fix(core): only escape "%" with the SQL LIKE operator

Alinto · Feb 21, 2022 · 2389e44 · 2389e44
1 parent 9bffee2
commit 2389e44
Show file tree

Hide file tree

Showing 6 changed files with 24 additions and 20 deletions.
diff --git a/SoObjects/Appointments/SOGoAppointmentFolder.m b/SoObjects/Appointments/SOGoAppointmentFolder.m
@@ -1,5 +1,5 @@
 /*
-  Copyright (C) 2007-2014 Inverse inc.
+  Copyright (C) 2007-2022 Inverse inc.
   Copyright (C) 2004-2005 SKYRIX Software AG
 
   This file is part of SOGo.
@@ -795,7 +795,7 @@ - (NSArray *) bareFetchFields: (NSArray *) fields
   if ([title length])
     [baseWhere
       addObject: [NSString stringWithFormat: @"c_title isCaseInsensitiveLike: '%%%@%%'",
-                           [title asSafeSQLString]]];
+                           [title asSafeSQLLikeString]]];
 
   if (component)
     {
@@ -1532,14 +1532,14 @@ - (NSArray *)    fetchFields: (NSArray *) _fields
               if ([filters isEqualToString:@"title_Category_Location"] || [filters isEqualToString:@"entireContent"])
                 {
                   [baseWhere addObject: [NSString stringWithFormat: @"(c_title isCaseInsensitiveLike: '%%%@%%' OR c_category isCaseInsensitiveLike: '%%%@%%' OR c_location isCaseInsensitiveLike: '%%%@%%')",
-                                                  [title asSafeSQLString],
-                                                  [title asSafeSQLString],
-                                                  [title asSafeSQLString]]];
+                                                  [title asSafeSQLLikeString],
+                                                  [title asSafeSQLLikeString],
+                                                  [title asSafeSQLLikeString]]];
                 }
             }
           else
             [baseWhere addObject: [NSString stringWithFormat: @"c_title isCaseInsensitiveLike: '%%%@%%'",
-                                            [title asSafeSQLString]]];
+                                            [title asSafeSQLLikeString]]];
         }
 
       /* prepare mandatory fields */

diff --git a/SoObjects/Contacts/SOGoContactGCSFolder.m b/SoObjects/Contacts/SOGoContactGCSFolder.m
@@ -1,5 +1,5 @@
 /*
-  Copyright (C) 2006-2013 Inverse inc.
+  Copyright (C) 2006-2022 Inverse inc.
   Copyright (C) 2004-2005 SKYRIX Software AG
 
   This file is part of SOGo.
@@ -178,7 +178,7 @@ - (EOQualifier *) _qualifierForFilter: (NSString *) filter
 
   if ([filter length] > 0)
     {
-      filter = [filter asSafeSQLString];
+      filter = [filter asSafeSQLLikeString];
       if ([criteria isEqualToString: @"name_or_address"])
         qs = [NSString stringWithFormat:
                          @"(c_sn isCaseInsensitiveLike: '%%%@%%') OR "
@@ -281,7 +281,7 @@ - (NSDictionary *) lookupContactWithName: (NSString *) aName
   if (aName && [aName length] > 0)
     {
       aName = [aName asSafeSQLString];
-      qs = [NSString stringWithFormat: @"(c_name='%@')", aName];
+      qs = [NSString stringWithFormat: @"(c_name = '%@')", aName];
       qualifier = [EOQualifier qualifierWithQualifierFormat: qs];
       dbRecords = [[self ocsFolder] fetchFields: folderListingFields
 			      matchingQualifier: qualifier];

diff --git a/SoObjects/SOGo/NSString+Utilities.h b/SoObjects/SOGo/NSString+Utilities.h
@@ -1,6 +1,6 @@
 /* NSString+Utilities.h - this file is part of SOGo
  *
- * Copyright (C) 2006-2015 Inverse inc.
+ * Copyright (C) 2006-2022 Inverse inc.
  *
  * This file is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -51,6 +51,7 @@
 
 /* SQL safety */
 - (NSString *) asSafeSQLString;
+- (NSString *) asSafeSQLLikeString;
 
 /* Unicode safety */
 - (NSString *) safeString;

diff --git a/SoObjects/SOGo/NSString+Utilities.m b/SoObjects/SOGo/NSString+Utilities.m
@@ -1,6 +1,6 @@
 /* NSString+Utilities.m - this file is part of SOGo
  *
- * Copyright (C) 2006-2015 Inverse inc.
+ * Copyright (C) 2006-2022 Inverse inc.
  *
  * This file is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -688,9 +688,13 @@ - (id) objectFromJSONString
 
 - (NSString *) asSafeSQLString
 {
-  return [[[self stringByReplacingString: @"\\" withString: @"\\\\"]
-           stringByReplacingString: @"'" withString: @"\\'"]
-	   stringByReplacingString: @"\%" withString: @"\\%"];
+  return [[self stringByReplacingString: @"\\" withString: @"\\\\"]
+           stringByReplacingString: @"'" withString: @"\\'"];
+}
+
+- (NSString *) asSafeSQLLikeString
+{
+  return [[self asSafeSQLString] stringByReplacingString: @"\%" withString: @"\\%"];
 }
 
 - (NSUInteger) countOccurrencesOfString: (NSString *) substring

diff --git a/SoObjects/SOGo/SOGoGCSFolder.m b/SoObjects/SOGo/SOGoGCSFolder.m
@@ -1,7 +1,7 @@
 /* SOGoGCSFolder.m - this file is part of SOGo
  *
  * Copyright (C) 2004-2005 SKYRIX Software AG
- * Copyright (C) 2006-2014 Inverse inc.
+ * Copyright (C) 2006-2022 Inverse inc.
  *
  * This file is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -1929,8 +1929,8 @@ - (NSArray *) _fetchComponentsWithNames: (NSArray *) cNames
   if (sqlFilter)
     {
       filterString = [NSMutableString stringWithCapacity: 8192];
-      [filterString appendFormat: @"(c_name='%@')",
-                    [cNames componentsJoinedByString: @"' OR c_name='"]];
+      [filterString appendFormat: @"(c_name = '%@')",
+                    [cNames componentsJoinedByString: @"' OR c_name = '"]];
       if ([sqlFilter length] > 0)
         [filterString appendFormat: @" AND (%@)", sqlFilter];
       qualifier = [EOQualifier qualifierWithQualifierFormat: filterString];
@@ -1972,8 +1972,7 @@ - (NSArray *) _fetchComponentsMatchingObjectNames: (NSArray *) cNames
     {
       currentName = [[cNames objectAtIndex: count] asSafeSQLString];
       queryNameLength = idQueryOverhead + [currentName length];
-      if ((currentSize + queryNameLength)
-	  > maxQuerySize)
+      if ((currentSize + queryNameLength) > maxQuerySize)
 	{
 	  records = [self _fetchComponentsWithNames: currentNames fields: fields];
 	  [components addObjectsFromArray: records];

diff --git a/SoObjects/SOGo/SQLSource.m b/SoObjects/SOGo/SQLSource.m
@@ -776,7 +776,7 @@ - (NSArray *) fetchContactsMatching: (NSString *) filter
   if (channel)
     {
       lowerFilter = [filter lowercaseString];
-      lowerFilter = [lowerFilter stringByReplacingString: @"'"  withString: @"''"];
+      lowerFilter = [lowerFilter asSafeSQLLikeString];
 
       sql = [NSMutableString stringWithFormat: (@"SELECT *"
                                          @" FROM %@"