Merge pull request #36099 from nextcloud/backport/34924/stable25

[stable25] escape path prefix when doing cache jail search
nextcloud · Jan 19, 2023 · 0fedfd6 · 0fedfd6
2 parents 4f6f5de + 5c743ac
commit 0fedfd6
Show file tree

Hide file tree

Showing 3 changed files with 8 additions and 7 deletions.
diff --git a/lib/private/Files/Cache/Wrapper/CacheJail.php b/lib/private/Files/Cache/Wrapper/CacheJail.php
@@ -317,7 +317,7 @@ protected function addJailFilterQuery(ISearchOperator $filter): ISearchOperator
 					new SearchBinaryOperator(ISearchBinaryOperator::OPERATOR_OR,
 						[
 							new SearchComparison(ISearchComparison::COMPARE_EQUAL, 'path', $this->getGetUnjailedRoot()),
-							new SearchComparison(ISearchComparison::COMPARE_LIKE_CASE_SENSITIVE, 'path', $this->getGetUnjailedRoot() . '/%'),
+							new SearchComparison(ISearchComparison::COMPARE_LIKE_CASE_SENSITIVE, 'path', SearchComparison::escapeLikeParameter($this->getGetUnjailedRoot()) . '/%'),
 						],
 					)
 				]

diff --git a/lib/private/Files/Search/QueryOptimizer/PathPrefixOptimizer.php b/lib/private/Files/Search/QueryOptimizer/PathPrefixOptimizer.php
@@ -23,15 +23,12 @@
 
 namespace OC\Files\Search\QueryOptimizer;
 
+use OC\Files\Search\SearchComparison;
 use OCP\Files\Search\ISearchBinaryOperator;
 use OCP\Files\Search\ISearchComparison;
 use OCP\Files\Search\ISearchOperator;
 
 class PathPrefixOptimizer extends QueryOptimizerStep {
-	public function escapeLikeParameter(string $param): string {
-		return addcslashes($param, '\\_%');
-	}
-
 	public function processOperator(ISearchOperator &$operator) {
 		// normally the `path = "$prefix"` search query part of the prefix filter would be generated as an `path_hash = md5($prefix)` sql query
 		// since the `path_hash` sql column usually provides much faster querying that selecting on the `path` sql column
@@ -43,11 +40,11 @@ public function processOperator(ISearchOperator &$operator) {
 			$b = $operator->getArguments()[1];
 			if ($a instanceof ISearchComparison && $b instanceof ISearchComparison && $a->getField() === 'path' && $b->getField() === 'path') {
 				if ($a->getType() === ISearchComparison::COMPARE_LIKE_CASE_SENSITIVE && $b->getType() === ISearchComparison::COMPARE_EQUAL
-					&& $a->getValue() === $this->escapeLikeParameter($b->getValue()) . '/%') {
+					&& $a->getValue() === SearchComparison::escapeLikeParameter($b->getValue()) . '/%') {
 					$b->setQueryHint(ISearchComparison::HINT_PATH_EQ_HASH, false);
 				}
 				if ($b->getType() === ISearchComparison::COMPARE_LIKE_CASE_SENSITIVE && $a->getType() === ISearchComparison::COMPARE_EQUAL
-					&& $b->getValue() === $this->escapeLikeParameter($a->getValue()) . '/%') {
+					&& $b->getValue() === SearchComparison::escapeLikeParameter($a->getValue()) . '/%') {
 					$a->setQueryHint(ISearchComparison::HINT_PATH_EQ_HASH, false);
 				}
 			}

diff --git a/lib/private/Files/Search/SearchComparison.php b/lib/private/Files/Search/SearchComparison.php
@@ -74,4 +74,8 @@ public function getQueryHint(string $name, $default) {
 	public function setQueryHint(string $name, $value): void {
 		$this->hints[$name] = $value;
 	}
+
+	public static function escapeLikeParameter(string $param): string {
+		return addcslashes($param, '\\_%');
+	}
 }