Merge pull request #56 from d-Rickyy-b/dev

Update version to 1.0.12
d-Rickyy-b · Feb 20, 2019 · 9009874 · 9009874
2 parents aa1fe98 + b41ecd9
commit 9009874
Show file tree

Hide file tree

Showing 4 changed files with 17 additions and 4 deletions.
diff --git a/pastepwn/database/mysqldb.py b/pastepwn/database/mysqldb.py
@@ -13,6 +13,7 @@ def __init__(self, ip="127.0.0.1", port=3306, unix_socket=None, dbname="pastepwn
         self.logger = logging.getLogger(__name__)
         self.logger.debug("Initializing MySQLDB - {0}:{1}".format(ip, port))
 
+        # https://dev.mysql.com/doc/connector-python/en/connector-python-connectargs.html
         if unix_socket:
             self.db = mysql.connector.connect(
                 host=ip,
@@ -32,11 +33,23 @@ def __init__(self, ip="127.0.0.1", port=3306, unix_socket=None, dbname="pastepwn
             )
 
         self.cursor = self.db.cursor()
+        # self._create_db(dbname) # Not used because of possible SQLI
         self._create_tables()
 
         self.logger.debug("Connected to database!")
 
+    def _create_db(self, dbname):
+        # Currently I found no other way to insert the database name into the sql statement
+        # With the following code a simple SQL Injection would be possible - question is, why would a user do this to his own database?
+        # Nevertheless I don't want to put this into production that way. I'll keep the code but remove the call to it.
+        self.logger.info("Creating database '{0}' (if not exists)".format(self.dbname))
+        self.cursor.execute("""CREATE DATABASE IF NOT EXISTS %s;""" % self.dbname)
+        self.cursor.execute("""USE %s;""" % self.dbname)
+        self.db.commit()
+
     def _create_tables(self):
+        # Although the length of 'key' should never exceed 8 chars,
+        # making it longer prevents from future issues.
         self.cursor.execute("""CREATE TABLE IF NOT EXISTS `pastes` (
                                     `key` VARCHAR(30) NOT NULL UNIQUE,
                                     `title` TEXT,
@@ -67,7 +80,7 @@ def _insert_data(self, paste):
         self.db.commit()
 
     def _get_data(self, key, value):
-        pass
+        raise NotImplementedError
 
     def count(self, key, value):
         # TODO add filter to counting

diff --git a/pastepwn/database/sqlitedb.py b/pastepwn/database/sqlitedb.py
@@ -34,7 +34,7 @@ def __init__(self, dbpath="pastepwn"):
     def _create_tables(self):
         open(self.dbpath, "a").close()
 
-        self.cursor.execute("""CREATE TABLE 'pastes' (
+        self.cursor.execute("""CREATE TABLE IF NOT EXISTS 'pastes' (
                             'key'	TEXT NOT NULL UNIQUE,
                             'title'	TEXT,
                             'user'	TEXT,

diff --git a/pastepwn/version.py b/pastepwn/version.py
@@ -1 +1 @@
-__version__ = '1.0.10'
+__version__ = '1.0.12'
diff --git a/pastepwn/version.txt b/pastepwn/version.txt
@@ -1 +1 @@
-1.0.11
+1.0.12