=OpenLPJSONEncoder, base_path=data_path)
- sql = 'UPDATE media_files SET file_path = \'{file_path_json}\' WHERE id = {id}'.format(
- file_path_json=file_path_json, id=row.id)
- conn.execute(sql)
+ sql = 'UPDATE media_files SET file_path = :file_path WHERE id = :id'
+ conn.execute(sql, {'file_path': file_path_json, 'id': row.id})
 # Drop old columns
 if metadata.bind.url.get_dialect().name == 'sqlite':
 drop_columns(op, 'media_files', ['file_name', ])
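Review bot: The bind parameter here is named `:file_path` while the equivalent images hunk in this commit uses `:file_path_json` for the same `json.dumps(...)` output, so the two upgrade steps read as if they store different things. Using the same name in both, `sql = 'UPDATE media_files SET file_path = :file_path_json WHERE id = :id'` and `conn.execute(sql, {'file_path_json': file_path_json, 'id': row.id})`, keeps them parallel and makes it clear that the stored value is the JSON-encoded path rather than a raw one. `upgrade_7` begins outside this hunk.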