fix: Properly escape target in receive_imf_inner()

The bug was introduced in 44227d7b86. Sql::execute() with placeholders must
be used to escape strings; one should never escape them manually, as the strings themselves can contain
escape symbols. Thanks to @link2xt for noticing.
iequidoo
2023-12-21 20:12:05 -03:00
committed by iequidoo
parent a27e84ad89
commit 865ede39fe


@@ -458,14 +458,18 @@ pub(crate) async fn receive_imf_inner(
}; };
if target.is_some() || rfc724_mid_orig != rfc724_mid { if target.is_some() || rfc724_mid_orig != rfc724_mid {
let target_subst = match &target { let target_subst = match &target {
Some(target) => format!("target='{target}',"), Some(_) => "target=?1,",
None => "".to_string(), None => "",
}; };
context context
.sql .sql
.execute( .execute(
&format!("UPDATE imap SET {target_subst} rfc724_mid=?1 WHERE rfc724_mid=?2"), &format!("UPDATE imap SET {target_subst} rfc724_mid=?2 WHERE rfc724_mid=?3"),
(rfc724_mid_orig, rfc724_mid), (
target.as_deref().unwrap_or_default(),
rfc724_mid_orig,
rfc724_mid,
),
) )
.await?; .await?;
} }
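Review bot: When `target` is `None`, the statement text contains only `?2` and `?3`, yet the tuple still binds three values, with an empty string filling the unused `?1`. This presumably works because SQLite sizes numbered parameters by the highest index, but the code does not say so; a comment above the tuple such as `// ?1 is bound even when target is None so that the ?2/?3 numbering stays fixed` would record it. The query is also still assembled with `format!`, which is safe here only because `target_subst` is one of two string literals, so that deserves a short comment next to the `match` as well. A regression test that passes a target containing `'` through this path would pin the fix. The body of receive_imf_inner starts and ends outside the hunk.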