using table name sanitation function to ensure no weird characters are used by accident (e.g. by oddly configured table prefix)
parent
3b3b5277eb
commit
c33c50f775
@ -1,7 +1,6 @@
|
|||||||
{
|
{
|
||||||
"name": "privatebin/privatebin",
|
"name": "privatebin/privatebin",
|
||||||
"description": "PrivateBin is a minimalist, open source online pastebin where the server has zero knowledge of pasted data. Data is encrypted/decrypted in the browser using 256 bit AES in Galois Counter mode.",
|
"description": "PrivateBin is a minimalist, open source online pastebin where the server has zero knowledge of pasted data. Data is encrypted/decrypted in the browser using 256 bit AES in Galois Counter mode.",
|
||||||
"version": "0.22",
|
|
||||||
"repositories": [
|
"repositories": [
|
||||||
{
|
{
|
||||||
"type": "vcs",
|
"type": "vcs",
|
||||||
|
@ -606,7 +606,7 @@ class privatebin_db extends privatebin_abstract
|
|||||||
*/
|
*/
|
||||||
private static function _sanitizeIdentifier($identifier)
|
private static function _sanitizeIdentifier($identifier)
|
||||||
{
|
{
|
||||||
return self::$_prefix . preg_replace('/[^A-Za-z0-9_]+/', '', $identifier);
|
return preg_replace('/[^A-Za-z0-9_]+/', '', self::$_prefix . $identifier);
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
@ -624,45 +624,42 @@ class privatebin_db extends privatebin_abstract
|
|||||||
case '0.21':
|
case '0.21':
|
||||||
// create the meta column if necessary (pre 0.21 change)
|
// create the meta column if necessary (pre 0.21 change)
|
||||||
try {
|
try {
|
||||||
self::$_db->exec('SELECT meta FROM ' . self::$_prefix . 'paste LIMIT 1;');
|
self::$_db->exec('SELECT meta FROM ' . self::_sanitizeIdentifier('paste') . ' LIMIT 1;');
|
||||||
} catch (PDOException $e) {
|
} catch (PDOException $e) {
|
||||||
self::$_db->exec('ALTER TABLE ' . self::$_prefix . 'paste ADD COLUMN meta TEXT;');
|
self::$_db->exec('ALTER TABLE ' . self::_sanitizeIdentifier('paste') . ' ADD COLUMN meta TEXT;');
|
||||||
}
|
}
|
||||||
// SQLite only allows one ALTER statement at a time...
|
// SQLite only allows one ALTER statement at a time...
|
||||||
self::$_db->exec(
|
self::$_db->exec(
|
||||||
'ALTER TABLE ' . self::$_prefix . 'paste ADD COLUMN attachment MEDIUMBLOB;'
|
'ALTER TABLE ' . self::_sanitizeIdentifier('paste') . ' ADD COLUMN attachment MEDIUMBLOB;'
|
||||||
);
|
);
|
||||||
self::$_db->exec(
|
self::$_db->exec(
|
||||||
'ALTER TABLE ' . self::$_prefix . 'paste ADD COLUMN attachmentname BLOB;'
|
'ALTER TABLE ' . self::_sanitizeIdentifier('paste') . ' ADD COLUMN attachmentname BLOB;'
|
||||||
);
|
);
|
||||||
// SQLite doesn't support MODIFY, but it allows TEXT of similar
|
// SQLite doesn't support MODIFY, but it allows TEXT of similar
|
||||||
// size as BLOB, so there is no need to change it there
|
// size as BLOB, so there is no need to change it there
|
||||||
if (self::$_type !== 'sqlite')
|
if (self::$_type !== 'sqlite')
|
||||||
{
|
{
|
||||||
self::$_db->exec(
|
self::$_db->exec(
|
||||||
'ALTER TABLE ' . self::$_prefix . 'paste ' .
|
'ALTER TABLE ' . self::_sanitizeIdentifier('paste') .
|
||||||
'ADD PRIMARY KEY (dataid),' .
|
' ADD PRIMARY KEY (dataid), MODIFY COLUMN data BLOB;'
|
||||||
'MODIFY COLUMN data BLOB;'
|
|
||||||
);
|
);
|
||||||
self::$_db->exec(
|
self::$_db->exec(
|
||||||
'ALTER TABLE ' . self::$_prefix . 'comment ' .
|
'ALTER TABLE ' . self::_sanitizeIdentifier('comment') .
|
||||||
'ADD PRIMARY KEY (dataid),' .
|
' ADD PRIMARY KEY (dataid), MODIFY COLUMN data BLOB, ' .
|
||||||
'MODIFY COLUMN data BLOB, ' .
|
'MODIFY COLUMN nickname BLOB, MODIFY COLUMN vizhash BLOB;'
|
||||||
'MODIFY COLUMN nickname BLOB, ' .
|
|
||||||
'MODIFY COLUMN vizhash BLOB;'
|
|
||||||
);
|
);
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
self::$_db->exec(
|
self::$_db->exec(
|
||||||
'CREATE UNIQUE INDEX primary ON ' . self::$_prefix . 'paste(dataid);'
|
'CREATE UNIQUE INDEX primary ON ' . self::_sanitizeIdentifier('paste') . '(dataid);'
|
||||||
);
|
);
|
||||||
self::$_db->exec(
|
self::$_db->exec(
|
||||||
'CREATE UNIQUE INDEX primary ON ' . self::$_prefix . 'comment(dataid);'
|
'CREATE UNIQUE INDEX primary ON ' . self::_sanitizeIdentifier('comment') . '(dataid);'
|
||||||
);
|
);
|
||||||
}
|
}
|
||||||
self::$_db->exec(
|
self::$_db->exec(
|
||||||
'CREATE INDEX parent ON ' . self::$_prefix . 'comment(pasteid);'
|
'CREATE INDEX parent ON ' . self::_sanitizeIdentifier('comment') . '(pasteid);'
|
||||||
);
|
);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
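Review bot: `_sanitizeIdentifier()` in the first hunk now silently strips disallowed characters from the configured prefix, so a prefix like `pb-` (constructed example) resolves to a different table name than the one an existing installation created, and the upgrade statements in the second hunk would then run against, or fail on, the wrong table. Rejecting the value is safer than rewriting it: check the prefix once where it is read from configuration, e.g. `if (preg_match('/[^A-Za-z0-9_]/', self::$_prefix)) { throw new Exception('invalid table prefix'); }`, and keep the `preg_replace` only as a last line of defence. The function's docblock begins above the hunk and should state that the prefix is now part of the filtered string. Any query elsewhere in the class that still concatenates `self::$_prefix` directly is not visible on this page and would need the same treatment for the change to be consistent.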