From 5cb6ef8e363ff410541d254afb379305d3519d90 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jakub=20Malo=C5=A1t=C3=ADk?= <malostik@cesnet.cz>
Date: Tue, 30 Aug 2022 13:55:43 +0200
Subject: [PATCH] Fix: escaped group parameter in getEvents for use with LIKE

to prevent clashing of underscores in client names and underscores used by LIKE.
---
 warden_server/warden_server.py | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/warden_server/warden_server.py b/warden_server/warden_server.py
index 760443f..0dc445a 100755
--- a/warden_server/warden_server.py
+++ b/warden_server/warden_server.py
@@ -714,10 +714,11 @@ class MySQL(ObjectBase):
         if group or nogroup:
             subquery = []
             for name in (group or nogroup):
-                subquery.append("c.name = %s")      # exact client
+                escaped_name = name.replace('&', '&&').replace("_", "&_").replace("%", "&%")  # escape for LIKE
+                subquery.append("c.name = %s")                                # exact client
                 params.append(name)
-                subquery.append("c.name LIKE %s")   # whole subtree
-                params.append(name + ".%")
+                subquery.append("c.name LIKE CONCAT(%s, '.%%') ESCAPE '&'")   # whole subtree
+                params.append(escaped_name)
 
             query.append(" AND %s (%s)" % (self._get_not(group), " OR ".join(subquery)))
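Review bot: The LIKE-escaping on the `escaped_name =` line is an inline three-step replace chain with no documentation of why `&` is the escape character or why the `&` doubling must come first, so the next place that builds a LIKE from a client name will likely re-type it differently; pull it into a small module-level helper with a docstring and call it as `escaped_name = _escape_like(name)`. The helper should state that `&` is used instead of the default backslash so the pattern does not depend on the server's `sql_mode` backslash handling, and that the `'.%%'` suffix relies on the driver's format-style placeholders collapsing `%%` to `%` (the existing `%s` placeholders suggest that, but it is not visible here). The exact-match branch correctly keeps the raw `name`, so the helper must only be applied to the LIKE parameter. The enclosing method starts and ends outside this hunk.
```python
def _escape_like(value, esc="&"):
    """Escape LIKE metacharacters in *value* for use with ``ESCAPE esc``.

    The escape character itself is doubled first so that a literal ``&``
    in a client name cannot be read as escaping the ``_``/``%`` that follow.
    """
    return value.replace(esc, esc * 2).replace("_", esc + "_").replace("%", esc + "%")

# … unchanged: inside the group/nogroup loop …
                escaped_name = _escape_like(name)  # LIKE parameter only; exact match uses raw name
```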
 
-- 
GitLab