
Fix dynamic string usage as safe input

Test Plan:
  $ arc lint

Reviewers: epriestley

Reviewed By: epriestley

CC: aran, Korvin

Differential Revision: https://secure.phabricator.com/D4796
This commit is contained in:
vrana 2013-02-02 13:27:42 -08:00
parent a808133bc8
commit 5459af3bdd
5 changed files with 14 additions and 15 deletions


@ -70,9 +70,10 @@ final class PhabricatorOAuthFailureView extends AphrontView {
$provider_key = $provider->getProviderKey(); $provider_key = $provider->getProviderKey();
$diagnose = hsprintf( $diagnose = hsprintf(
'<a href="/oauth/'.$provider_key.'/diagnose/" class="button green">'. '<a href="/oauth/%s/diagnose/" class="button green">'.
'Diagnose %s OAuth Problems'. 'Diagnose %s OAuth Problems'.
'</a>', '</a>',
$provider_key,
$provider_name); $provider_name);
} }
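Review bot: `hsprintf` HTML-escapes `$provider_key` inside the `href` attribute, but nothing applies URL path-segment encoding to it before it becomes part of `/oauth/.../diagnose/`; that is fine only if provider keys are restricted to a route-safe identifier alphabet, which seems likely from how they are used but is not visible here. A one-line comment would make that assumption explicit for the next reader, e.g. `// Provider keys are route identifiers, not free-form text; HTML escaping is sufficient here.` The enclosing method starts before and continues after this hunk.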


@ -96,22 +96,21 @@ final class DiffusionBrowseTableView extends DiffusionView {
$conn = $drequest->getRepository()->establishConnection('r'); $conn = $drequest->getRepository()->establishConnection('r');
$where = ''; $path = '/'.$drequest->getPath();
$where = (substr($path, -1) == '/'
? qsprintf($conn, 'AND path LIKE %>', $path)
: qsprintf($conn, 'AND path = %s', $path));
if ($drequest->getLint()) { if ($drequest->getLint()) {
$where = qsprintf( $where .= qsprintf($conn, ' AND code = %s', $drequest->getLint());
$conn,
'AND code = %s',
$drequest->getLint());
} }
$like = (substr($drequest->getPath(), -1) == '/' ? 'LIKE %>' : '= %s');
return head(queryfx_one( return head(queryfx_one(
$conn, $conn,
'SELECT COUNT(*) FROM %T WHERE branchID = %d %Q AND path '.$like, 'SELECT COUNT(*) FROM %T WHERE branchID = %d %Q',
PhabricatorRepository::TABLE_LINTMESSAGE, PhabricatorRepository::TABLE_LINTMESSAGE,
$branch->getID(), $branch->getID(),
$where, $where));
'/'.$drequest->getPath()));
} }
public function render() { public function render() {
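Review bot: `$where` is raw SQL assembled by concatenating `qsprintf()` results and then spliced into the final query via `%Q`, which performs no escaping, so the query's safety rests on the invariant that every fragment appended to `$where` is a `qsprintf()` product; nothing states that invariant. Suggest a comment above the `$where =` assignment: `// Every fragment of $where must be built with qsprintf(); it is spliced unescaped via %Q.` The new trailing-slash test `substr($path, -1) == '/'` should use `===` rather than a loose comparison, and `$drequest->getLint()` is evaluated twice where a local would do. The enclosing method's signature is outside this hunk.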


@ -161,7 +161,8 @@ final class PhabricatorSearchEngineMySQL extends PhabricatorSearchEngine {
if (strlen($q)) { if (strlen($q)) {
$join[] = qsprintf( $join[] = qsprintf(
$conn_r, $conn_r,
"{$t_field} field ON field.phid = document.phid"); '%T field ON field.phid = document.phid',
$t_field);
$where[] = qsprintf( $where[] = qsprintf(
$conn_r, $conn_r,
'MATCH(corpus) AGAINST (%s IN BOOLEAN MODE)', 'MATCH(corpus) AGAINST (%s IN BOOLEAN MODE)',


@ -74,7 +74,7 @@ final class CelerityResourceTransformer {
$bin = $root.'/externals/javelin/support/jsxmin/jsxmin'; $bin = $root.'/externals/javelin/support/jsxmin/jsxmin';
if (@file_exists($bin)) { if (@file_exists($bin)) {
$future = new ExecFuture("{$bin} __DEV__:0"); $future = new ExecFuture('%s __DEV__:0', $bin);
$future->write($data); $future->write($data);
list($err, $result) = $future->resolve(); list($err, $result) = $future->resolve();
if (!$err) { if (!$err) {


@ -187,9 +187,7 @@ final class PhabricatorJavelinLinter extends ArcanistLinter {
} }
private function newSymbolsFuture($path) { private function newSymbolsFuture($path) {
$javelinsymbols = 'javelinsymbols'; $future = new ExecFuture('javelinsymbols # %s', $path);
$future = new ExecFuture($javelinsymbols.' # '.escapeshellarg($path));
$future->write($this->getData($path)); $future->write($this->getData($path));
return $future; return $future;
} }
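Review bot: In `new ExecFuture('javelinsymbols # %s', $path)` the path follows a `#`, so if the command runs through a shell (as the argument escaping implies) everything after it is a comment and `$path` is never passed to `javelinsymbols`; the actual input arrives via `$future->write($this->getData($path))` on the next line. That looks intentional, presumably so the path shows up in process listings, but a reader could easily take it for a bug. Suggest a comment on the construction line: `// The path after '#' is a shell comment that only labels the process; the file contents are written to stdin below.`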