Attach Database didn't escape filepath of selected file

mgrojo · mgrojo · commit 4081debd71b2 · 2019-09-22T21:22:34.000+02:00
See issue #2002
diff --git a/src/sql/ObjectIdentifier.cpp b/src/sql/ObjectIdentifier.cpp
@@ -53,6 +53,11 @@ std::string escapeIdentifier(const std::string& id)
     }
 }
 
+std::string escapeString(const std::string& literal)
+{
+  return '\'' + duplicate_char(literal, '\'') + '\'';
+}
+
 bool ObjectIdentifier::fromSerialised(const std::string& serialised)
 {
     auto pos_comma = serialised.find(",");
diff --git a/src/sql/ObjectIdentifier.h b/src/sql/ObjectIdentifier.h
@@ -20,6 +20,9 @@ char getIdentifierQuoteChar();
 // Add quotes to an identifier
 std::string escapeIdentifier(const std::string& id);
 
+// Add SQL quotes to a string literal and escape any single quote character
+std::string escapeString(const std::string& literal);
+
 // Object identifier consisting of schema name and object name
 class ObjectIdentifier
 {
diff --git a/src/sqlitedb.cpp b/src/sqlitedb.cpp
@@ -45,6 +45,10 @@ QString escapeIdentifier(const QString& id)
 {
     return QString::fromStdString(escapeIdentifier(id.toStdString()));
 }
+QString escapeString(const QString& literal)
+{
+    return QString::fromStdString(escapeString(literal.toStdString()));
+}
 }
 
 // collation callbacks
@@ -324,7 +328,7 @@ bool DBBrowserDB::attach(const QString& filePath, QString attach_as)
         }
     }
 
-    if(!executeSQL(QString("ATTACH '%1' AS %2 %3").arg(filePath).arg(sqlb::escapeIdentifier(attach_as)).arg(key), false))
+    if(!executeSQL(QString("ATTACH %1 AS %2 %3").arg(sqlb::escapeString(filePath)).arg(sqlb::escapeIdentifier(attach_as)).arg(key), false))
     {
         QMessageBox::warning(nullptr, qApp->applicationName(), lastErrorMessage);
         return false;
@@ -334,7 +338,7 @@ bool DBBrowserDB::attach(const QString& filePath, QString attach_as)
     delete cipherSettings;
 #else
     // Attach database
-    if(!executeSQL(QString("ATTACH '%1' AS %2").arg(filePath).arg(sqlb::escapeIdentifier(attach_as)), false))
+    if(!executeSQL(QString("ATTACH %1 AS %2").arg(sqlb::escapeString(filePath)).arg(sqlb::escapeIdentifier(attach_as)), false))
     {
         QMessageBox::warning(nullptr, qApp->applicationName(), lastErrorMessage);
         return false;
diff --git a/src/sqlitedb.h b/src/sqlitedb.h
@@ -33,6 +33,7 @@ int collCompare(void* pArg, int sizeA, const void* sA, int sizeB, const void* sB
 namespace sqlb
 {
 QString escapeIdentifier(const QString& id);
+QString escapeString(const QString& literal);
 }
 
 /// represents a single SQLite database. except when noted otherwise,

Original file line number	Diff line number	Diff line change
`@@ -53,6 +53,11 @@ std::string escapeIdentifier(const std::string& id)`
`53`	`53`	`}`
`54`	`54`	`}`
`55`	`55`
	`56`	`+std::string escapeString(const std::string& literal)`
	`57`	`+{`
	`58`	`+ return '\'' + duplicate_char(literal, '\'') + '\'';`
	`59`	`+}`
	`60`	`+`
`56`	`61`	`bool ObjectIdentifier::fromSerialised(const std::string& serialised)`
`57`	`62`	`{`
`58`	`63`	`auto pos_comma = serialised.find(",");`
Original file line number	Diff line number	Diff line change
`@@ -20,6 +20,9 @@ char getIdentifierQuoteChar();`
`20`	`20`	`// Add quotes to an identifier`
`21`	`21`	`std::string escapeIdentifier(const std::string& id);`
`22`	`22`
	`23`	`+// Add SQL quotes to a string literal and escape any single quote character`
	`24`	`+std::string escapeString(const std::string& literal);`
	`25`	`+`
`23`	`26`	`// Object identifier consisting of schema name and object name`
`24`	`27`	`class ObjectIdentifier`
`25`	`28`	`{`
Original file line number	Diff line number	Diff line change
`@@ -45,6 +45,10 @@ QString escapeIdentifier(const QString& id)`
`45`	`45`	`{`
`46`	`46`	`return QString::fromStdString(escapeIdentifier(id.toStdString()));`
`47`	`47`	`}`
	`48`	`+QString escapeString(const QString& literal)`
	`49`	`+{`
	`50`	`+ return QString::fromStdString(escapeString(literal.toStdString()));`
	`51`	`+}`
`48`	`52`	`}`
`49`	`53`
`50`	`54`	`// collation callbacks`
`@@ -324,7 +328,7 @@ bool DBBrowserDB::attach(const QString& filePath, QString attach_as)`
`324`	`328`	`}`
`325`	`329`	`}`
`326`	`330`
`327`		`- if(!executeSQL(QString("ATTACH '%1' AS %2 %3").arg(filePath).arg(sqlb::escapeIdentifier(attach_as)).arg(key), false))`
	`331`	`+ if(!executeSQL(QString("ATTACH %1 AS %2 %3").arg(sqlb::escapeString(filePath)).arg(sqlb::escapeIdentifier(attach_as)).arg(key), false))`
`328`	`332`	`{`
`329`	`333`	`QMessageBox::warning(nullptr, qApp->applicationName(), lastErrorMessage);`
`330`	`334`	`return false;`
`@@ -334,7 +338,7 @@ bool DBBrowserDB::attach(const QString& filePath, QString attach_as)`
`334`	`338`	`delete cipherSettings;`
`335`	`339`	`#else`
`336`	`340`	`// Attach database`
`337`		`- if(!executeSQL(QString("ATTACH '%1' AS %2").arg(filePath).arg(sqlb::escapeIdentifier(attach_as)), false))`
	`341`	`+ if(!executeSQL(QString("ATTACH %1 AS %2").arg(sqlb::escapeString(filePath)).arg(sqlb::escapeIdentifier(attach_as)), false))`
`338`	`342`	`{`
`339`	`343`	`QMessageBox::warning(nullptr, qApp->applicationName(), lastErrorMessage);`
`340`	`344`	`return false;`
Original file line number	Diff line number	Diff line change
`@@ -33,6 +33,7 @@ int collCompare(void* pArg, int sizeA, const void* sA, int sizeB, const void* sB`
`33`	`33`	`namespace sqlb`
`34`	`34`	`{`
`35`	`35`	`QString escapeIdentifier(const QString& id);`
	`36`	`+QString escapeString(const QString& literal);`
`36`	`37`	`}`
`37`	`38`
`38`	`39`	`/// represents a single SQLite database. except when noted otherwise,`