Merge branch 'thh-checkinput' into next

* thh-checkinput: Check for invalid newsgroup names.
2013-09-02 12:59:45 +02:00 · 2013-09-02 12:59:45 +02:00 · 5cfcb1c061
commit 5cfcb1c061
parent 439c85a280 c30822b48b
2 changed files with 23 additions and 5 deletions
--- a/NewsStats.pm
+++ b/NewsStats.pm
@ -574,6 +574,7 @@ sub SQLGroupList {
  my ($Newsgroups) = @_;
  # substitute '*' wildcard with SQL wildcard character '%'
  $Newsgroups =~ s/\*/%/g;
+  return (undef,undef) if !CheckValidNewsgroups($Newsgroups);
  # just one newsgroup?
  return (SQLGroupWildcard($Newsgroups),$Newsgroups) if $Newsgroups !~ /:/;
  # list of newsgroups separated by ':'
@ -595,7 +596,6 @@ sub SQLGroupWildcard {
 ###                  (group.name or group.name.%)
 ### OUT: SQL code to become part of a 'WHERE' clause
  my ($Newsgroup) = @_;
-  # FIXME: check for validity
  if ($Newsgroup !~ /%/) {
    return 'newsgroup = ?';
  } else {
@ -698,6 +698,19 @@ sub SQLBuildClause {
  return $SQLClause;
 };

+#####--------------------------- Verifications ----------------------------#####
+
+################################################################################
+sub CheckValidNewsgroups {
+################################################################################
+### syntax check of newgroup list
+### IN : $Newsgroups: list of newsgroups (group.one.*:group.two:group.three.*)
+### OUT: boolean
+  my ($Newsgroups) = @_;
+  my $InvalidCharRegExp = ',; ';
+  return ($Newsgroups =~ /[$InvalidCharRegExp]/) ? 0 : 1;
+};
+

 #####------------------------------- done ---------------------------------#####
 1;
--- a/groupstats.pl
+++ b/groupstats.pl
@ -100,8 +100,13 @@ my ($CaptionPeriod,$SQLWherePeriod) = &GetTimePeriod($OptMonth);
         "please use 'YYYY-MM', 'YYYY-MM:YYYY-MM' or 'ALL'!") if !$CaptionPeriod;
 # get list of newsgroups and set expression for SQL 'WHERE' clause
 # with placeholders as well as a list of newsgroup to bind to them
-my ($SQLWhereNewsgroups,@SQLBindNewsgroups) = &SQLGroupList($OptNewsgroups)
-  if $OptNewsgroups;;
+my ($SQLWhereNewsgroups,@SQLBindNewsgroups);
+if ($OptNewsgroups) {
+  ($SQLWhereNewsgroups,@SQLBindNewsgroups) = &SQLGroupList($OptNewsgroups);
+  # bail out if --newsgroups is invalid
+  &Bleat(2,"--newsgroups option has an invalid format!")
+    if !$SQLWhereNewsgroups;
+}

 ### build SQL WHERE clause (and HAVING clause, if needed)
 my ($SQLWhereClause,$SQLHavingClause);
@ -194,8 +199,8 @@ if ($OptBoundType and $OptBoundType ne 'default') {
 $DBQuery = $DBHandle->prepare(sprintf('SELECT %s FROM %s.%s %s %s %s',
                                      $SQLSelect,
                                      $Conf{'DBDatabase'},$Conf{'DBTableGrps'},
-                                      $SQLWhereClause,$SQLGroupClause,$
-                                      SQLOrderClause));
+                                      $SQLWhereClause,$SQLGroupClause,
+                                      $SQLOrderClause));

 # execute query
 $DBQuery->execute(@SQLBindNewsgroups)