From 865ede39fe4cff58dc15c0f5d2340638cbe61fbe Mon Sep 17 00:00:00 2001
From: iequidoo
Date: Thu, 21 Dec 2023 20:12:05 -0300
Subject: [PATCH] fix: Properly escape `target` in receive_imf_inner()

The bug was made in 44227d7b866f4aa173c63ffc989f38b44774e40d. Sql::execute() with placeholders must be used to escape strings, one never should escape them manually as strings themselves can contain escape symbols.

Thanks to @link2xt for noticing.
---
 src/receive_imf.rs | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/src/receive_imf.rs b/src/receive_imf.rs
index 8f26c84e8..568743cda 100644
--- a/src/receive_imf.rs
+++ b/src/receive_imf.rs
@@ -458,14 +458,18 @@ pub(crate) async fn receive_imf_inner(
 };
 if target.is_some() || rfc724_mid_orig != rfc724_mid {
 let target_subst = match &target {
- Some(target) => format!("target='{target}',"),
- None => "".to_string(),
+ Some(_) => "target=?1,",
+ None => "",
 };
 context
 .sql
 .execute(
- &format!("UPDATE imap SET {target_subst} rfc724_mid=?1 WHERE rfc724_mid=?2"),
- (rfc724_mid_orig, rfc724_mid),
+ &format!("UPDATE imap SET {target_subst} rfc724_mid=?2 WHERE rfc724_mid=?3"),
+ (
+ target.as_deref().unwrap_or_default(),
+ rfc724_mid_orig,
+ rfc724_mid,
+ ),
 )
 .await?;
 }
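Review bot: The `None` arm of `target_subst` drops `?1` from the statement while the tuple still binds three values, so the new code depends on SQLite sizing the parameter count by the highest `?NNN` index (3) rather than by the number of placeholders present; that is correct as far as I can tell, but it is easy to break when someone renumbers, and the `match` deserves a comment such as `// ?1 is omitted when target is None; SQLite still reports 3 parameters (highest index), so binding "" to the unused slot is harmless.` The remaining `format!` now only splices one of two string literals into the SQL, which is safe, but it keeps the statement assembled from fragments right after a commit whose message says never to do that; a single static statement would remove both the splice and the placeholder-count subtlety: `"UPDATE imap SET target=IFNULL(?1, target), rfc724_mid=?2 WHERE rfc724_mid=?3"` bound with `(target.as_deref(), rfc724_mid_orig, rfc724_mid)`, where `None` binds NULL and leaves the column untouched — presumably equivalent here, but verify against the `imap.target` column definition before switching. `receive_imf_inner` starts before the hunk and continues past it.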