SQL injection bug in EPG search

[sgilani]

Hey sub, looks like there's a potential Bobby Tables going on. :p

easy repro, search the epg for "can't" and the logs reveal it. This would be a nasty attack vector potentially via Kodi. At the very least, search won't work properly.

Code:

2018-11-24 22:05:01.912    [ERROR][1]    Unexpected error in FirstLetterSearch(): System.Data.SQLite.SQLiteException (0x80004005): SQL logic error or missing databasenear "t": syntax error
   at System.Data.SQLite.SQLite3.Prepare(SQLiteConnection cnn, String strSql, SQLiteStatement previous, UInt32 timeoutMS, String& strRemain)
   at System.Data.SQLite.SQLiteCommand.BuildNextCommand()
   at System.Data.SQLite.SQLiteCommand.GetStatement(Int32 index)
   at System.Data.SQLite.SQLiteDataReader.NextResult()
   at System.Data.SQLite.SQLiteDataReader..ctor(SQLiteCommand cmd, CommandBehavior behave)
   at System.Data.SQLite.SQLiteCommand.ExecuteReader(CommandBehavior behavior)
   at System.Data.SQLite.SQLiteCommand.ExecuteDbDataReader(CommandBehavior behavior)
   at System.Data.Common.DbCommand.ExecuteReader()
   at NextPVR.TV.SearchGuide.FreeTextSearch(String freeText)

[sub]

Hey sub, looks like there's a potential Bobby Tables going on. :p

The attached patch fixes this bug in the NextPVR search screen.

In general, the app doesn't usually construct sql. This screen did though.

easy repro, search the epg for "can't" and the logs reveal it. This would be a nasty attack vector potentially via Kodi. At the very least, search won't work properly.

Kodi doesn't call a search API on the NextPVR. There is a network callable search api though, used by the iOS/Android clients, but it's unrelated to the implementation used on that screen, and doesn't construct sql, and not susceptible to this type of problem.