From 47c5167acb0a4a2c809c03dc664fea1d130d0c8b Mon Sep 17 00:00:00 2001
From: Lukas Fleischer <archlinux@cryptocrack.de>
Date: Thu, 20 Oct 2011 08:43:44 +0200
Subject: Escape wildcards in "LIKE" patterns

Percent signs ("%") and underscores ("_") are not escaped by
mysql_real_escape_string() and are interpreted as wildcards if combined
with "LIKE". Write a wrapper function db_escape_like() and use it where
appropriate.

Note that we already fixed this for the RPC interface in commit
da2ebb667b7a332ddd8d905bf9b9a8694765fed6 but missed the other places.
This patch should fix all remaining flaws reported in FS#26527.

Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>
Signed-off-by: Dan McGee <dan@archlinux.org>
---
 web/lib/acctfuncs.inc.php |  8 ++++----
 web/lib/aur.inc.php       |  5 +++++
 web/lib/aurjson.class.php |  3 +--
 web/lib/pkgfuncs.inc.php  | 12 +++++-------
 4 files changed, 15 insertions(+), 13 deletions(-)

diff --git a/web/lib/acctfuncs.inc.php b/web/lib/acctfuncs.inc.php
index 8b562592..512e66ce 100644
--- a/web/lib/acctfuncs.inc.php
+++ b/web/lib/acctfuncs.inc.php
@@ -373,19 +373,19 @@ function search_results_page($UTYPE,$O=0,$SB="",$U="",$T="",
 		$search_vars[] = "S";
 	}
 	if ($U) {
-		$q.= "AND Username LIKE '%".db_escape_string($U)."%' ";
+		$q.= "AND Username LIKE '%".db_escape_like($U)."%' ";
 		$search_vars[] = "U";
 	}
 	if ($E) {
-		$q.= "AND Email LIKE '%".db_escape_string($E)."%' ";
+		$q.= "AND Email LIKE '%".db_escape_like($E)."%' ";
 		$search_vars[] = "E";
 	}
 	if ($R) {
-		$q.= "AND RealName LIKE '%".db_escape_string($R)."%' ";
+		$q.= "AND RealName LIKE '%".db_escape_like($R)."%' ";
 		$search_vars[] = "R";
 	}
 	if ($I) {
-		$q.= "AND IRCNick LIKE '%".db_escape_string($I)."%' ";
+		$q.= "AND IRCNick LIKE '%".db_escape_like($I)."%' ";
 		$search_vars[] = "I";
 	}
 	switch ($SB) {
diff --git a/web/lib/aur.inc.php b/web/lib/aur.inc.php
index e4e1cb57..ed0920f9 100644
--- a/web/lib/aur.inc.php
+++ b/web/lib/aur.inc.php
@@ -229,6 +229,11 @@ function db_escape_string($string) {
 	return mysql_real_escape_string($string);
 }
 
+# Escape strings for usage in SQL LIKE operators.
+function db_escape_like($string) {
+	return addcslashes(mysql_real_escape_string($string), '%_');
+}
+
 # disconnect from the database
 # this won't normally be needed as PHP/reference counting will take care of
 # closing the connection once it is no longer referenced
diff --git a/web/lib/aurjson.class.php b/web/lib/aurjson.class.php
index e6e62f4b..234a3c43 100644
--- a/web/lib/aurjson.class.php
+++ b/web/lib/aurjson.class.php
@@ -195,8 +195,7 @@ class AurJSON {
             return $this->json_error('Query arg too small');
         }
 
-        $keyword_string = db_escape_string($keyword_string, $this->dbh);
-        $keyword_string = addcslashes($keyword_string, '%_');
+        $keyword_string = db_escape_like($keyword_string, $this->dbh);
 
         $where_condition = "( Name LIKE '%{$keyword_string}%' OR " .
             "Description LIKE '%{$keyword_string}%' )";
diff --git a/web/lib/pkgfuncs.inc.php b/web/lib/pkgfuncs.inc.php
index 8d2799cc..558cf3fd 100644
--- a/web/lib/pkgfuncs.inc.php
+++ b/web/lib/pkgfuncs.inc.php
@@ -457,11 +457,9 @@ function pkg_search_page($SID="", $dbh=NULL) {
 	}
 
 	if (isset($_GET['K'])) {
-		$_GET['K'] = db_escape_string(trim($_GET['K']));
-
 		# Search by maintainer
 		if (isset($_GET["SeB"]) && $_GET["SeB"] == "m") {
-			$q_where .= "AND Users.Username = '".$_GET['K']."' ";
+			$q_where .= "AND Users.Username = '".db_escape_string($_GET['K'])."' ";
 		}
 		# Search by submitter
 		elseif (isset($_GET["SeB"]) && $_GET["SeB"] == "s") {
@@ -469,16 +467,16 @@ function pkg_search_page($SID="", $dbh=NULL) {
 		}
 		# Search by name
 		elseif (isset($_GET["SeB"]) && $_GET["SeB"] == "n") {
-			$q_where .= "AND (Name LIKE '%".$_GET['K']."%') ";
+			$q_where .= "AND (Name LIKE '%".db_escape_like($_GET['K'])."%') ";
 		}
 		# Search by name (exact match)
 		elseif (isset($_GET["SeB"]) && $_GET["SeB"] == "x") {
-			$q_where .= "AND (Name = '".$_GET['K']."') ";
+			$q_where .= "AND (Name = '".db_escape_string($_GET['K'])."') ";
 		}
 		# Search by name and description (Default)
 		else {
-			$q_where .= "AND (Name LIKE '%".$_GET['K']."%' OR ";
-			$q_where .= "Description LIKE '%".$_GET['K']."%') ";
+			$q_where .= "AND (Name LIKE '%".db_escape_like($_GET['K'])."%' OR ";
+			$q_where .= "Description LIKE '%".db_escape_like($_GET['K'])."%') ";
 		}
 	}
 
-- 
cgit v1.2.3-24-g4f1b