summary refs log tree commit diff
path: root/synapse/storage
diff options
context:
space:
mode:
authorMark Haines <mark.haines@matrix.org>2016-07-05 10:39:13 +0100
committerMark Haines <mark.haines@matrix.org>2016-07-05 10:39:13 +0100
commitd44d11d864714d4d99953bdae6625973519f120f (patch)
tree2afee741266f4c3c3927306a2a358bfed3fd1014 /synapse/storage
parentUse different SQL for postgres and sqlite3 for when using multicolumn indexes (diff)
downloadsynapse-d44d11d864714d4d99953bdae6625973519f120f.tar.xz
Use true/false for boolean parameter inclusive to avoid potential for sqli, and possibly make the code clearer
Diffstat (limited to '')
-rw-r--r--synapse/storage/event_push_actions.py2
-rw-r--r--synapse/storage/stream.py10
2 files changed, 7 insertions, 5 deletions
diff --git a/synapse/storage/event_push_actions.py b/synapse/storage/event_push_actions.py
index e3e2e8083e..3d93285f84 100644
--- a/synapse/storage/event_push_actions.py
+++ b/synapse/storage/event_push_actions.py
@@ -86,7 +86,7 @@ class EventPushActionsStore(SQLBaseStore):
                 " user_id = ?"
                 " AND room_id = ?"
                 " AND %s"
-            ) % (lower_bound(token, self.database_engine, inclusive=""),)
+            ) % (lower_bound(token, self.database_engine, inclusive=False),)
 
             txn.execute(sql, (user_id, room_id))
             row = txn.fetchone()
diff --git a/synapse/storage/stream.py b/synapse/storage/stream.py
index 23b3a40aaf..56304999dc 100644
--- a/synapse/storage/stream.py
+++ b/synapse/storage/stream.py
@@ -55,7 +55,8 @@ _STREAM_TOKEN = "stream"
 _TOPOLOGICAL_TOKEN = "topological"
 
 
-def lower_bound(token, engine, inclusive=""):
+def lower_bound(token, engine, inclusive=False):
+    inclusive = "=" if inclusive else ""
     if token.topological is None:
         return "(%d <%s %s)" % (token.stream, inclusive, "stream_ordering")
     else:
@@ -74,7 +75,8 @@ def lower_bound(token, engine, inclusive=""):
         )
 
 
-def upper_bound(token, engine, inclusive="="):
+def upper_bound(token, engine, inclusive=True):
+    inclusive = "=" if inclusive else ""
     if token.topological is None:
         return "(%d >%s %s)" % (token.stream, inclusive, "stream_ordering")
     else:
@@ -616,13 +618,13 @@ class StreamStore(SQLBaseStore):
             "SELECT topological_ordering, stream_ordering, event_id FROM events"
             " WHERE room_id = ? AND %s"
             " ORDER BY topological_ordering DESC, stream_ordering DESC LIMIT ?"
-        ) % (upper_bound(token, self.database_engine, inclusive=""),)
+        ) % (upper_bound(token, self.database_engine, inclusive=False),)
 
         query_after = (
             "SELECT topological_ordering, stream_ordering, event_id FROM events"
             " WHERE room_id = ? AND %s"
             " ORDER BY topological_ordering ASC, stream_ordering ASC LIMIT ?"
-        ) % (lower_bound(token, self.database_engine, inclusive=""),)
+        ) % (lower_bound(token, self.database_engine, inclusive=False),)
 
         txn.execute(query_before, (room_id, before_limit))