From d45a73777935c86fc5131955831833d7465b5e9d Mon Sep 17 00:00:00 2001
From: Bharat Mediratta
Date: Mon, 21 Jan 2013 01:22:01 -0500
Subject: Update copyright to 2013. Fixes #1953.
---
 modules/g2_import/controllers/g2.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'modules/g2_import/controllers/g2.php')
diff --git a/modules/g2_import/controllers/g2.php b/modules/g2_import/controllers/g2.php
index 98eb57f1..5a76940e 100644
--- a/modules/g2_import/controllers/g2.php
+++ b/modules/g2_import/controllers/g2.php
@@ -1,7 +1,7 @@
Date: Fri, 25 Jan 2013 08:47:29 +0100
Subject: #1956 - Escape LIKE queries (for _ and %).

In MySQL queries, _ and % characters are treated as wildcards (similar to ? and *, respectively).
- Added escape_for_like function to MY_Database.php
- Added unit test to Database_Test
- Corrected the five unescaped instances in the code using this function.
---
 modules/g2_import/controllers/g2.php | 2 +-
 modules/gallery/helpers/item_rest.php | 2 +-
 modules/gallery/libraries/MY_Database.php | 10 ++++++++++
 modules/gallery/libraries/drivers/Cache/Database.php | 4 ++--
 modules/gallery/tests/Database_Test.php | 6 ++++++
 modules/tag/controllers/tags.php | 2 +-
 6 files changed, 21 insertions(+), 5 deletions(-)
(limited to 'modules/g2_import/controllers/g2.php')
diff --git a/modules/g2_import/controllers/g2.php b/modules/g2_import/controllers/g2.php
index 5a76940e..0645266b 100644
--- a/modules/g2_import/controllers/g2.php
+++ b/modules/g2_import/controllers/g2.php
@@ -49,7 +49,7 @@ class G2_Controller extends Controller {
 if ($view == "core.DownloadItem") {
 $where[] = array("resource_type", "IN", array("file", "resize", "thumbnail", "full"));
 } else if ($view) {
- $where[] = array("g2_url", "like", "%g2_view=$view%");
+ $where[] = array("g2_url", "LIKE", "%" . Database::escape_for_like("g2_view=$view") . "%");
 }
 // else: Assuming that the first search hit is sufficiently good.
 } else if ($path) {
 $where = array(array("g2_url", "IN", array($path, str_replace(" ", "+", $path))));
diff --git a/modules/gallery/helpers/item_rest.php b/modules/gallery/helpers/item_rest.php
index 10799567..efeba2ef 100644
--- a/modules/gallery/helpers/item_rest.php
+++ b/modules/gallery/helpers/item_rest.php
@@ -64,7 +64,7 @@ class item_rest_Core {
 }

 if (isset($p->name)) {
- $orm->where("name", "LIKE", "%{$p->name}%");
+ $orm->where("name", "LIKE", "%" . Database::escape_for_like($p->name) . "%");
 }

 if (isset($p->type)) {
diff --git a/modules/gallery/libraries/MY_Database.php b/modules/gallery/libraries/MY_Database.php
index aae0bb79..33759b67 100644
--- a/modules/gallery/libraries/MY_Database.php
+++ b/modules/gallery/libraries/MY_Database.php
@@ -88,4 +88,14 @@ abstract class Database extends Database_Core {
 static function set_default_instance($db) {
 self::$instances["default"] = $db;
 }
+
+ /**
+ * Escape LIKE queries, add wildcards. In MySQL queries using LIKE, _ and % characters are
+ * treated as wildcards similar to ? and *, respectively. Therefore, we need to escape _, %,
+ * and \ (the escape character itself).
+ */
+ static function escape_for_like($value) {
+ // backslash must go first to avoid double-escaping
+ return addcslashes($value, '\_%');
+ }
 }
\ No newline at end of file
diff --git a/modules/gallery/libraries/drivers/Cache/Database.php b/modules/gallery/libraries/drivers/Cache/Database.php
index a7aae92c..8790d0e1 100644
--- a/modules/gallery/libraries/drivers/Cache/Database.php
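Review bot: The comment `// backslash must go first to avoid double-escaping` inside escape_for_like() in the MY_Database.php hunk describes a constraint that does not exist: addcslashes() prefixes every listed character in a single pass, so the order of `\_%` has no effect, and a reader may wrongly conclude the list cannot be touched. Replace it with `// escape the LIKE wildcards and the escape character itself; addcslashes() handles all three in one pass`. The docblock should also state what the helper silently relies on: backslash is the LIKE escape character only by MySQL default, and the escaped value must still pass through the query builder's normal value quoting — which is what the where() calls in g2.php, item_rest.php, Cache/Database.php and tags.php do, none of them adding an explicit ESCAPE clause, so the helper is not portable to an engine without that default. The enclosing class continues outside the hunk.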
+++ b/modules/gallery/libraries/drivers/Cache/Database.php
@@ -69,7 +69,7 @@ class Cache_Database_Driver extends Cache_Driver {
 ->select()
 ->from("caches");
 foreach ($tags as $tag) {
- $db->where("tags", "LIKE", "%<$tag>%");
+ $db->where("tags", "LIKE", "%" . Database::escape_for_like("<$tag>") . "%");
 }

 $db_result = $db->execute();
@@ -139,7 +139,7 @@ class Cache_Database_Driver extends Cache_Driver {
 // Delete all caches
 } else if ($is_tag === true) {
 foreach ($keys as $tag) {
- $db->where("tags", "LIKE", "%<$tag>%");
+ $db->where("tags", "LIKE", "%" . Database::escape_for_like("<$tag>") . "%");
 }
 } else {
 $db->where("key", "IN", $keys);
diff --git a/modules/gallery/tests/Database_Test.php b/modules/gallery/tests/Database_Test.php
index ab3290a9..106062f5 100644
--- a/modules/gallery/tests/Database_Test.php
+++ b/modules/gallery/tests/Database_Test.php
@@ -147,6 +147,12 @@ class Database_Test extends Gallery_Unit_Test_Case {
 $sql = str_replace("\n", " ", $sql);
 $this->assert_same("UPDATE [test_tables] SET [name] = [Test Name] WHERE [1] = [1]", $sql);
 }
+
+ function escape_for_like_test() {
+ // Note: literal double backslash is written as \\\
+ $this->assert_same('basic\_test', Database::escape_for_like("basic_test"));
+ $this->assert_same('\\\100\%\_test/', Database::escape_for_like('\100%_test/'));
+ }
 }

 class Database_Mock extends Database {
diff --git a/modules/tag/controllers/tags.php b/modules/tag/controllers/tags.php
index 77ad7f50..77d45a95 100644
--- a/modules/tag/controllers/tags.php
+++ b/modules/tag/controllers/tags.php
@@ -52,7 +52,7 @@ class Tags_Controller extends Controller {
 $limit = Input::instance()->get("limit");
 $tag_part = ltrim(end($tag_parts));
 $tag_list = ORM::factory("tag")
- ->where("name", "LIKE", "{$tag_part}%")
+ ->where("name", "LIKE", Database::escape_for_like($tag_part) . "%")
 ->order_by("name", "ASC")
 ->limit($limit)
 ->find_all();
-- cgit v1.2.3
From 91acf812a12c331c7bac53a8718419b024dff4a6 Mon Sep 17 00:00:00 2001
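Review bot: escape_for_like_test() in the Database_Test.php hunk only exercises inputs that contain metacharacters, so a regression that also escaped ordinary characters, or mangled plain text, would still pass for the common case of a tag or item name with no `_`, `%` or `\` in it. Add a pass-through case and the empty-string case: `$this->assert_same("plain name", Database::escape_for_like("plain name"));` and `$this->assert_same("", Database::escape_for_like(""));`. The Cache/Database.php and tags.php hunks sharing this line are call-site changes covered by the same helper and need no separate note.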
From: Mike Miller
Date: Mon, 28 Jan 2013 17:05:43 +0200
Subject: #1973 Handle redirected G2 URLs for tags, including g2_itemId passed
---
 modules/g2_import/controllers/g2.php | 27 +++++++++++++++++++++++----
 1 file changed, 23 insertions(+), 4 deletions(-)
(limited to 'modules/g2_import/controllers/g2.php')
diff --git a/modules/g2_import/controllers/g2.php b/modules/g2_import/controllers/g2.php
index 5a76940e..ba8ae7fa 100644
--- a/modules/g2_import/controllers/g2.php
+++ b/modules/g2_import/controllers/g2.php
@@ -33,10 +33,30 @@ class G2_Controller extends Controller {
 $input = Input::instance();
 $path = $input->get("path");
 $id = $input->get("g2_itemId");
+ $view = $input->get("g2_view");

- /* Tags are handled specially, since there's no mapping for them */
- if (($path && 0 === strpos($path, "tag/"))) {
- url::redirect("tag_name/" . substr($path, 4));
+ // Tags did not have mappings created, so we need to catch them first. However, if a g2_itemId was
+ // passed, we'll want to show lookup the mapping anyway
+ if (($path && 0 === strpos($path, "tag/")) || $view = "tags.VirtualAlbum") {
+ if (0 === strpos($path, "tag/")) {
+ $tag_name = substr($path, 4);
+ }
+ if ($view == "tags.VirtualAlbum") {
+ $tag_name = $input->get("g2_tagName");
+ }
+
+ if (!$id) {
+ url::redirect("tag_name/$tag_name");
+ }
+
+ $tag = ORM::factory("tag")->where("name", "=", $tag_name)->find();
+ if ($tag->loaded()) {
+ item::set_display_context_callback("Tag_Controller::get_display_context", $tag->id);
+ // We want to show the item as part of the tag virtual album. Most of this code is below; we'll
+ // change $path and $view to let it fall through
+ $view = "";
+ $path = "";
+ }
 }

 if (($path && $path != 'index.php' && $path != 'main.php') || $id) {
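Review bot: `url::redirect("tag_name/$tag_name");` in the added block interpolates the tag name taken from the `g2_tagName` query parameter (or the path suffix) straight into the redirect target, so a name containing `/`, `?`, `#` or `%` alters the resulting URL instead of travelling as a tag name; unless url::redirect() encodes its argument, which is not visible here, encode the segment, e.g. `url::redirect("tag_name/" . rawurlencode($tag_name));` if the tag_name route decodes it (the 301 form of the same line in 6e757f99 below has the same issue). The comment `// passed, we'll want to show lookup the mapping anyway` reads as a typo; `// passed, we'll want to look up the mapping anyway` says what the code does. Note also that `|| $view = "tags.VirtualAlbum"` on the if line is an assignment, which d3ca2617 further down corrects to `==`. The enclosing method starts and ends outside the hunk.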
@@ -45,7 +65,6 @@ class G2_Controller extends Controller {
 // Gallery 2 don't specify g2_view if it's the default (core.ShowItem). And in some cases
 // (bbcode, embedding) people are using the id style URLs although URL rewriting is enabled.
 $where = array(array("g2_id", "=", $id));
- $view = $input->get("g2_view");
 if ($view == "core.DownloadItem") {
 $where[] = array("resource_type", "IN", array("file", "resize", "thumbnail", "full"));
 } else if ($view) {
-- cgit v1.2.3
From 6e757f9988545aa0afbf5b345f81cbfcc6bed7ab Mon Sep 17 00:00:00 2001
From: Mike Miller
Date: Fri, 1 Feb 2013 15:33:18 +0200
Subject: #1987 g2_import module should redirect with a 301, not 302

As the g2_import process is generally assumed to be permanent, the redirect should be a 301, and not a 302.
---
 modules/g2_import/controllers/g2.php | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
(limited to 'modules/g2_import/controllers/g2.php')
diff --git a/modules/g2_import/controllers/g2.php b/modules/g2_import/controllers/g2.php
index 3641b342..c9b1d182 100644
--- a/modules/g2_import/controllers/g2.php
+++ b/modules/g2_import/controllers/g2.php
@@ -46,7 +46,7 @@ class G2_Controller extends Controller {
 }

 if (!$id) {
- url::redirect("tag_name/$tag_name");
+ url::redirect("tag_name/$tag_name", 301);
 }

 $tag = ORM::factory("tag")->where("name", "=", $tag_name)->find();
@@ -99,18 +99,18 @@ class G2_Controller extends Controller {
 // Redirect the user to the new url
 switch ($resource_type) {
 case "thumbnail":
- url::redirect($item->thumb_url(true));
+ url::redirect($item->thumb_url(true), 301);

 case "resize":
- url::redirect($item->resize_url(true));
+ url::redirect($item->resize_url(true), 301);

 case "file":
 case "full":
- url::redirect($item->file_url(true));
+ url::redirect($item->file_url(true), 301);

 case "item":
 case "album":
- url::redirect($item->abs_url());
+ url::redirect($item->abs_url(), 301);

 case "group":
 case "user":
-- cgit v1.2.3
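Review bot: Every `case` in the @@ -99,18 hunk now ends in a `url::redirect(..., 301)` call with no `break`, so the switch is only correct because url::redirect() presumably terminates the request; that reliance is invisible at the call site, and a redirect helper that returned would send a "thumbnail" request on to the resize redirect. Make it explicit with `// url::redirect() does not return, so no break is needed` above `switch ($resource_type) {`, or add `return;` after each call. Since 301 responses are cached by browsers, a mapping that later turns out to be wrong keeps being followed by clients that already saw it; that trade-off belongs in the commit rationale or a comment next to the status code. The switch continues outside the hunk.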
From d3ca2617f21be55509a30b02babec156f0bac539 Mon Sep 17 00:00:00 2001
From: Mike Miller
Date: Wed, 13 Feb 2013 23:11:32 +0200
Subject: Replace = with ==

This was my mistake; I didn't test it thoroughly. It results in all g2 mappings being broken!
---
 modules/g2_import/controllers/g2.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'modules/g2_import/controllers/g2.php')
diff --git a/modules/g2_import/controllers/g2.php b/modules/g2_import/controllers/g2.php
index ba8ae7fa..abbf87a0 100644
--- a/modules/g2_import/controllers/g2.php
+++ b/modules/g2_import/controllers/g2.php
@@ -37,7 +37,7 @@ class G2_Controller extends Controller {

 // Tags did not have mappings created, so we need to catch them first. However, if a g2_itemId was
 // passed, we'll want to show lookup the mapping anyway
- if (($path && 0 === strpos($path, "tag/")) || $view = "tags.VirtualAlbum") {
+ if (($path && 0 === strpos($path, "tag/")) || $view == "tags.VirtualAlbum") {
 if (0 === strpos($path, "tag/")) {
 $tag_name = substr($path, 4);
 }
-- cgit v1.2.3
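Review bot: The corrected condition still uses loose `==` right next to `0 === strpos(...)` in the same expression; `$view` is whatever `$input->get("g2_view")` returned (see the earlier hunk of 91acf812), so `==` works for a plain string, but `|| $view === "tags.VirtualAlbum"` matches the strict style already used on that line and makes the kind of slip this commit fixes stand out in review. The enclosing method starts and ends outside the hunk.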