wamo/gnu-social
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

[Directory] Fix SQL string quotation

Browse Source
This commit is contained in:
Alexei Sorokin 2020-08-26 16:27:35 +03:00
parent 00c492891e
commit db593496a7
1 changed files with 78 additions and 72 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

150
plugins/Directory/actions/groupdirectory.php
View File

@ -1,50 +1,44 @@
<?php <?php
// This file is part of GNU social - https://www.gnu.org/software/social
//
// GNU social is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
//
// GNU social is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU Affero General Public License for more details.
//
// You should have received a copy of the GNU Affero General Public License
// along with GNU social. If not, see <http://www.gnu.org/licenses/>.
/** /**
* StatusNet, the distributed open-source microblogging tool
*
* Output a group directory * Output a group directory
* *
* PHP version 5
*
* LICENCE: This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
* @category Public * @category Public
* @package StatusNet * @package GNUsocial
* @author Zach Copley <zach@status.net> * @author Zach Copley <zach@status.net>
* @copyright 2011 StatusNet, Inc. * @copyright 2011 StatusNet, Inc.
* @license http://www.fsf.org/licensing/licenses/agpl-3.0.html GNU Affero General Public License version 3.0 * @license https://www.gnu.org/licenses/agpl.html GNU AGPL v3 or late
* @link http://status.net/
*/ */
if (!defined('GNUSOCIAL')) { defined('GNUSOCIAL') || die();
exit(1);
}
/** /**
* Group directory * Group directory
* *
* @category Directory * @category Directory
* @package StatusNet * @package GNUsocial
* @author Zach Copley <zach@status.net> * @author Zach Copley <zach@status.net>
* @author Mikael Nordfeldth <mmn@hethane.se> * @author Mikael Nordfeldth <mmn@hethane.se>
* @license http://www.fsf.org/licensing/licenses/agpl-3.0.html GNU Affero General Public License version 3.0 * @license https://www.gnu.org/licenses/agpl.html GNU AGPL v3 or late
* @link http://status.net/
*/ */
class GroupdirectoryAction extends ManagedAction class GroupdirectoryAction extends ManagedAction
{ {
protected $redirectAfterLogin = true; protected $redirectAfterLogin = true;
/** /**
* The page we're on * The page we're on
* *
@ -175,13 +169,16 @@ class GroupdirectoryAction extends ManagedAction
public function showContent() public function showContent()
{ {
if (common_logged_in()) { if (common_logged_in()) {
$this->elementStart('p', $this->elementStart('p', ['id' => 'new_group']);
['id' => 'new_group']); $this->element(
$this->element('a', 'a',
['href' => common_local_url('newgroup'), [
'class' => 'more'], 'href' => common_local_url('newgroup'),
// TRANS: Link to create a new group on the group list page. 'class' => 'more',
_m('Create a new group')); ],
// TRANS: Link to create a new group on the group list page.
_m('Create a new group')
);
$this->elementEnd('p'); $this->elementEnd('p');
} }
@ -232,11 +229,12 @@ class GroupdirectoryAction extends ManagedAction
public function showForm($error=null) public function showForm($error=null)
{ {
$this->elementStart('form', $this->elementStart('form', [
['method' => 'get', 'method' => 'get',
'id' => 'form_search', 'id' => 'form_search',
'class' => 'form_settings', 'class' => 'form_settings',
'action' => common_local_url('groupdirectory')]); 'action' => common_local_url('groupdirectory'),
]);
$this->elementStart('fieldset'); $this->elementStart('fieldset');
@ -273,17 +271,20 @@ class GroupdirectoryAction extends ManagedAction
$wheres = ['nickname', 'fullname', 'homepage', 'description', 'location']; $wheres = ['nickname', 'fullname', 'homepage', 'description', 'location'];
foreach ($wheres as $where) { foreach ($wheres as $where) {
// Double % because of sprintf // Double % because of sprintf
$group->whereAdd(sprintf('LOWER(%1$s.%2$s) LIKE LOWER("%%%3$s%%")', $group->whereAdd(sprintf(
$group->escapedTableName(), 'LOWER(%1$s.%2$s) LIKE LOWER(\'%%%3$s%%\')',
$where, $group->escapedTableName(),
$group->escape($this->q)), $where,
'OR'); $group->escape($this->q)
), 'OR');
} }
$order = sprintf('%1$s.%2$s %3$s', $order = sprintf(
$group->escapedTableName(), '%1$s.%2$s %3$s',
$this->getSortKey('created'), $group->escapedTableName(),
$this->reverse ? 'DESC' : 'ASC'); $this->getSortKey('created'),
$this->reverse ? 'DESC' : 'ASC'
);
} else { } else {
// User is browsing via AlphaNav // User is browsing via AlphaNav
@ -292,24 +293,30 @@ class GroupdirectoryAction extends ManagedAction
// NOOP // NOOP
break; break;
case '0-9': case '0-9':
$group->whereAdd(sprintf('LEFT(%1$s.%2$s, 1) BETWEEN %3$s AND %4$s', $group->whereAdd(sprintf(
$group->escapedTableName(), 'LEFT(%1$s.%2$s, 1) BETWEEN %3$s AND %4$s',
'nickname', $group->escapedTableName(),
$group->_quote("0"), 'nickname',
$group->_quote("9"))); $group->_quote('0'),
$group->_quote('9')
));
break; break;
default: default:
$group->whereAdd(sprintf('LEFT(LOWER(%1$s.%2$s), 1) = %3$s', $group->whereAdd(sprintf(
$group->escapedTableName(), 'LEFT(LOWER(%1$s.%2$s), 1) = %3$s',
'nickname', $group->escapedTableName(),
$group->_quote($this->filter))); 'nickname',
$group->_quote($this->filter)
));
} }
$order = sprintf('%1$s.%2$s %3$s, %1$s.%4$s ASC', $order = sprintf(
$group->escapedTableName(), '%1$s.%2$s %3$s, %1$s.%4$s ASC',
$this->getSortKey('nickname'), $group->escapedTableName(),
$this->reverse ? 'DESC' : 'ASC', $this->getSortKey('nickname'),
'nickname'); $this->reverse ? 'DESC' : 'ASC',
'nickname'
);
} }
$offset = ($this->page-1) * PROFILES_PER_PAGE; $offset = ($this->page-1) * PROFILES_PER_PAGE;
@ -347,13 +354,12 @@ class GroupdirectoryAction extends ManagedAction
public function showEmptyListMessage() public function showEmptyListMessage()
{ {
if (!empty($this->filter) && ($this->filter != 'all')) { if (!empty($this->filter) && ($this->filter != 'all')) {
$this->element('p', $this->element('p', 'error', sprintf(
'error', // TRANS: Empty list message for searching group directory.
sprintf( // TRANS: %s is the search string.
// TRANS: Empty list message for searching group directory. _m('No groups starting with %s.'),
// TRANS: %s is the search string. $this->filter
_m('No groups starting with %s.'), ));
$this->filter));
} else { } else {
// TRANS: Empty list message for searching group directory. // TRANS: Empty list message for searching group directory.
$this->element('p', 'error', _m('No results.')); $this->element('p', 'error', _m('No results.'));