
Commit 810b62d

authored
Merge pull request #1569 from wez3/master
Sanitize user input #3
2 parents cdbdf79 + 46dc646 commit 810b62d


1 file changed

+33
-21
lines changed


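--- a/main/WebServer.cpp
+++ b/main/WebServer.cpp
@@ -8000,11 +8000,18 @@ namespace http {
 }
 
 char szOrderBy[50];
-if (order == "")
+std::string szQuery;
+bool isAlpha = true;
+const std::string orderBy = order.c_str();
+for(int i = 0; i < orderBy.size(); i++) {
+if( !isalpha(orderBy[i])) {
+isAlpha = false;
+}
+}
+if (order.empty() || (!isAlpha)) {
 strcpy(szOrderBy, "A.[Order],A.LastUpdate DESC");
-else
-{
-sprintf(szOrderBy, "A.[Order],A.%s ASC", order.c_str());
+} else {
+sprintf(szOrderBy, "A.[Order],A.%%s ASC");
 }
 
 unsigned char tempsign = m_sql.m_tempsign[0];
@@ -8065,14 +8072,16 @@ namespace http {
 " WHERE (C.FloorplanID=='%q') AND (C.ID==B.PlanID) AND (B.DeviceRowID==a.ID)"
 " AND (B.DevSceneType==1) ORDER BY B.[Order]",
 floorID.c_str());
-else
-result = m_sql.safe_query(
+else {
+szQuery = (
 "SELECT A.ID, A.Name, A.nValue, A.LastUpdate, A.Favorite, A.SceneType,"
 " A.Protected, B.XOffset, B.YOffset, B.PlanID, A.Description"
 " FROM Scenes as A"
 " LEFT OUTER JOIN DeviceToPlansMap as B ON (B.DeviceRowID==a.ID) AND (B.DevSceneType==1)"
-" ORDER BY %q",
-szOrderBy);
+" ORDER BY ");
+szQuery += szOrderBy;
+result = m_sql.safe_query(szQuery.c_str(), order.c_str());
+}
 
 if (result.size() > 0)
 {
@@ -8236,15 +8245,15 @@ namespace http {
 bAllowDeviceToBeHidden = true;
 }
 
-if (order == "")
+if (order.empty() || (!isAlpha))
 strcpy(szOrderBy, "A.[Order],A.LastUpdate DESC");
 else
 {
-sprintf(szOrderBy, "A.[Order],A.%s ASC", order.c_str());
+sprintf(szOrderBy, "A.[Order],A.%%s ASC");
 }
 //_log.Log(LOG_STATUS, "Getting all devices: order by %s ", szOrderBy);
 if (hardwareid != "") {
-result = m_sql.safe_query(
+szQuery = (
 "SELECT A.ID, A.DeviceID, A.Unit, A.Name, A.Used,A.Type, A.SubType,"
 " A.SignalLevel, A.BatteryLevel, A.nValue, A.sValue,"
 " A.LastUpdate, A.Favorite, A.SwitchType, A.HardwareID,"
@@ -8255,11 +8264,12 @@ namespace http {
 "FROM DeviceStatus as A LEFT OUTER JOIN DeviceToPlansMap as B "
 "ON (B.DeviceRowID==a.ID) AND (B.DevSceneType==0) "
 "WHERE (A.HardwareID == %q) "
-"ORDER BY %q",
-hardwareid.c_str(), szOrderBy);
+"ORDER BY ");
+szQuery += szOrderBy;
+result = m_sql.safe_query(szQuery.c_str(), hardwareid.c_str(), order.c_str());
 }
 else {
-result = m_sql.safe_query(
+szQuery = (
 "SELECT A.ID, A.DeviceID, A.Unit, A.Name, A.Used,A.Type, A.SubType,"
 " A.SignalLevel, A.BatteryLevel, A.nValue, A.sValue,"
 " A.LastUpdate, A.Favorite, A.SwitchType, A.HardwareID,"
@@ -8269,8 +8279,9 @@ namespace http {
 " A.Options "
 "FROM DeviceStatus as A LEFT OUTER JOIN DeviceToPlansMap as B "
 "ON (B.DeviceRowID==a.ID) AND (B.DevSceneType==0) "
-"ORDER BY %q",
-szOrderBy);
+"ORDER BY ");
+szQuery += szOrderBy;
+result = m_sql.safe_query(szQuery.c_str(), order.c_str());
 }
 }
 }
@@ -8351,14 +8362,14 @@ namespace http {
 bAllowDeviceToBeHidden = true;
 }
 
-if (order == "")
+if (order.empty() || (!isAlpha))
 strcpy(szOrderBy, "A.[Order],A.LastUpdate DESC");
 else
 {
-sprintf(szOrderBy, "A.[Order],A.%s ASC", order.c_str());
+sprintf(szOrderBy, "A.[Order],A.%%s ASC");
 }
 // _log.Log(LOG_STATUS, "Getting all devices for user %lu", m_users[iUser].ID);
-result = m_sql.safe_query(
+szQuery = (
 "SELECT A.ID, A.DeviceID, A.Unit, A.Name, A.Used,"
 " A.Type, A.SubType, A.SignalLevel, A.BatteryLevel,"
 " A.nValue, A.sValue, A.LastUpdate, A.Favorite,"
@@ -8371,8 +8382,9 @@ namespace http {
 "FROM DeviceStatus as A, SharedDevices as B "
 "LEFT OUTER JOIN DeviceToPlansMap as C ON (C.DeviceRowID==A.ID)"
 "WHERE (B.DeviceRowID==A.ID)"
-" AND (B.SharedUserID==%lu) ORDER BY %q",
-m_users[iUser].ID, szOrderBy);
+" AND (B.SharedUserID==%lu) ORDER BY ");
+szQuery += szOrderBy;
+result = m_sql.safe_query(szQuery.c_str(), m_users[iUser].ID, order.c_str());
 }
 }
 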
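Review bot: `isalpha(orderBy[i])` at new line 8007 is called on a plain `char` taken straight from the request; a byte ≥ 0x80 is a negative value, which `isalpha` is not defined for (only `EOF` and `unsigned char` values are), so the check is undefined behaviour on exactly the input it exists to reject — write `if (!isalpha(static_cast<unsigned char>(orderBy[i]))) { isAlpha = false; break; }`. The same `isAlpha` flag is then relied on at new lines 8248 and 8365, which appears to be the same function (it starts and ends outside these hunks), so the fix in one place covers all three. Because the filtered value is spliced into `ORDER BY` through `%s` rather than `%q`, this character class is the sole guard on that identifier; `isalpha` is also locale-dependent, so comparing `order` against the column names the query actually exposes would be a firmer allowlist than a character test. The copy `const std::string orderBy = order.c_str();` is unnecessary — the loop can iterate `order` directly.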