From 4fe6ae9811238b5e4221b033f9a7decdeadf9ef3 Mon Sep 17 00:00:00 2001
From: shortcutme
Date: Sat, 15 Dec 2018 17:45:17 +0100
Subject: [PATCH] Allow only SELECT in storage.query
---
 src/Site/SiteStorage.py | 3 +++
 src/Ui/UiWebsocket.py | 2 --
 2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/src/Site/SiteStorage.py b/src/Site/SiteStorage.py
index 01066c9f..d901d5fa 100644
--- a/src/Site/SiteStorage.py
+++ b/src/Site/SiteStorage.py
@@ -173,6 +173,9 @@ class SiteStorage(object):

 # Execute sql query or rebuild on dberror
 def query(self, query, params=None):
+ if not query.strip().upper().startswith("SELECT"):
+ raise Exception("Only SELECT query supported")
+
 if self.event_db_busy: # Db not ready for queries
 self.log.debug("Wating for db...")
 self.event_db_busy.get() # Wait for event
diff --git a/src/Ui/UiWebsocket.py b/src/Ui/UiWebsocket.py
index 26ef7552..39ce27bd 100644
--- a/src/Ui/UiWebsocket.py
+++ b/src/Ui/UiWebsocket.py
@@ -669,8 +669,6 @@ class UiWebsocket(object):
 s = time.time()
 rows = []
 try:
- if not query.strip().upper().startswith("SELECT"):
- raise Exception("Only SELECT query supported")
 res = self.site.storage.query(query, params)
 except Exception, err: # Response the error to client
 self.log.error("DbQuery error: %s" % err)
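Review bot: The guard added at the top of `query()` in src/Site/SiteStorage.py is a string-prefix allowlist, so it decides on how the statement text begins rather than on what the database engine will do with it, and after this commit it is the only gate for every caller of `storage.query`. I would back it with an engine-level control; assuming the backend is SQLite (not visible in the hunk), that could be `PRAGMA query_only = ON` on the connection that serves site queries, or a `set_authorizer` callback that denies everything except reads. If the prefix test stays as it is, document its limits directly above it, e.g. `# Prefix check only; does not by itself make the statement read-only (assumes the db layer executes a single statement)`. Two side effects are worth confirming: valid read queries that begin with `WITH` or a leading comment are now rejected, and any internal caller that passed a non-SELECT statement through this method will start raising the bare `Exception`. The body of `query()` continues past the end of the hunk.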