From 7b2ca55089d4fb65e574c7643d4ebdd307943011 Mon Sep 17 00:00:00 2001
From: Omar Roth
Date: Mon, 4 Nov 2019 12:26:05 -0500
Subject: [PATCH] Fix escaping in email query
---
src/invidious.cr | 2 +-
src/invidious/channels.cr | 4 ++--
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/invidious.cr b/src/invidious.cr
index d2d20284..90b428f6 100644
--- a/src/invidious.cr
+++ b/src/invidious.cr
@@ -3389,7 +3389,7 @@ post "/feed/webhook/:token" do |env|
if emails.empty?
values = "'{}'"
else
- values = "VALUES #{emails.map { |id| %(('#{id}')) }.join(",")}"
+ values = "VALUES #{emails.map { |email| %((E'#{email.gsub({'\'' => "\\'", '\\' => "\\\\"})}')) }.join(",")}"
end
PG_DB.exec("UPDATE users SET feed_needs_update = true WHERE email = ANY(#{values})")
diff --git a/src/invidious/channels.cr b/src/invidious/channels.cr
index 2d911089..71ed4d59 100644
--- a/src/invidious/channels.cr
+++ b/src/invidious/channels.cr
@@ -281,7 +281,7 @@ def fetch_channel(ucid, db, pull_all_videos = true, locale = nil)
if emails.empty?
values = "'{}'"
else
- values = "VALUES #{emails.map { |id| %(('#{id}')) }.join(",")}"
+ values = "VALUES #{emails.map { |email| %((E'#{email.gsub({'\'' => "\\'", '\\' => "\\\\"})}')) }.join(",")}"
end
db.exec("UPDATE users SET feed_needs_update = true WHERE email = ANY(#{values})")
@@ -349,7 +349,7 @@ def fetch_channel(ucid, db, pull_all_videos = true, locale = nil)
if emails.empty?
values = "'{}'"
else
- values = "VALUES #{emails.map { |id| %(('#{id}')) }.join(",")}"
+ values = "VALUES #{emails.map { |email| %((E'#{email.gsub({'\'' => "\\'", '\\' => "\\\\"})}')) }.join(",")}"
end
db.exec("UPDATE users SET feed_needs_update = true WHERE email = ANY(#{values})")
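Review bot: The `UPDATE` in the webhook handler is still assembled by string interpolation, so correctness now rests on the hand-written escape; the new `gsub` is right for an E'' literal (it escapes exactly `'` and `\`, and the Hash form is a single pass, so the backslashes it inserts are not re-escaped), but a bind parameter removes the escaping question entirely. If the driver accepts an array argument, `PG_DB.exec("UPDATE users SET feed_needs_update = true WHERE email = ANY($1)", emails)` covers both the empty and the non-empty case and the whole `values` branch can go. The enclosing `post "/feed/webhook/:token"` block starts and ends outside the hunk.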
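Review bot: The escaping expression on the added `values =` line is now copy-pasted three times (here, in the hunk at line 349, and in `src/invidious.cr`), which is how one copy drifts out of sync the next time the literal format changes. Pull it into one helper, e.g. `def pg_string_literal(s : String) : String; "E'#{s.gsub({'\'' => "\\'", '\\' => "\\\\"})}'"; end`, and call it as `values = "VALUES #{emails.map { |email| "(#{pg_string_literal(email)})" }.join(",")}"`. `fetch_channel` starts before this hunk and continues after it.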
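Review bot: The added `values =` line in this hunk has no comment explaining why the literal is E-prefixed or why only two characters are escaped, so a later reader may "fix" it by escaping more or by dropping the `E`. Add above it: `# Build an E'' literal: backslash and single quote are the only bytes that need escaping, and the Hash form of gsub is single-pass, so the inserted backslashes are not escaped again.` The surrounding `fetch_channel` body starts and ends outside the hunk.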