fix(core): only escape "%" with the SQL LIKE operator

Alinto · Jan 31, 2022 · 7c81e3a · 7c81e3a
1 parent 88b0b6a
commit 7c81e3a
Show file tree

Hide file tree

Showing 6 changed files with 24 additions and 20 deletions.
diff --git a/SoObjects/Appointments/SOGoAppointmentFolder.m b/SoObjects/Appointments/SOGoAppointmentFolder.m
@@ -1,5 +1,5 @@
 /*
-  Copyright (C) 2007-2019 Inverse inc.
+  Copyright (C) 2007-2022 Inverse inc.
   Copyright (C) 2004-2005 SKYRIX Software AG
 
   This file is part of SOGo.
@@ -794,7 +794,7 @@ - (NSArray *) bareFetchFields: (NSArray *) fields
   if ([title length])
     [baseWhere
       addObject: [NSString stringWithFormat: @"c_title isCaseInsensitiveLike: '%%%@%%'",
-                           [title asSafeSQLString]]];
+                           [title asSafeSQLLikeString]]];
 
   if (component)
     {
@@ -1577,14 +1577,14 @@ - (NSArray *)    fetchFields: (NSArray *) _fields
               if ([filters isEqualToString:@"title_Category_Location"] || [filters isEqualToString:@"entireContent"])
                 {
                   [baseWhere addObject: [NSString stringWithFormat: @"(c_title isCaseInsensitiveLike: '%%%@%%' OR c_category isCaseInsensitiveLike: '%%%@%%' OR c_location isCaseInsensitiveLike: '%%%@%%')",
-                                                  [title asSafeSQLString],
-                                                  [title asSafeSQLString],
-                                                  [title asSafeSQLString]]];
+                                                  [title asSafeSQLLikeString],
+                                                  [title asSafeSQLLikeString],
+                                                  [title asSafeSQLLikeString]]];
                 }
             }
           else
             [baseWhere addObject: [NSString stringWithFormat: @"c_title isCaseInsensitiveLike: '%%%@%%'",
-                                            [title asSafeSQLString]]];
+                                            [title asSafeSQLLikeString]]];
         }
 
       /* prepare mandatory fields */

diff --git a/SoObjects/Contacts/SOGoContactGCSFolder.m b/SoObjects/Contacts/SOGoContactGCSFolder.m
@@ -1,5 +1,5 @@
 /*
-  Copyright (C) 2006-2019 Inverse inc.
+  Copyright (C) 2006-2022 Inverse inc.
 
   This file is part of SOGo.
 
@@ -208,7 +208,7 @@ - (EOQualifier *) qualifierForFilter: (NSString *) filter
   qualifier = nil;
   if ([filter length] > 0)
     {
-      filter = [filter asSafeSQLString];
+      filter = [filter asSafeSQLLikeString];
       filters = [NSMutableArray array];
       filterFormat = [NSString stringWithFormat: @"(%%@ isCaseInsensitiveLike: '%%%%%@%%%%')", filter];
       if (criteria)
@@ -356,7 +356,7 @@ - (NSDictionary *) lookupContactWithName: (NSString *) aName
   if (aName && [aName length] > 0)
     {
       aName = [aName asSafeSQLString];
-      qs = [NSString stringWithFormat: @"(c_name='%@')", aName];
+      qs = [NSString stringWithFormat: @"(c_name = '%@')", aName];
       qualifier = [EOQualifier qualifierWithQualifierFormat: qs];
       dbRecords = [[self ocsFolder] fetchFields: folderListingFields
 			      matchingQualifier: qualifier];

diff --git a/SoObjects/SOGo/NSString+Utilities.h b/SoObjects/SOGo/NSString+Utilities.h
@@ -1,6 +1,6 @@
 /* NSString+Utilities.h - this file is part of SOGo
  *
- * Copyright (C) 2006-2019 Inverse inc.
+ * Copyright (C) 2006-2022 Inverse inc.
  *
  * This file is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -51,6 +51,7 @@
 
 /* SQL safety */
 - (NSString *) asSafeSQLString;
+- (NSString *) asSafeSQLLikeString;
 
 /* Unicode safety */
 - (NSString *) safeString;

diff --git a/SoObjects/SOGo/NSString+Utilities.m b/SoObjects/SOGo/NSString+Utilities.m
@@ -1,6 +1,6 @@
 /* NSString+Utilities.m - this file is part of SOGo
  *
- * Copyright (C) 2006-2019 Inverse inc.
+ * Copyright (C) 2006-2022 Inverse inc.
  *
  * This file is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -725,9 +725,13 @@ - (id) objectFromJSONString
 
 - (NSString *) asSafeSQLString
 {
-  return [[[self stringByReplacingString: @"\\" withString: @"\\\\"]
-           stringByReplacingString: @"'" withString: @"\\'"]
-	   stringByReplacingString: @"\%" withString: @"\\%"];
+  return [[self stringByReplacingString: @"\\" withString: @"\\\\"]
+           stringByReplacingString: @"'" withString: @"\\'"];
+}
+
+- (NSString *) asSafeSQLLikeString
+{
+  return [[self asSafeSQLString] stringByReplacingString: @"\%" withString: @"\\%"];
 }
 
 - (NSUInteger) countOccurrencesOfString: (NSString *) substring

diff --git a/SoObjects/SOGo/SOGoGCSFolder.m b/SoObjects/SOGo/SOGoGCSFolder.m
@@ -1,7 +1,7 @@
 /* SOGoGCSFolder.m - this file is part of SOGo
  *
  * Copyright (C) 2004-2005 SKYRIX Software AG
- * Copyright (C) 2006-2014 Inverse inc.
+ * Copyright (C) 2006-2022 Inverse inc.
  *
  * This file is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -1969,8 +1969,8 @@ - (NSArray *) _fetchComponentsWithNames: (NSArray *) cNames
   if (sqlFilter)
     {
       filterString = [NSMutableString stringWithCapacity: 8192];
-      [filterString appendFormat: @"(c_name='%@')",
-                    [cNames componentsJoinedByString: @"' OR c_name='"]];
+      [filterString appendFormat: @"(c_name = '%@')",
+                    [cNames componentsJoinedByString: @"' OR c_name = '"]];
       if ([sqlFilter length] > 0)
         [filterString appendFormat: @" AND (%@)", sqlFilter];
       qualifier = [EOQualifier qualifierWithQualifierFormat: filterString];
@@ -2012,8 +2012,7 @@ - (NSArray *) _fetchComponentsMatchingObjectNames: (NSArray *) cNames
     {
       currentName = [[cNames objectAtIndex: count] asSafeSQLString];
       queryNameLength = idQueryOverhead + [currentName length];
-      if ((currentSize + queryNameLength)
-	  > maxQuerySize)
+      if ((currentSize + queryNameLength) > maxQuerySize)
 	{
 	  records = [self _fetchComponentsWithNames: currentNames fields: fields];
 	  [components addObjectsFromArray: records];

diff --git a/SoObjects/SOGo/SQLSource.m b/SoObjects/SOGo/SQLSource.m
@@ -861,7 +861,7 @@ - (NSArray *) fetchContactsMatching: (NSString *) filter
           if ([filter length])
             {
               lowerFilter = [filter lowercaseString];
-              lowerFilter = [lowerFilter asSafeSQLString];
+              lowerFilter = [lowerFilter asSafeSQLLikeString];
               filterFormat = [NSString stringWithFormat: @"LOWER(%%@) LIKE '%%%%%@%%%%'", lowerFilter];
               if (criteria)
                 criteriaList = [criteria objectEnumerator];