From: Kovid Goyal <kovid@kovidgoyal.net>
Date: Tue, 30 Jul 2024 13:36:39 +0530
Subject: Fix #2075131 [Private
bug](https://bugs.launchpad.net/calibre/+bug/2075131)
Origin: backport, https://github.com/kovidgoyal/calibre/commit/d56574285e8859d3d715eb7829784ee74337b7d7.patch
Forwarded: not-needed
Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2024-7009
---
src/calibre/db/backend.py | 12 +++++++-----
src/calibre/db/fts/connect.py | 8 +++++---
2 files changed, 12 insertions(+), 8 deletions(-)
diff --git a/src/calibre/db/backend.py b/src/calibre/db/backend.py
index 614abdb..8cdaee3 100644
--- a/src/calibre/db/backend.py
+++ b/src/calibre/db/backend.py
@@ -1917,18 +1917,20 @@ class DB:
fts_engine_query = unicode_normalize(fts_engine_query)
fts_table = 'annotations_fts_stemmed' if use_stemming else 'annotations_fts'
text = 'annotations.searchable_text'
+ data = []
if highlight_start is not None and highlight_end is not None:
if snippet_size is not None:
- text = 'snippet({fts_table}, 0, "{highlight_start}", "{highlight_end}", "…", {snippet_size})'.format(
- fts_table=fts_table, highlight_start=highlight_start, highlight_end=highlight_end,
- snippet_size=max(1, min(snippet_size, 64)))
+ text = "snippet({fts_table}, 0, ?, ?, '…', {snippet_size})".format(
+ fts_table=fts_table, snippet_size=max(1, min(snippet_size, 64)))
else:
- text = f'highlight({fts_table}, 0, "{highlight_start}", "{highlight_end}")'
+ text = f"highlight({fts_table}, 0, ?, ?)"
+ data.append(highlight_start)
+ data.append(highlight_end)
query = 'SELECT {0}.id, {0}.book, {0}.format, {0}.user_type, {0}.user, {0}.annot_data, {1} FROM {0} '
query = query.format('annotations', text)
query += ' JOIN {fts_table} ON annotations.id = {fts_table}.rowid'.format(fts_table=fts_table)
query += f' WHERE {fts_table} MATCH ?'
- data = [fts_engine_query]
+ data.append(fts_engine_query)
if restrict_to_user:
query += ' AND annotations.user_type = ? AND annotations.user = ?'
data += list(restrict_to_user)
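Review bot: `snippet_size` is still written into the SQL text by `.format()` on the new `snippet(...)` line, so the statement is not yet fully parameterized. The `max(1, min(snippet_size, 64))` clamp bounds the value but does not pin its type, and the caller's type is not visible in this hunk; this is hardening rather than a demonstrated hole. Coercing it first, `snippet_size=max(1, min(int(snippet_size), 64))`, would leave only `fts_table` interpolated, and that name is chosen from two literals. The same applies to the f-string `snippet(...)` line in src/calibre/db/fts/connect.py. The enclosing method starts and ends outside the hunk.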
diff --git a/src/calibre/db/fts/connect.py b/src/calibre/db/fts/connect.py
index 9ea3d5c..c575afb 100644
--- a/src/calibre/db/fts/connect.py
+++ b/src/calibre/db/fts/connect.py
@@ -156,20 +156,22 @@ class FTS:
return
fts_engine_query = unicode_normalize(fts_engine_query)
fts_table = 'books_fts' + ('_stemmed' if use_stemming else '')
+ data = []
if return_text:
text = 'books_text.searchable_text'
if highlight_start is not None and highlight_end is not None:
if snippet_size is not None:
- text = f'snippet("{fts_table}", 0, "{highlight_start}", "{highlight_end}", "…", {max(1, min(snippet_size, 64))})'
+ text = f'''snippet("{fts_table}", 0, ?, ?, '…', {max(1, min(snippet_size, 64))})'''
else:
- text = f'highlight("{fts_table}", 0, "{highlight_start}", "{highlight_end}")'
+ text = f'''highlight("{fts_table}", 0, ?, ?)'''
+ data.append(highlight_start)
+ data.append(highlight_end)
text = ', ' + text
else:
text = ''
query = 'SELECT {0}.id, {0}.book, {0}.format {1} FROM {0} '.format('books_text', text)
query += f' JOIN {fts_table} ON fts_db.books_text.id = {fts_table}.rowid'
query += ' WHERE '
- data = []
conn = self.get_connection()
temp_table_name = ''
if restrict_to_book_ids:
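Review bot: The bound values are now positional, so the two `data.append(...)` calls for the highlight markers are only correct while their `?` placeholders stay in the SELECT list, ahead of every placeholder added after `query += ' WHERE '`; nothing in the code says so. A comment above `data = []` would record it, e.g. `# order matters: highlight markers bind to the ?s in the SELECT list, so they must precede all WHERE parameters`. The diffstat lists only the two source files, so a regression test that passes markers containing quote characters through this search and checks they come back verbatim in the result text would pin the fix. The method continues past the end of the hunk.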