escape peername in SQL statements

Some places already called url_encode/url_decode for this value, now it is consistent.
LINBIT · Aug 13, 2019 · 588850a · 588850a
1 parent 0ecfc33
commit 588850a
Show file tree

Hide file tree

Showing 2 changed files with 3 additions and 2 deletions.
diff --git a/daemon.c b/daemon.c
@@ -77,7 +77,7 @@ void csync_file_update(const char *filename, const char *peername)
 	struct stat st;
 	SQL("Removing file from dirty db",
 			"delete from dirty where filename = '%s' and peername = '%s'",
-			url_encode(filename), peername);
+			url_encode(filename), url_encode(peername));
 	if ( lstat_strict(prefixsubst(filename), &st) != 0 || csync_check_pure(filename) ) {
 		SQL("Removing file from file db",
 			"delete from file where filename = '%s'",

diff --git a/update.c b/update.c
@@ -1156,11 +1156,12 @@ void csync_remove_old()
 		const struct csync_group_host *h;
 
 		const char *filename = url_decode(SQL_V(0));
+		const char *peername = url_decode(SQL_V(2));
 
 		while ((g=csync_find_next(g, filename)) != 0) {
 			if (!strcmp(g->myname, SQL_V(1)))
 				for (h = g->host; h; h = h->next) {
-					if (!strcmp(h->hostname, SQL_V(2)))
+					if (!strcmp(h->hostname, peername))
 						goto this_dirty_record_is_ok;
 				}
 		}