From c022df36bfbee32d145c85b13fb28a8603ba5cf6 Mon Sep 17 00:00:00 2001 From: Edward Powell Date: Mon, 4 Mar 2013 18:29:02 -0500 Subject: [PATCH] [rss] Implement a dirty hack to solve injection problems Closes issue #198 for the time being, but module needs a rewrite for 4.0 --- rss.py | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/rss.py b/rss.py index a98592affd..87fde5b0b5 100644 --- a/rss.py +++ b/rss.py @@ -16,11 +16,16 @@ socket.setdefaulttimeout(10) INTERVAL = 10 # seconds between checking for new updates STOP = False +#This is reset in setup(). +SUB = ('%s',) def checkdb(cursor): cursor.execute("CREATE TABLE IF NOT EXISTS rss ( channel text, site_name text, site_url text, fg text, bg text)") +def setup(willie): + global SUB + SUB = (willie.db.substitution,) def manage_rss(willie, trigger): """ .rss operation channel site_name url -- operation can be either 'add', 'del', or 'list' no further operators needed if 'list' used """ 
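Review bot: The module-level fallback `SUB = ('%s',)` is only a correct placeholder for a driver with a `%s` paramstyle; if `willie.db.substitution` is `?` for the sqlite backend (presumably, since the value is fetched from the driver), any query built before `setup()` has run, or with no db configured, would put a literal `%s` into the SQL text and never bind. Consider leaving `SUB = None` until `setup()` fills it so that misuse fails loudly, or at least document the assumption. The comment on `SUB` should also say how it must be used, since it is a 1-tuple meant for tuple multiplication: `# 1-tuple holding the DB driver's bind placeholder ('?' or '%s'); use as sql % (SUB * n). Replaced in setup().` `setup()` deserves a docstring such as `"""Cache the configured backend's paramstyle placeholder so queries bind values instead of interpolating them."""`. manage_rss's body continues past the end of the hunk.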
@@ -66,19 +71,19 @@ def manage_rss(willie, trigger): fg_colour = fg_colour.zfill(2) if bg_colour: bg_colour = bg_colour.zfill(2) - c.execute('INSERT INTO rss VALUES ("%s","%s","%s","%s","%s")' % (channel, site_name, site_url, fg_colour, bg_colour)) + c.execute('INSERT INTO rss VALUES ("%s","%s","%s","%s","%s")' % sub*5, (channel, site_name, site_url, fg_colour, bg_colour)) conn.commit() c.close() willie.reply("Successfully added values to database.") elif len(text) == 3 and text[1] == 'del': # .rss del ##channel - c.execute('DELETE FROM rss WHERE channel = "%s"' % channel) + c.execute('DELETE FROM rss WHERE channel = "%s"' % SUB, channel) conn.commit() c.close() willie.reply("Successfully removed values from database.") elif len(text) >= 4 and text[1] == 'del': # .rss del ##channel Site_Name - c.execute('DELETE FROM rss WHERE channel = "%s" and site_name = "%s"', (channel, " ".join(text[3:]))) + c.execute('DELETE FROM rss WHERE channel = "%s" and site_name = "%s"' % SUB*2, (channel, " ".join(text[3:]))) conn.commit() c.close() willie.reply("Successfully removed the site from the given channel.") @@ -149,7 +154,7 @@ def read_feeds(willie): # only print if new entry sql_text = (feed_channel, feed_site_name, entry.title, article_url) - cur.execute('SELECT * FROM recent WHERE channel = "%s" AND site_name = "%s" and article_title = "%s" AND article_url = "%s"' % sql_text) + cur.execute('SELECT * FROM recent WHERE channel = "%s" AND site_name = "%s" and article_title = "%s" AND article_url = "%s"' % SUB*4, sql_text) if len(cur.fetchall()) < 1: response = site_name_effect + " %s \x02%s\x02" % (entry.title, article_url) @@ -159,7 +164,7 @@ def read_feeds(willie): willie.msg(feed_channel, response) t = (feed_channel, feed_site_name, entry.title, article_url,) - cur.execute('INSERT INTO recent VALUES ("%s", "%s", "%s", "%s")' % t) + cur.execute('INSERT INTO recent VALUES ("%s", "%s", "%s", "%s")' % SUB*4, t) conn.commit() else: if DEBUG:
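Review bot: The `.rss add` branch references `sub*5` (lowercase), which is not defined anywhere in the hunk, so that path raises NameError instead of running the query; it should be `SUB`. Even with the name fixed, `'...' % SUB*5` and `% SUB*2` parse as `('...' % SUB) * 5` because `%` and `*` share precedence, so the one-element tuple cannot fill five (or two) `%s` slots and the formatting itself raises TypeError; write `% (SUB * 5)` and `% (SUB * 2)`. The placeholders are also still wrapped in double quotes (`"%s"`), which turns the substituted `?` into a quoted literal rather than a bind marker, so the tuple passed as the second argument is never bound (sqlite3 reports a bindings-count mismatch); drop the quotes, e.g. `c.execute('INSERT INTO rss VALUES (%s,%s,%s,%s,%s)' % (SUB * 5), (channel, site_name, site_url, fg_colour, bg_colour))` and `c.execute('DELETE FROM rss WHERE channel = %s' % SUB, (channel,))`. The channel-only delete additionally passes `channel` as a bare string where the DB-API expects a parameter sequence, which sqlite3 would treat as one parameter per character. manage_rss starts before and ends after this hunk.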
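Review bot: `% SUB*4` on the new SELECT parses as `('...' % SUB) * 4`, so the four-slot format string is applied to a one-element tuple and raises TypeError before `sql_text` is ever bound; it needs `% (SUB * 4)`. The substituted placeholder also sits inside double quotes (`"%s"`), so the driver sees a quoted literal, not a bind marker, and the four values in `sql_text` are not bound (sqlite3 rejects the binding count outright). The query should read `'SELECT * FROM recent WHERE channel = %s AND site_name = %s and article_title = %s AND article_url = %s' % (SUB * 4)` with `sql_text` kept as the parameters argument. read_feeds begins before and continues after this hunk.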
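Review bot: The new INSERT into `recent` does not bind `t`: `% SUB*4` multiplies the already-formatted string instead of the tuple (equal precedence of `%` and `*`), which fails with TypeError, and the surrounding `"%s"` quotes would turn the placeholder into a string literal rather than a bind marker even once that is fixed. Use `cur.execute('INSERT INTO recent VALUES (%s, %s, %s, %s)' % (SUB * 4), t)`. Since each call site in the module repeats this `% (SUB * n)` step, a small helper such as `def _placeholders(n): return ', '.join(SUB * n)` would make it harder to get the precedence and quoting wrong again. read_feeds begins before and continues after this hunk.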