Use true/false for boolean parameter inclusive to avoid potential for sqli, and possibly make the code clearer
This commit is contained in:
parent
0fb76c71ac
commit
d44d11d864
@ -86,7 +86,7 @@ class EventPushActionsStore(SQLBaseStore):
|
|||||||
" user_id = ?"
|
" user_id = ?"
|
||||||
" AND room_id = ?"
|
" AND room_id = ?"
|
||||||
" AND %s"
|
" AND %s"
|
||||||
) % (lower_bound(token, self.database_engine, inclusive=""),)
|
) % (lower_bound(token, self.database_engine, inclusive=False),)
|
||||||
|
|
||||||
txn.execute(sql, (user_id, room_id))
|
txn.execute(sql, (user_id, room_id))
|
||||||
row = txn.fetchone()
|
row = txn.fetchone()
|
||||||
|
@ -55,7 +55,8 @@ _STREAM_TOKEN = "stream"
|
|||||||
_TOPOLOGICAL_TOKEN = "topological"
|
_TOPOLOGICAL_TOKEN = "topological"
|
||||||
|
|
||||||
|
|
||||||
def lower_bound(token, engine, inclusive=""):
|
def lower_bound(token, engine, inclusive=False):
|
||||||
|
inclusive = "=" if inclusive else ""
|
||||||
if token.topological is None:
|
if token.topological is None:
|
||||||
return "(%d <%s %s)" % (token.stream, inclusive, "stream_ordering")
|
return "(%d <%s %s)" % (token.stream, inclusive, "stream_ordering")
|
||||||
else:
|
else:
|
||||||
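Review bot: The new line `inclusive = "=" if inclusive else ""` rebinds the boolean parameter to a string of the same name, so a reader of the rest of the function sees `inclusive` as an operator fragment while the signature says it is a flag; a separate local, `eq = "=" if inclusive else ""` and `"(%d <%s %s)" % (token.stream, eq, "stream_ordering")`, keeps the two meanings apart. The same rebinding appears in `upper_bound` in the next hunk. A short docstring would also help now that the parameter is a flag, e.g. `"""Return a SQL fragment selecting rows after `token`; `inclusive=True` uses `<=` so the token's own row matches."""`. The `else:` branch that handles `token.topological` is outside this hunk, so it is not covered here.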
@ -74,7 +75,8 @@ def lower_bound(token, engine, inclusive=""):
|
|||||||
)
|
)
|
||||||
|
|
||||||
|
|
||||||
def upper_bound(token, engine, inclusive="="):
|
def upper_bound(token, engine, inclusive=True):
|
||||||
|
inclusive = "=" if inclusive else ""
|
||||||
if token.topological is None:
|
if token.topological is None:
|
||||||
return "(%d >%s %s)" % (token.stream, inclusive, "stream_ordering")
|
return "(%d >%s %s)" % (token.stream, inclusive, "stream_ordering")
|
||||||
else:
|
else:
|
||||||
@ -616,13 +618,13 @@ class StreamStore(SQLBaseStore):
|
|||||||
"SELECT topological_ordering, stream_ordering, event_id FROM events"
|
"SELECT topological_ordering, stream_ordering, event_id FROM events"
|
||||||
" WHERE room_id = ? AND %s"
|
" WHERE room_id = ? AND %s"
|
||||||
" ORDER BY topological_ordering DESC, stream_ordering DESC LIMIT ?"
|
" ORDER BY topological_ordering DESC, stream_ordering DESC LIMIT ?"
|
||||||
) % (upper_bound(token, self.database_engine, inclusive=""),)
|
) % (upper_bound(token, self.database_engine, inclusive=False),)
|
||||||
|
|
||||||
query_after = (
|
query_after = (
|
||||||
"SELECT topological_ordering, stream_ordering, event_id FROM events"
|
"SELECT topological_ordering, stream_ordering, event_id FROM events"
|
||||||
" WHERE room_id = ? AND %s"
|
" WHERE room_id = ? AND %s"
|
||||||
" ORDER BY topological_ordering ASC, stream_ordering ASC LIMIT ?"
|
" ORDER BY topological_ordering ASC, stream_ordering ASC LIMIT ?"
|
||||||
) % (lower_bound(token, self.database_engine, inclusive=""),)
|
) % (lower_bound(token, self.database_engine, inclusive=False),)
|
||||||
|
|
||||||
txn.execute(query_before, (room_id, before_limit))
|
txn.execute(query_before, (room_id, before_limit))
|
||||||
|
|
||||||
|
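Review bot: The `%`-interpolation of `lower_bound(...)`/`upper_bound(...)` into `query_before` and `query_after` has no comment saying why it is acceptable next to the `?` placeholders used for `room_id`, and a later reader may either copy the pattern for caller-supplied text or "fix" it by trying to parameterize a column name. A comment at the first of the two call sites, `# %s is the bound expression from lower_bound()/upper_bound(), which interpolates only %d-coerced token fields and fixed column names, never caller text`, records the invariant the bool `inclusive` parameter now enforces. Whether the topological branch of those helpers keeps that invariant is not visible in this hunk and should be confirmed against the rest of the file.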