From: ludo@gnu.org (Ludovic Courtès)
To: Danny Milosavljevic
Cc: 30386-done@debbugs.gnu.org
Subject: bug#30386: [PATCH v2 cuirass] database: Prevent SQL injection.
Date: Fri, 02 Mar 2018 13:59:06 +0100
Message-ID: <87a7vqhbvp.fsf@gnu.org>
In-Reply-To: <20180208163432.9468-1-dannym@scratchpost.org> (Danny Milosavljevic's message of "Thu, 8 Feb 2018 17:34:32 +0100")
References: <20180207231258.31169-1-dannym@scratchpost.org> <20180208163432.9468-1-dannym@scratchpost.org>

Danny Milosavljevic wrote:

> + (stmt-text (format #f "\
> +SELECT Builds.id, Builds.timestamp, Builds.starttime, Builds.stoptime, Builds.log, Builds.status, Builds.derivation,\
> +Derivations.job_name, Derivations.system, Derivations.nix_name,\
> +Specifications.repo_name, Specifications.branch \
> +FROM Builds \
> +INNER JOIN Derivations ON Builds.derivation = Derivations.derivation AND Builds.evaluation = Derivations.evaluation \
> +INNER JOIN Evaluations ON Derivations.evaluation = Evaluations.id \
> +INNER JOIN Specifications ON Evaluations.specification = Specifications.repo_name \
> +WHERE (:id IS NULL OR (:id = Builds.id)) \
> +OR (:project IS NULL OR (:project = Specifications.repo_name)) \
> +OR (:jobset IS NULL OR (:jobset = Specifications.branch)) \
> +OR (:job IS NULL OR (:job = Derivations.job_name)) \
> +OR (:system IS NULL OR (:system = Derivations.system)) \
> +OR (:status IS NULL OR (:status = 'done' AND Builds.status >= 0) OR (:status = 'pending' AND Builds.status < 0)) \
> +ORDER BY ~a ~a LIMIT :nr;" order-column-name order))
> + (stmt (sqlite-prepare db stmt-text #:cache? #t)))
> + (sqlite-bind-args stmt #:id (assqx-ref filters 'id)
> + #:project (assqx-ref filters 'project)
> + #:jobset (assqx-ref filters 'jobset)
> + #:job (assqx-ref filters 'job)
> + #:system (assqx-ref filters 'system)
> + #:status (and=> (assqx-ref filters 'status)
> + object->string)
> + #:nr (match (assqx-ref filters 'nr)
> + (#f -1)
> + (x x)))

This was pushed as 1bab5c4e56eb1849edc2cf0b23d433aeb2cac421, closing this issue now.

Thank you!

Ludo’.
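Review bot: the filter terms in the WHERE clause are joined with OR, so as soon as any one filter is unset (say `:project IS NULL`) that term is true and the whole predicate is true, which makes every other filter dead and returns all builds; the terms should be combined with AND, i.e. `WHERE (:id IS NULL OR :id = Builds.id) AND (:project IS NULL OR :project = Specifications.repo_name) AND ...`. Separately, binding `:id`, `:project`, `:jobset`, `:job`, `:system`, `:status` and `:nr` removes the injection for the values, but `ORDER BY ~a ~a` is still spliced into the statement text with `format`; `order-column-name` and `order` cannot be bound parameters, so this is only safe if both are checked against a fixed set of column names and `ASC`/`DESC` before reaching this call, and that check is not visible in the hunk. Finally, the `(:status = 'done' ...)` comparisons only work if `object->string` yields exactly `done` or `pending`, which holds for the symbols `'done` and `'pending` but not for the strings `"done"` and `"pending"`, which `object->string` renders with their quotes and would silently match nothing.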