[mew-dist 28624] msg-id:に変な文字があるときsmewがエラー終了

[KOIE Hidetaka ( 鯉江英隆 )]

smewがこんなエラー↓
/usr/local/lib/ruby/gems/1.8/gems/sqlite3-ruby-1.2.2/lib/sqlite3/errors.rb:62: `unrecognized token: "5_5b"' (SQLite3::SQLException)
	from /usr/local/lib/ruby/gems/1.8/gems/sqlite3-ruby-1.2.2/lib/sqlite3/statement.rb:39:in `initialize'
	from /usr/local/lib/ruby/gems/1.8/gems/sqlite3-ruby-1.2.2/lib/sqlite3/database.rb:154:in `new'
	from /usr/local/lib/ruby/gems/1.8/gems/sqlite3-ruby-1.2.2/lib/sqlite3/database.rb:154:in `prepare'
	from /usr/local/lib/ruby/gems/1.8/gems/sqlite3-ruby-1.2.2/lib/sqlite3/database.rb:181:in `execute'
	from ./smew:20:in `select_by_id'
	from ./smew:83:in `search_ancestors'
	from ./smew:142
になるので調べてみたら
message-id: <20080813122201t'5_5b at example.com>
というように「'」を含んでいるメイルがあり
(こんな文字が入っていていいのかは別にして)
SQL injectionになっていました。

パッチを書いてみましたが、これでよいのか自信はありません。
SQLにくわしい人おねがいします。

Index: smew
===================================================================
RCS file: /cvsmew/mew/bin/smew,v
retrieving revision 1.7
diff -u -p -r1.7 smew
--- smew	16 May 2008 07:18:27 -0000	1.7
+++ smew	17 Sep 2008 07:33:58 -0000
@@ -15,9 +15,13 @@ require 'sqlite3'
 ## DB search
 ##
 
+def xxquote(s)
+  s ? SQLite3::Database.quote(s) : nil
+end
+
 def select_by_id(hash, db, id, mydir)
   ret = nil
-  db.execute("SELECT * FROM mew WHERE (mew.id = '#{id}');") do |ent|
+  db.execute("SELECT * FROM mew WHERE (mew.id = '#{xxquote(id)}');") do |ent|
     if push_results(hash, ent, mydir)
       ret = ent
     end
@@ -32,7 +36,7 @@ def select_by_parid(hash, db, idvec, myd
     if cond != ""
       cond += " OR "
     end
-    cond += "mew.parid = '#{id}'"
+    cond += "mew.parid = '#{xxquote(id)}'"
   end
   db.execute("SELECT * FROM mew WHERE (#{cond});") do |ent|
     if push_results(hash, ent, mydir)

--
KOIE Hidetaka <hide at example.com>