adjustments to facilitate insertion and deletion of items containing

quotation marks . _quote_escape(): (new) subs ' for '' for inbound item and returns item . insert: swap ' for ''' on single-item processing run string and list items through _quote_escape() to provide proper sqlite3 escaping of single-quote (' -> '') . delete: swap ' for """ on single-item processing ibid: _quote_escape()
2024-11-08 09:23:56 +00:00 · 2015-05-20 12:57:25 -05:00 · 2015-05-20 12:57:25 -05:00 · ee8be7529c
commit ee8be7529c
parent b39e2d950d
1 changed files with 20 additions and 4 deletions
--- a/salt/queues/sqlite_queue.py
+++ b/salt/queues/sqlite_queue.py
@ -19,6 +19,7 @@ from __future__ import absolute_import
 import glob
 import logging
 import os
+import re
 import sqlite3 as lite
 from salt.exceptions import SaltInvocationError

@ -120,6 +121,17 @@ def list_length(queue):
    return len(items)


+def _quote_escape(item):
+    '''
+    Make sure single quotes are escaped properly in sqlite3 fashion.
+    e.g.: ' becomes ''
+    '''
+
+    rex_sqlquote = re.compile("""'""", re.M)
+
+    return rex_sqlquote.sub("""''""", item)
+
+
 def insert(queue, items):
    '''
    Add an item or items to a queue
@ -128,7 +140,8 @@ def insert(queue, items):
    with con:
        cur = con.cursor()
        if isinstance(items, str):
-            cmd = 'INSERT INTO {0}(name) VALUES("{1}")'.format(queue, items)
+            items = _quote_escape(items)
+            cmd = '''INSERT INTO {0}(name) VALUES('{1}')'''.format(queue, items)
            log.debug('SQL Query: {0}'.format(cmd))
            try:
                cur.execute(cmd)
@ -136,7 +149,8 @@ def insert(queue, items):
                return('Item already exists in this queue. '
                       'sqlite error: {0}'.format(esc))
        if isinstance(items, list):
-            cmd = 'INSERT INTO {0}(name) VALUES(?)'.format(queue)
+            items = [_quote_escape(el) for el in items]
+            cmd = "INSERT INTO {0}(name) VALUES(?)".format(queue)
            log.debug('SQL Query: {0}'.format(cmd))
            newitems = []
            for item in items:
@ -158,11 +172,13 @@ def delete(queue, items):
    with con:
        cur = con.cursor()
        if isinstance(items, str):
-            cmd = 'DELETE FROM {0} WHERE name = "{1}"'.format(queue, items)
+            items = _quote_escape(items)
+            cmd = """DELETE FROM {0} WHERE name = '{1}'""".format(queue, items)
            log.debug('SQL Query: {0}'.format(cmd))
            cur.execute(cmd)
            return True
        if isinstance(items, list):
+            items = [_quote_escape(el) for el in items]
            cmd = 'DELETE FROM {0} WHERE name = ?'.format(queue)
            log.debug('SQL Query: {0}'.format(cmd))
            newitems = []