Author: timopollmeier
Date: 2017-11-02 12:03:33 +0100 (Thu, 02 Nov 2017)
New Revision: 29946

Modified:
   trunk/gvm/ChangeLog
   trunk/gvm/src/manage_sql.c
Log:
        * src/manage_sql.c (result_detection_reference): Quote the location
        string for SQL queries.

Modified: trunk/gvm/ChangeLog
===================================================================
--- trunk/gvm/ChangeLog 2017-10-31 09:36:17 UTC (rev 29945)
+++ trunk/gvm/ChangeLog 2017-11-02 11:03:33 UTC (rev 29946)
@@ -1,3 +1,8 @@
+2017-11-02  Timo Pollmeier <timo.pollme...@greenbone.net>
+
+       * src/manage_sql.c (result_detection_reference): Quote the location
+       string for SQL queries.
+
 2017-10-27  Matthew Mundell <matthew.mund...@greenbone.net>
 
        * src/gmpd.c (read_from_client_unix, read_from_client_tls): When EOF is

Modified: trunk/gvm/src/manage_sql.c
===================================================================
--- trunk/gvm/src/manage_sql.c  2017-10-31 09:36:17 UTC (rev 29945)
+++ trunk/gvm/src/manage_sql.c  2017-11-02 11:03:33 UTC (rev 29946)
@@ -19310,6 +19310,7 @@
                             char **location, char **oid, char **name)
 {
   char *report, *host = NULL;
+  gchar *quoted_location = NULL;
 
   if ((ref == NULL) || (product == NULL) || (location == NULL) || (oid == NULL)
       || (name == NULL))
@@ -19352,6 +19353,7 @@
                           report, host, result);
   if (*location == NULL)
     goto detect_cleanup;
+  quoted_location = sql_quote (*location);
 
   *product = sql_string ("SELECT name"
                          " FROM report_host_details"
@@ -19362,7 +19364,7 @@
                          " AND source_name = '%s'"
                          " AND name != 'detected_at'"
                          " AND value = '%s';",
-                         report, host, *oid, *location);
+                         report, host, *oid, quoted_location);
   if (*product == NULL)
     goto detect_cleanup;
 
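Review bot: `report`, `host` and `*oid` are still formatted into `'%s'` without quoting in this `sql_string` call, and again in the query in the next hunk, so only the location value is protected by this change. Where those three values are assigned lies outside the hunk. If any of them is read back from stored scan data rather than generated internally, it should pass through `sql_quote` too. Otherwise add a comment such as `/* report, host and oid come from internal queries and cannot contain quotes */` to record why quoting is unnecessary. The enclosing function starts and ends outside this hunk.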
@@ -19383,18 +19385,20 @@
                      " AND nvt = '%s'"
                      " AND (description LIKE '%%%s%%'"
                      "      OR port LIKE '%%%s%%');",
-                     report, host, *oid, *location, *location);
+                     report, host, *oid, quoted_location, quoted_location);
   if (*ref == NULL)
     goto detect_cleanup;
 
   g_free (report);
   g_free (host);
+  g_free (quoted_location);
 
   return 0;
 
 detect_cleanup:
   g_free (report);
   g_free (host);
+  g_free (quoted_location);
 
   return -1;
 }
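Review bot: In the two `LIKE '%%%s%%'` patterns, `quoted_location` still carries any `%` or `_` from the location string as wildcards, so a location containing those characters can match more rows than the literal text would. If a literal substring match is intended, escape the LIKE metacharacters before formatting and add an `ESCAPE` clause. If the looser match is acceptable, say so with a comment such as `/* location is used as a LIKE pattern; % and _ in it act as wildcards */`. How `sql_quote` treats backslashes is not visible here, and that matters on backends where backslash is the default LIKE escape character.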
