Use true/false for boolean parameter inclusive to avoid potential for sqli, and possibly make the code clearer

This commit is contained in:
Mark Haines 2016-07-05 10:39:13 +01:00
parent 0fb76c71ac
commit d44d11d864
2 changed files with 7 additions and 5 deletions


@ -86,7 +86,7 @@ class EventPushActionsStore(SQLBaseStore):
" user_id = ?" " user_id = ?"
" AND room_id = ?" " AND room_id = ?"
" AND %s" " AND %s"
) % (lower_bound(token, self.database_engine, inclusive=""),) ) % (lower_bound(token, self.database_engine, inclusive=False),)
txn.execute(sql, (user_id, room_id)) txn.execute(sql, (user_id, room_id))
row = txn.fetchone() row = txn.fetchone()
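Review bot: The bound fragment on the `) % (lower_bound(token, self.database_engine, inclusive=False),)` line is still spliced into the statement with `%` rather than bound as a parameter, so after this change the query's safety rests entirely on `lower_bound()` emitting only `%d`-formatted token fields plus a literal `=`; the two `upper_bound`/`lower_bound` call sites in the StreamStore hunk have the same shape. A short comment at the call site would make that contract visible to the next maintainer, e.g. `# lower_bound() yields a fixed-shape SQL fragment (int-formatted token fields only); user_id/room_id stay bound parameters`. Only the `token.topological is None` branch of `lower_bound` is visible in this commit and the origin of `token` is not, so whether every field in the other branch also passes through `%d` cannot be confirmed from these hunks.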


@ -55,7 +55,8 @@ _STREAM_TOKEN = "stream"
_TOPOLOGICAL_TOKEN = "topological" _TOPOLOGICAL_TOKEN = "topological"
def lower_bound(token, engine, inclusive=""): def lower_bound(token, engine, inclusive=False):
inclusive = "=" if inclusive else ""
if token.topological is None: if token.topological is None:
return "(%d <%s %s)" % (token.stream, inclusive, "stream_ordering") return "(%d <%s %s)" % (token.stream, inclusive, "stream_ordering")
else: else:
@ -74,7 +75,8 @@ def lower_bound(token, engine, inclusive=""):
) )
def upper_bound(token, engine, inclusive="="): def upper_bound(token, engine, inclusive=True):
inclusive = "=" if inclusive else ""
if token.topological is None: if token.topological is None:
return "(%d >%s %s)" % (token.stream, inclusive, "stream_ordering") return "(%d >%s %s)" % (token.stream, inclusive, "stream_ordering")
else: else:
@ -616,13 +618,13 @@ class StreamStore(SQLBaseStore):
"SELECT topological_ordering, stream_ordering, event_id FROM events" "SELECT topological_ordering, stream_ordering, event_id FROM events"
" WHERE room_id = ? AND %s" " WHERE room_id = ? AND %s"
" ORDER BY topological_ordering DESC, stream_ordering DESC LIMIT ?" " ORDER BY topological_ordering DESC, stream_ordering DESC LIMIT ?"
) % (upper_bound(token, self.database_engine, inclusive=""),) ) % (upper_bound(token, self.database_engine, inclusive=False),)
query_after = ( query_after = (
"SELECT topological_ordering, stream_ordering, event_id FROM events" "SELECT topological_ordering, stream_ordering, event_id FROM events"
" WHERE room_id = ? AND %s" " WHERE room_id = ? AND %s"
" ORDER BY topological_ordering ASC, stream_ordering ASC LIMIT ?" " ORDER BY topological_ordering ASC, stream_ordering ASC LIMIT ?"
) % (lower_bound(token, self.database_engine, inclusive=""),) ) % (lower_bound(token, self.database_engine, inclusive=False),)
txn.execute(query_before, (room_id, before_limit)) txn.execute(query_before, (room_id, before_limit))