Fix dynamic string usage as safe input
Test Plan: $ arc lint Reviewers: epriestley Reviewed By: epriestley CC: aran, Korvin Differential Revision: https://secure.phabricator.com/D4796
This commit is contained in:
parent
a808133bc8
commit
5459af3bdd
5 changed files with 14 additions and 15 deletions
|
@ -70,9 +70,10 @@ final class PhabricatorOAuthFailureView extends AphrontView {
|
|||
|
||||
$provider_key = $provider->getProviderKey();
|
||||
$diagnose = hsprintf(
|
||||
'<a href="/oauth/'.$provider_key.'/diagnose/" class="button green">'.
|
||||
'<a href="/oauth/%s/diagnose/" class="button green">'.
|
||||
'Diagnose %s OAuth Problems'.
|
||||
'</a>',
|
||||
$provider_key,
|
||||
$provider_name);
|
||||
}
|
||||
|
||||
|
|
|
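Review bot: The `%s` that now carries `$provider_key` into the href on the added line is HTML-escaped by hsprintf() but not URL-encoded, so a key containing `/`, `?` or `#` would still change the path the link points to. If provider keys are only ever the fixed internal identifiers this is harmless; otherwise pass `rawurlencode($provider_key)` as the argument, which hsprintf() will then escape without further change. The enclosing method starts before this hunk.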
@ -96,22 +96,21 @@ final class DiffusionBrowseTableView extends DiffusionView {
|
|||
|
||||
$conn = $drequest->getRepository()->establishConnection('r');
|
||||
|
||||
$where = '';
|
||||
$path = '/'.$drequest->getPath();
|
||||
$where = (substr($path, -1) == '/'
|
||||
? qsprintf($conn, 'AND path LIKE %>', $path)
|
||||
: qsprintf($conn, 'AND path = %s', $path));
|
||||
|
||||
if ($drequest->getLint()) {
|
||||
$where = qsprintf(
|
||||
$conn,
|
||||
'AND code = %s',
|
||||
$drequest->getLint());
|
||||
$where .= qsprintf($conn, ' AND code = %s', $drequest->getLint());
|
||||
}
|
||||
|
||||
$like = (substr($drequest->getPath(), -1) == '/' ? 'LIKE %>' : '= %s');
|
||||
return head(queryfx_one(
|
||||
$conn,
|
||||
'SELECT COUNT(*) FROM %T WHERE branchID = %d %Q AND path '.$like,
|
||||
'SELECT COUNT(*) FROM %T WHERE branchID = %d %Q',
|
||||
PhabricatorRepository::TABLE_LINTMESSAGE,
|
||||
$branch->getID(),
|
||||
$where,
|
||||
'/'.$drequest->getPath()));
|
||||
$where));
|
||||
}
|
||||
|
||||
public function render() {
|
||||
|
|
|
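Review bot: The suffix test on the new `$where` assignment uses loose comparison, `substr($path, -1) == '/'`; `substr($path, -1) === '/'` avoids type juggling and matches the strictness the rest of the rewrite aims for. Because the query now receives `$where` through `%Q`, which splices the fragment in verbatim, the invariant that every piece of it comes from qsprintf() is what keeps the change safe and deserves a line at the assignment: `// $where is spliced in via %Q, so only ever build it with qsprintf().` The enclosing method begins before the hunk.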
@ -161,7 +161,8 @@ final class PhabricatorSearchEngineMySQL extends PhabricatorSearchEngine {
|
|||
if (strlen($q)) {
|
||||
$join[] = qsprintf(
|
||||
$conn_r,
|
||||
"{$t_field} field ON field.phid = document.phid");
|
||||
'%T field ON field.phid = document.phid',
|
||||
$t_field);
|
||||
$where[] = qsprintf(
|
||||
$conn_r,
|
||||
'MATCH(corpus) AGAINST (%s IN BOOLEAN MODE)',
|
||||
|
|
|
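Review bot: `%T` on the added line quotes its argument as a table identifier, so `$t_field`, which is assigned outside this hunk, must be a bare table name rather than a pre-quoted or aliased fragment; the old interpolated string had no such constraint. A short comment where `$t_field` is built, e.g. `// bare table name; quoted by %T in the JOIN below`, would make that expectation visible to the next maintainer. The enclosing method starts and ends outside the hunk.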
@ -74,7 +74,7 @@ final class CelerityResourceTransformer {
|
|||
$bin = $root.'/externals/javelin/support/jsxmin/jsxmin';
|
||||
|
||||
if (@file_exists($bin)) {
|
||||
$future = new ExecFuture("{$bin} __DEV__:0");
|
||||
$future = new ExecFuture('%s __DEV__:0', $bin);
|
||||
$future->write($data);
|
||||
list($err, $result) = $future->resolve();
|
||||
if (!$err) {
|
||||
|
|
|
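Review bot: `$bin` is now shell-quoted by `%s` on the added line, but the guard on the line above only checks `@file_exists($bin)`, which is also true for a directory or a non-executable file and hides any warning behind `@`. Checking `is_executable($bin)` instead would turn those cases into the ordinary "minifier not available" path rather than a failed spawn: `if (is_executable($bin)) {`. The enclosing method continues outside the hunk.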
@ -187,9 +187,7 @@ final class PhabricatorJavelinLinter extends ArcanistLinter {
|
|||
}
|
||||
|
||||
private function newSymbolsFuture($path) {
|
||||
$javelinsymbols = 'javelinsymbols';
|
||||
|
||||
$future = new ExecFuture($javelinsymbols.' # '.escapeshellarg($path));
|
||||
$future = new ExecFuture('javelinsymbols # %s', $path);
|
||||
$future->write($this->getData($path));
|
||||
return $future;
|
||||
}
|
||||
|
|
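Review bot: The `#` in `'javelinsymbols # %s'` begins a shell comment, so the quoted path after it is not passed to the program as an argument at all; it appears to be there only so the file name shows up in process listings, with the actual source written to stdin on the following line. That is easy to misread as a bug on a later pass, so a comment on the new line would help: `// The path after '#' is a shell comment: javelinsymbols reads the source from stdin; the path only labels the process.` newSymbolsFuture is shown in full in this hunk.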