
Fix dynamic string usage as safe input

Test Plan:
  $ arc lint

Reviewers: epriestley

Reviewed By: epriestley

CC: aran, Korvin

Differential Revision: https://secure.phabricator.com/D4796
This commit is contained in:
vrana 2013-02-02 13:27:42 -08:00
parent a808133bc8
commit 5459af3bdd
5 changed files with 14 additions and 15 deletions


@ -70,9 +70,10 @@ final class PhabricatorOAuthFailureView extends AphrontView {
$provider_key = $provider->getProviderKey();
$diagnose = hsprintf(
'<a href="/oauth/'.$provider_key.'/diagnose/" class="button green">'.
'<a href="/oauth/%s/diagnose/" class="button green">'.
'Diagnose %s OAuth Problems'.
'</a>',
$provider_key,
$provider_name);
}
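Review bot: `hsprintf`'s `%s` HTML-escapes `$provider_key`, which is correct for the attribute context, but the value lands in a URL path segment, so a key containing `/`, `?` or `#` would still change where the link points rather than being neutralised. If provider keys are not guaranteed to be simple identifiers, run the key through `phutil_escape_uri()` before formatting, e.g. `phutil_escape_uri($provider_key),` in place of the bare argument; if they are, a short comment saying so would make the reliance explicit. The enclosing method starts outside the hunk.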


@ -96,22 +96,21 @@ final class DiffusionBrowseTableView extends DiffusionView {
$conn = $drequest->getRepository()->establishConnection('r');
$where = '';
$path = '/'.$drequest->getPath();
$where = (substr($path, -1) == '/'
? qsprintf($conn, 'AND path LIKE %>', $path)
: qsprintf($conn, 'AND path = %s', $path));
if ($drequest->getLint()) {
$where = qsprintf(
$conn,
'AND code = %s',
$drequest->getLint());
$where .= qsprintf($conn, ' AND code = %s', $drequest->getLint());
}
$like = (substr($drequest->getPath(), -1) == '/' ? 'LIKE %>' : '= %s');
return head(queryfx_one(
$conn,
'SELECT COUNT(*) FROM %T WHERE branchID = %d %Q AND path '.$like,
'SELECT COUNT(*) FROM %T WHERE branchID = %d %Q',
PhabricatorRepository::TABLE_LINTMESSAGE,
$branch->getID(),
$where,
'/'.$drequest->getPath()));
$where));
}
public function render() {
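Review bot: The suffix test `substr($path, -1) == '/'` uses loose comparison; the strict form is the idiom here and removes any `==` coercion surprises, so `$where = (substr($path, -1) === '/'`. The `%>` conversion is the right choice for the directory case because it is meant to escape LIKE metacharacters in `$path` before appending the wildcard, and a one-line comment such as `// %> escapes LIKE metacharacters in $path, then appends the wildcard` would keep a later maintainer from replacing it with a hand-built `LIKE %s`. If the `$where = '';` line above survives as context, it is now dead, since the ternary assigns `$where` unconditionally. The enclosing method starts outside the hunk.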


@ -161,7 +161,8 @@ final class PhabricatorSearchEngineMySQL extends PhabricatorSearchEngine {
if (strlen($q)) {
$join[] = qsprintf(
$conn_r,
"{$t_field} field ON field.phid = document.phid");
'%T field ON field.phid = document.phid',
$t_field);
$where[] = qsprintf(
$conn_r,
'MATCH(corpus) AGAINST (%s IN BOOLEAN MODE)',


@ -74,7 +74,7 @@ final class CelerityResourceTransformer {
$bin = $root.'/externals/javelin/support/jsxmin/jsxmin';
if (@file_exists($bin)) {
$future = new ExecFuture("{$bin} __DEV__:0");
$future = new ExecFuture('%s __DEV__:0', $bin);
$future->write($data);
list($err, $result) = $future->resolve();
if (!$err) {
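Review bot: The `%s` in `new ExecFuture('%s __DEV__:0', $bin)` is shell-argument escaping performed by ExecFuture's command formatting, not a plain sprintf, and nothing on the line says so; since that distinction is the whole point of this commit and easy to regress, a comment such as `// %s is shell-escaped by ExecFuture; never interpolate $bin into the command` is worth adding. The same note applies to `newSymbolsFuture()` in PhabricatorJavelinLinter. The enclosing method starts and ends outside the hunk.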


@ -187,9 +187,7 @@ final class PhabricatorJavelinLinter extends ArcanistLinter {
}
private function newSymbolsFuture($path) {
$javelinsymbols = 'javelinsymbols';
$future = new ExecFuture($javelinsymbols.' # '.escapeshellarg($path));
$future = new ExecFuture('javelinsymbols # %s', $path);
$future->write($this->getData($path));
return $future;
}
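Review bot: The `#` in `'javelinsymbols # %s'` turns the rest of the command into a shell comment, so `$path` appears to be informational only, with the actual source arriving through the `write()` call on the next line, and that intent is not visible from the code. A comment such as `// after '#' the path is a shell comment: it only labels the process in ps; input is supplied via write()` would stop someone from "fixing" it into a real argument. This reading assumes the command runs through a shell, so confirm that before adding the comment.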