author | Andrew Dolgov <[email protected]> | 2012-02-21 12:36:29 +0400 |
---|---|---|
committer | Andrew Dolgov <[email protected]> | 2012-02-21 12:36:29 +0400 |
commit | 56fbb82cb004fb6f8689ee7f50be05d6a927f9f1 (patch) | |
tree | 6a0c3a21ece080f36cde838ef2910f291fa7765d /include | |
parent | 7b8ff151ed3d36214156906805e7e6327f59793c (diff) |
properly handle invalid regular expressions supplied when testing filters, add some additional regexp checks (closes #427)
Diffstat (limited to 'include')
-rw-r--r-- | include/functions.php | 105 |
1 files changed, 56 insertions, 49 deletions
diff --git a/include/functions.php b/include/functions.php
index 25c188ee6..dc5cbc816 100644
--- a/include/functions.php
+++ b/include/functions.php
@@ -4973,63 +4973,70 @@ function filter_to_sql($filter) {
 $query = "";
- if (DB_TYPE == "pgsql")
- $reg_qpart = "~";
- else
- $reg_qpart = "REGEXP";
+ $regexp_valid = preg_match('/' . $filter['reg_exp'] . '/',
+ $filter['reg_exp']) !== FALSE;
- switch ($filter["type"]) {
- case "title":
- $query = "LOWER(ttrss_entries.title) $reg_qpart LOWER('".
- $filter['reg_exp'] . "')";
- break;
- case "content":
- $query = "LOWER(ttrss_entries.content) $reg_qpart LOWER('".
- $filter['reg_exp'] . "')";
- break;
- case "both":
- $query = "LOWER(ttrss_entries.title) $reg_qpart LOWER('".
- $filter['reg_exp'] . "') OR LOWER(" .
- "ttrss_entries.content) $reg_qpart LOWER('" . $filter['reg_exp'] . "')";
- break;
- case "tag":
- $query = "LOWER(ttrss_user_entries.tag_cache) $reg_qpart LOWER('".
- $filter['reg_exp'] . "')";
- break;
- case "link":
- $query = "LOWER(ttrss_entries.link) $reg_qpart LOWER('".
- $filter['reg_exp'] . "')";
- break;
- case "date":
+ if ($regexp_valid) {
- if ($filter["filter_param"] == "before")
- $cmp_qpart = "<";
- else
- $cmp_qpart = ">=";
+ if (DB_TYPE == "pgsql")
+ $reg_qpart = "~";
+ else
+ $reg_qpart = "REGEXP";
- $timestamp = date("Y-m-d H:N:s", strtotime($filter["reg_exp"]));
- $query = "ttrss_entries.date_entered $cmp_qpart '$timestamp'";
- break;
- case "author":
- $query = "LOWER(ttrss_entries.author) $reg_qpart LOWER('".
- $filter['reg_exp'] . "')";
- break;
- }
+ switch ($filter["type"]) {
+ case "title":
+ $query = "LOWER(ttrss_entries.title) $reg_qpart LOWER('".
+ $filter['reg_exp'] . "')";
+ break;
+ case "content":
+ $query = "LOWER(ttrss_entries.content) $reg_qpart LOWER('".
+ $filter['reg_exp'] . "')";
+ break;
+ case "both":
+ $query = "LOWER(ttrss_entries.title) $reg_qpart LOWER('".
+ $filter['reg_exp'] . "') OR LOWER(" .
+ "ttrss_entries.content) $reg_qpart LOWER('" . $filter['reg_exp'] . "')";
+ break;
+ case "tag":
+ $query = "LOWER(ttrss_user_entries.tag_cache) $reg_qpart LOWER('".
+ $filter['reg_exp'] . "')";
+ break;
+ case "link":
+ $query = "LOWER(ttrss_entries.link) $reg_qpart LOWER('".
+ $filter['reg_exp'] . "')";
+ break;
+ case "date":
- if ($filter["inverse"])
- $query = "NOT ($query)";
+ if ($filter["filter_param"] == "before")
+ $cmp_qpart = "<";
+ else
+ $cmp_qpart = ">=";
- if ($query) {
- if (DB_TYPE == "pgsql") {
- $query = " ($query) AND ttrss_entries.date_entered > NOW() - INTERVAL '14 days'";
- } else {
- $query = " ($query) AND ttrss_entries.date_entered > DATE_SUB(NOW(), INTERVAL 14 DAY)";
+ $timestamp = date("Y-m-d H:N:s", strtotime($filter["reg_exp"]));
+ $query = "ttrss_entries.date_entered $cmp_qpart '$timestamp'";
+ break;
+ case "author":
+ $query = "LOWER(ttrss_entries.author) $reg_qpart LOWER('".
+ $filter['reg_exp'] . "')";
+ break;
 }
- $query .= " AND ";
- }
+ if ($filter["inverse"])
+ $query = "NOT ($query)";
- return $query;
+ if ($query) {
+ if (DB_TYPE == "pgsql") {
+ $query = " ($query) AND ttrss_entries.date_entered > NOW() - INTERVAL '14 days'";
+ } else {
+ $query = " ($query) AND ttrss_entries.date_entered > DATE_SUB(NOW(), INTERVAL 14 DAY)";
+ }
+ $query .= " AND ";
+ }
+
+ return $query;
+ } else {
+ return false;
+ }
 }
 // Status codes:
|
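Review bot: The `preg_match()` check at the top of the hunk only establishes that `$filter['reg_exp']` is a syntactically valid PCRE pattern; every `LOWER('" . $filter['reg_exp'] . "')"` branch below still interpolates the raw value into the SQL string, and a valid pattern may legitimately contain a single quote, so the new check is not a substitute for SQL escaping — unless the caller already escapes the value (not visible here), escape it once before the `switch`. The check also wraps the value in `/` delimiters, so an expression containing an unescaped `/` is rejected although the database's regexp operator would accept it, and on a bad pattern `preg_match()` raises a warning as well as returning `FALSE`; a comment such as `// PCRE syntax check only: the DB regexp dialect differs, and '/' must be escaped in the expression` would make the limits of the test explicit. Returning `false` instead of `""` also means callers must compare with `=== false` if they need to tell an invalid expression from a filter type that produced no query. Separately, `date("Y-m-d H:N:s", ...)` in the `date` case uses `N` (ISO weekday) where minutes (`i`) look intended — confirm against the stored timestamps before changing. The function's signature line is outside the hunk and appears only in the `@@` header.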