fixed possible privileges leaks in query

Nicolas Coevoet 2013-10-26 11:52:42 +02:00
parent 2d4f9dfbd7
commit 987f9116c7


@ -343,14 +343,13 @@ class Ircd (object):
if not uid or not prefix: if not uid or not prefix:
return [] return []
c = db.cursor() c = db.cursor()
c.execute("""SELECT channel,oper,kind,mask,begin_at,end_at,removed_at,removed_by FROM bans WHERE id=?""",(uid,)) c.execute("""SELECT channel,oper,kind,mask,begin_at,end_at,removed_at,removed_by FROM bans WHERE id=? LIMIT 1""",(uid,))
L = c.fetchall() L = c.fetchall()
if not len(L): if not len(L):
c.close() c.close()
return [] return []
(channel,oper,kind,mask,begin_at,end_at,removed_at,removed_by) = L[0] (channel,oper,kind,mask,begin_at,end_at,removed_at,removed_by) = L[0]
if not ircdb.checkCapability(prefix, '%s,op' % channel): if not ircdb.checkCapability(prefix, '%s,op' % channel):
if prefix != irc.prefix:
c.close() c.close()
return [] return []
results = [] results = []
@ -387,7 +386,6 @@ class Ircd (object):
if not channel or not mode or not prefix: if not channel or not mode or not prefix:
return [] return []
if not ircdb.checkCapability(prefix, '%s,op' % channel): if not ircdb.checkCapability(prefix, '%s,op' % channel):
if prefix != irc.prefix:
return [] return []
chan = self.getChan(irc,channel) chan = self.getChan(irc,channel)
results = [] results = []
@ -431,7 +429,6 @@ class Ircd (object):
return [] return []
(channel,oper,kind,mask,begin_at,end_at,removed_at,removed_by) = L[0] (channel,oper,kind,mask,begin_at,end_at,removed_at,removed_by) = L[0]
if not ircdb.checkCapability(prefix, '%s,op' % channel): if not ircdb.checkCapability(prefix, '%s,op' % channel):
if prefix != irc.prefix:
c.close() c.close()
return [] return []
results = [] results = []
@ -514,7 +511,7 @@ class Ircd (object):
items = c.fetchall() items = c.fetchall()
for item in items: for item in items:
(uid,mask,kind,channel) = item (uid,mask,kind,channel) = item
if isOwner or ircdb.checkCapability(prefix, '%s,op' % channel) or prefix != irc.prefix: if isOwner or ircdb.checkCapability(prefix, '%s,op' % channel):
results.append([uid,mask,kind,channel]) results.append([uid,mask,kind,channel])
if len(results): if len(results):
results.sort(reverse=True) results.sort(reverse=True)
@ -539,7 +536,6 @@ class Ircd (object):
return [] return []
(channel,oper,kind,mask,begin_at,end_at,removed_at,removed_by) = L[0] (channel,oper,kind,mask,begin_at,end_at,removed_at,removed_by) = L[0]
if not ircdb.checkCapability(prefix, '%s,op' % channel): if not ircdb.checkCapability(prefix, '%s,op' % channel):
if prefix != irc.prefix:
c.close() c.close()
return [] return []
results = [] results = []
@ -548,7 +544,11 @@ class Ircd (object):
if len(L): if len(L):
for item in L: for item in L:
(full,log) = item (full,log) = item
results.append(full) message = full
for line in log.split('\n'):
message = '%s -> %s' % (message,line)
break
results.append(message)
else: else:
results.append('nobody affected') results.append('nobody affected')
c.close() c.close()
@ -813,7 +813,6 @@ class Chan (object):
index = 0 index = 0
logs = [] logs = []
logs.append('%s matched by %s' % (n,m)) logs.append('%s matched by %s' % (n,m))
logs.append('%s ip:%s $a:%s $r:%s' % (n.prefix,n.ip,n.account,n.realname))
for line in n.logs: for line in n.logs:
(ts,target,message) = n.logs[index] (ts,target,message) = n.logs[index]
index += 1 index += 1
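Review bot: In the hunk at -548, the new `for line in log.split('\n'):` loop with an unconditional `break` only ever uses the first line, raises AttributeError if a row's `log` is NULL, and leaves a dangling ` -> ` when the log is empty. `first = (log or '').split('\n', 1)[0]` followed by `results.append('%s -> %s' % (full, first) if first else full)` states the intent directly and tolerates both cases; whether `log` can actually be NULL depends on the schema, which is not visible here. Separately, the `ircdb.checkCapability(prefix, '%s,op' % channel)` guard is repeated in five hunks (-343, -387, -431, -514, -539), and this commit had to correct each copy by hand. A single private helper on the class would keep the authorization checks from drifting apart again. The enclosing methods start and end outside the hunks, so callers that pass `irc.prefix` and relied on the removed exemption cannot be checked from this page.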