[rss] Implement a dirty hack to solve injection problems

Closes issue sopel-irc#198 for the time being, but module needs a rewrite for 4.0
maxpowa · Mar 4, 2013 · c022df3 · c022df3
1 parent 98764e2
commit c022df3
Showing 1 changed file with 10 additions and 5 deletions.
diff --git a/rss.py b/rss.py
@@ -16,11 +16,16 @@
 socket.setdefaulttimeout(10)
 INTERVAL = 10  # seconds between checking for new updates
 STOP = False
+#This is reset in setup().
+SUB = ('%s',)
 
 
 def checkdb(cursor):
     cursor.execute("CREATE TABLE IF NOT EXISTS rss ( channel text, site_name text, site_url text, fg text, bg text)")
 
+def setup(willie):
+    global SUB
+    SUB = (willie.db.substitution,)
 
 def manage_rss(willie, trigger):
     """ .rss operation channel site_name url -- operation can be either 'add', 'del', or 'list' no further operators needed if 'list' used """
@@ -66,19 +71,19 @@ def manage_rss(willie, trigger):
             fg_colour = fg_colour.zfill(2)
         if bg_colour:
             bg_colour = bg_colour.zfill(2)
-        c.execute('INSERT INTO rss VALUES ("%s","%s","%s","%s","%s")' % (channel, site_name, site_url, fg_colour, bg_colour))
+        c.execute('INSERT INTO rss VALUES ("%s","%s","%s","%s","%s")' % sub*5, (channel, site_name, site_url, fg_colour, bg_colour))
         conn.commit()
         c.close()
         willie.reply("Successfully added values to database.")
     elif len(text) == 3 and text[1] == 'del':
         # .rss del ##channel
-        c.execute('DELETE FROM rss WHERE channel = "%s"' % channel)
+        c.execute('DELETE FROM rss WHERE channel = "%s"' % SUB, channel)
         conn.commit()
         c.close()
         willie.reply("Successfully removed values from database.")
     elif len(text) >= 4 and text[1] == 'del':
         # .rss del ##channel Site_Name
-        c.execute('DELETE FROM rss WHERE channel = "%s" and site_name = "%s"', (channel, " ".join(text[3:])))
+        c.execute('DELETE FROM rss WHERE channel = "%s" and site_name = "%s"' % SUB*2, (channel, " ".join(text[3:])))
         conn.commit()
         c.close()
         willie.reply("Successfully removed the site from the given channel.")
@@ -149,7 +154,7 @@ def read_feeds(willie):
 
         # only print if new entry
         sql_text = (feed_channel, feed_site_name, entry.title, article_url)
-        cur.execute('SELECT * FROM recent WHERE channel = "%s" AND site_name = "%s" and article_title = "%s" AND article_url = "%s"' % sql_text)
+        cur.execute('SELECT * FROM recent WHERE channel = "%s" AND site_name = "%s" and article_title = "%s" AND article_url = "%s"' % SUB*4, sql_text)
         if len(cur.fetchall()) < 1:
 
             response = site_name_effect + " %s \x02%s\x02" % (entry.title, article_url)
@@ -159,7 +164,7 @@ def read_feeds(willie):
             willie.msg(feed_channel, response)
 
             t = (feed_channel, feed_site_name, entry.title, article_url,)
-            cur.execute('INSERT INTO recent VALUES ("%s", "%s", "%s", "%s")' % t)
+            cur.execute('INSERT INTO recent VALUES ("%s", "%s", "%s", "%s")' % SUB*4, t)
             conn.commit()
         else:
             if DEBUG: