importer: Fix potential SQL command injection
authorMichael Tremer <michael.tremer@ipfire.org>
Tue, 27 Sep 2022 09:20:05 +0000 (09:20 +0000)
committerMichael Tremer <michael.tremer@ipfire.org>
Tue, 27 Sep 2022 09:20:05 +0000 (09:20 +0000)
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
src/scripts/location-importer.in

index d42897691e6a73b935aebb95d029ef2cc655f451..9faf23b6b7fde58c485da56af5b837a972fb3681 100644 (file)
@@ -1450,10 +1450,7 @@ class CLI(object):
                                # Conduct a very basic sanity check to rule out CDN issues causing bogus DROP
                                # downloads.
                                if len(fcontent) > 10:
-                                       self.db.execute("""
-                                               DELETE FROM network_overrides WHERE source = '%s';
-                                       """ % name,
-                                       )
+                                       self.db.execute("DELETE FROM network_overrides WHERE source = %s", name)
                                else:
                                        log.error("%s (%s) returned likely bogus file, ignored" % (name, url))
                                        continue
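Review bot: The added `self.db.execute("DELETE FROM network_overrides WHERE source = %s", name)` is only injection-safe if `self.db.execute` forwards `name` to the database driver as a bind parameter. That wrapper is defined outside this hunk, so confirm it does not apply `%` formatting to the query itself, which would now also produce an unquoted value. The same applies to the `autnum_overrides` DELETE in the next hunk. I would add a short comment above both calls, e.g. `# name is sent as a bind parameter; never format it into the SQL text`, and a regression test that uses a source name containing a single quote. The enclosing method starts and ends outside the hunk.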
@@ -1505,10 +1502,7 @@ class CLI(object):
                                # Conduct a very basic sanity check to rule out CDN issues causing bogus DROP
                                # downloads.
                                if len(fcontent) > 10:
-                                       self.db.execute("""
-                                               DELETE FROM autnum_overrides WHERE source = '%s';
-                                       """ % name,
-                                       )
+                                       self.db.execute("DELETE FROM autnum_overrides WHERE source = %s", name)
                                else:
                                        log.error("%s (%s) returned likely bogus file, ignored" % (name, url))
                                        continue