handlersearch: Allow all characters by escaping FTS

Escape FTS queries by simply treating everything as string.
Though this way a user cannot use operators, it's an improvement
over how it was done before.

Closes: #7
Este commit está contenido en:
Albert S. 2021-03-25 21:40:05 +01:00
padre 2aa11fc2b2
commit d507c507e4
Se han modificado 3 ficheros con 22 adiciones y 12 borrados

Ver fichero

@ -23,6 +23,7 @@ SOFTWARE.
#include "exceptions.h"
#include "sqlitequeryoption.h"
#include "../logger.h"
#include "../utils.h"
/* TODO: copied from C version mostly, review whether access to table other than page is ok */
@ -155,6 +156,22 @@ std::vector<std::string> PageDaoSqlite::fetchCategories(std::string pagename, Qu
return result;
}
std::string PageDaoSqlite::ftsEscape(std::string input)
{
std::string result = "";
for(auto &str : utils::splitByChar(input, ' '))
{
std::string tmp = utils::strreplace(str, "\"", "\"\"");
tmp = "\"" + tmp + "\"" + " ";
result += tmp;
}
if(!result.empty())
{
result.pop_back();
}
return result;
}
std::vector<SearchResult> PageDaoSqlite::search(std::string name, QueryOption option)
{
@ -162,11 +179,10 @@ std::vector<SearchResult> PageDaoSqlite::search(std::string name, QueryOption op
try
{
std::string qo = SqliteQueryOption(option).setPrependWhere(false).setOrderByColumn("rank").build();
// TODO: what is passed here, simple gets thrown to the MATCH operator without escaping or anything and this is
// suboptimal
auto query =
*db << "SELECT page.name FROM search INNER JOIN page ON search.page = page.id WHERE search MATCH ? "
<< name;
<< ftsEscape(name);
query >> [&](std::string pagename) {
SearchResult sresult;
sresult.pagename = pagename;

Ver fichero

@ -8,6 +8,9 @@
#include "sqlitedao.h"
class PageDaoSqlite : public PageDao, protected SqliteDao
{
private:
std::string ftsEscape(std::string input);
public:
PageDaoSqlite()
{

Ver fichero

@ -28,15 +28,6 @@ Response HandlerSearch::handleRequest(const Request &r)
return errorResponse("Missing search term", "No search term supplied");
}
for(int x : q)
{
if(!isalnum(x) && !isspace(x))
{
return errorResponse(
"Invalid char",
"Currently, the search is limited and so only supports alpha numeric characters and spaces");
}
}
auto pageDao = this->database->createPageDao();
QueryOption qo = queryOption(r);
try