From 7c0de08cc44e0b04f23d6f3fa2d6030991935c54 Mon Sep 17 00:00:00 2001
From: Aaron Wood <aaronjwood@gmail.com>
Date: Wed, 20 Jul 2016 08:20:45 -0400
Subject: [PATCH] Escape special characters (#25429)

* Escape LIKE parameter

* Escape LIKE parameter

* Escape LIKE parameter

* Escape LIKE parameter

* Escape LIKE parameter

* Use correct method in the AbstractMapping class

* Change the getNamesBySearch method so that input can be properly escaped while still supporting matches

* Don't escape hardcoded wildcard
---
 apps/dav/lib/Connector/Sabre/CustomPropertiesBackend.php | 2 +-
 apps/user_ldap/lib/Access.php                            | 2 +-
 apps/user_ldap/lib/Mapping/AbstractMapping.php           | 6 ++++--
 apps/user_ldap/tests/Mapping/AbstractMappingTest.php     | 2 +-
 lib/private/Group/Database.php                           | 4 ++--
 lib/private/Repair/RepairLegacyStorages.php              | 2 +-
 6 files changed, 10 insertions(+), 8 deletions(-)

diff --git a/apps/dav/lib/Connector/Sabre/CustomPropertiesBackend.php b/apps/dav/lib/Connector/Sabre/CustomPropertiesBackend.php
index d0d348e170e..b319350c7f0 100644
--- a/apps/dav/lib/Connector/Sabre/CustomPropertiesBackend.php
+++ b/apps/dav/lib/Connector/Sabre/CustomPropertiesBackend.php
@@ -327,7 +327,7 @@ class CustomPropertiesBackend implements BackendInterface {
 
 		$result = $this->connection->executeQuery(
 			$sql,
-			array($this->user, rtrim($path, '/') . '/%', $requestedProperties),
+			array($this->user, $this->connection->escapeLikeParameter(rtrim($path, '/')) . '/%', $requestedProperties),
 			array(null, null, \Doctrine\DBAL\Connection::PARAM_STR_ARRAY)
 		);
 
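Review bot: Whether the escaped value at L39 matches the intended rows depends on the database honouring the escape character that escapeLikeParameter inserts (presumably a backslash), and nothing in the hunk shows the LIKE in `$sql` carrying an `ESCAPE` clause; `$sql` is built outside the hunk. SQLite has no default escape character for LIKE, so a path containing `_` would be rewritten to `\_` and then fail to match itself on that driver, while MySQL and PostgreSQL default to backslash and are unaffected. Worth confirming that the raw SQL either appends `ESCAPE '\'` where the driver needs it or is routed through the query builder's like() expression, which can add it per platform. The same consideration applies to the LIKE statements changed in Access/AbstractMapping, Group/Database and RepairLegacyStorages below.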
diff --git a/apps/user_ldap/lib/Access.php b/apps/user_ldap/lib/Access.php
index 4d0753696ff..cdf12331477 100644
--- a/apps/user_ldap/lib/Access.php
+++ b/apps/user_ldap/lib/Access.php
@@ -623,7 +623,7 @@ class Access extends LDAPUtility implements IUserTools {
 	 * "Developers"
 	 */
 	private function _createAltInternalOwnCloudNameForGroups($name) {
-		$usedNames = $this->groupMapper->getNamesBySearch($name.'_%');
+		$usedNames = $this->groupMapper->getNamesBySearch($name, "", '_%');
 		if(!($usedNames) || count($usedNames) === 0) {
 			$lastNo = 1; //will become name_2
 		} else {
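Review bot: The `_` in the hardcoded postfix `'_%'` at L52 is still a single-character LIKE wildcard, so the lookup returns not only `Developers_2` but also names such as `Developers-2` or `Developersx`; this matches the old behaviour, but it is unclear from the hunk whether the suffix-parsing code that follows (outside the hunk) copes with such hits. If a literal underscore separator is what is meant, moving it into the escaped part gives exactly that: `$usedNames = $this->groupMapper->getNamesBySearch($name . '_', "", '%');`. _createAltInternalOwnCloudNameForGroups continues past the end of the hunk.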
diff --git a/apps/user_ldap/lib/Mapping/AbstractMapping.php b/apps/user_ldap/lib/Mapping/AbstractMapping.php
index 54fe7db366f..67fbd9fe851 100644
--- a/apps/user_ldap/lib/Mapping/AbstractMapping.php
+++ b/apps/user_ldap/lib/Mapping/AbstractMapping.php
@@ -138,16 +138,18 @@ abstract class AbstractMapping {
 	/**
 	 * Searches mapped names by the giving string in the name column
 	 * @param string $search
+	 * @param string $prefixMatch
+	 * @param string $postfixMatch
 	 * @return string[]
 	 */
-	public function getNamesBySearch($search) {
+	public function getNamesBySearch($search, $prefixMatch = "", $postfixMatch = "") {
 		$query = $this->dbc->prepare('
 			SELECT `owncloud_name`
 			FROM `'. $this->getTableName() .'`
 			WHERE `owncloud_name` LIKE ?
 		');
 
-		$res = $query->execute(array($search));
+		$res = $query->execute(array($prefixMatch.$this->dbc->escapeLikeParameter($search).$postfixMatch));
 		$names = array();
 		if($res !== false) {
 			while($row = $query->fetch()) {
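Review bot: The new @param lines at L64-L65 do not state the asymmetry that callers need to know: `$search` is passed through escapeLikeParameter at L77 and therefore matched literally, whereas `$prefixMatch` and `$postfixMatch` are concatenated unescaped and are the only place a `%` or `_` wildcard is honoured. Suggest `@param string $search literal text to find; LIKE wildcards in it are escaped`, `@param string $prefixMatch raw LIKE fragment (e.g. '%') prepended unescaped` and `@param string $postfixMatch raw LIKE fragment appended unescaped`, so that nobody later routes a user-supplied value through the prefix or postfix and reintroduces the unescaped-wildcard behaviour this commit removes. The method body continues beyond the hunk.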
diff --git a/apps/user_ldap/tests/Mapping/AbstractMappingTest.php b/apps/user_ldap/tests/Mapping/AbstractMappingTest.php
index ddd99d31709..a2e9f850913 100644
--- a/apps/user_ldap/tests/Mapping/AbstractMappingTest.php
+++ b/apps/user_ldap/tests/Mapping/AbstractMappingTest.php
@@ -164,7 +164,7 @@ abstract class AbstractMappingTest extends \Test\TestCase {
 	public function testSearch() {
 		list($mapper,) = $this->initTest();
 
-		$names = $mapper->getNamesBySearch('%oo%');
+		$names = $mapper->getNamesBySearch('oo', '%', '%');
 		$this->assertTrue(is_array($names));
 		$this->assertSame(2, count($names));
 		$this->assertTrue(in_array('Foobar', $names));
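Review bot: testSearch now only exercises the wildcard pass-through via `$prefixMatch`/`$postfixMatch`; nothing in the test asserts the escaping this commit introduces, so a regression to the old unescaped behaviour would go unnoticed. A second assertion with the wildcards in the search term itself, e.g. `$this->assertSame(0, count($mapper->getNamesBySearch('%oo%')));`, would pin the literal treatment, assuming no fixture name literally contains `%oo%` (the fixtures come from initTest, outside the hunk). The test method continues past the hunk.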
diff --git a/lib/private/Group/Database.php b/lib/private/Group/Database.php
index 36d19f74cc6..64f249d4d25 100644
--- a/lib/private/Group/Database.php
+++ b/lib/private/Group/Database.php
@@ -285,7 +285,7 @@ class Database extends \OC\Group\Backend {
 		$parameters = [$gid];
 		$searchLike = '';
 		if ($search !== '') {
-			$parameters[] = '%' . $search . '%';
+			$parameters[] = '%' . $this->dbConn->escapeLikeParameter($search) . '%';
 			$searchLike = ' AND `uid` LIKE ?';
 		}
 
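Review bot: The pattern construction `'%' . $this->dbConn->escapeLikeParameter($search) . '%'` at L103 is repeated verbatim at L112 in the next hunk, together with the identical `$searchLike` handling around it. A small private helper such as `private function buildSearchPattern($search) { return '%' . $this->dbConn->escapeLikeParameter($search) . '%'; }` called from both places would keep the two methods from drifting apart the next time the escaping rule changes. Both enclosing methods start and end outside their hunks.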
@@ -311,7 +311,7 @@ class Database extends \OC\Group\Backend {
 		$parameters = [$gid];
 		$searchLike = '';
 		if ($search !== '') {
-			$parameters[] = '%' . $search . '%';
+			$parameters[] = '%' . $this->dbConn->escapeLikeParameter($search) . '%';
 			$searchLike = ' AND `uid` LIKE ?';
 		}
 
diff --git a/lib/private/Repair/RepairLegacyStorages.php b/lib/private/Repair/RepairLegacyStorages.php
index 8ef20cdf3c2..096300f51c2 100644
--- a/lib/private/Repair/RepairLegacyStorages.php
+++ b/lib/private/Repair/RepairLegacyStorages.php
@@ -172,7 +172,7 @@ class RepairLegacyStorages implements IRepairStep{
 		$sql = 'SELECT `id`, `numeric_id` FROM `*PREFIX*storages`'
 			. ' WHERE `id` LIKE ?'
 			. ' ORDER BY `id`';
-		$result = $this->connection->executeQuery($sql, array($dataDirId . '%'));
+		$result = $this->connection->executeQuery($sql, array($this->connection->escapeLikeParameter($dataDirId) . '%'));
 
 		while ($row = $result->fetch()) {
 			$currentId = $row['id'];
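Review bot: A one-line comment on L125 would help the next reader understand why a config-derived value like `$dataDirId` (built outside the hunk) needs escaping at all: `// escape LIKE wildcards: a data directory id may contain '_' or '%', which would otherwise match other storages' ids`. Without it the escape call looks like needless defensive code on trusted input and risks being removed.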
-- 
GitLab