[open-ils-commits] r13786 - trunk/Open-ILS/src/c-apps (scottmk)

[svn at svn.open-ils.org]

Author: scottmk
Date: 2009-07-30 22:58:23 -0400 (Thu, 30 Jul 2009)
New Revision: 13786

Modified:
   trunk/Open-ILS/src/c-apps/oils_cstore.c
Log:
When a JSON query refers to a column qualified by a table alias using
the plus-class trick (e.g. "+aou":"opac_visible"): verify that the
column belongs to the indicated class.  If it doesn't, return an error.


Modified: trunk/Open-ILS/src/c-apps/oils_cstore.c
===================================================================
--- trunk/Open-ILS/src/c-apps/oils_cstore.c	2009-07-31 02:26:33 UTC (rev 13785)
+++ trunk/Open-ILS/src/c-apps/oils_cstore.c	2009-07-31 02:58:23 UTC (rev 13786)
@@ -2627,8 +2627,22 @@
 				}
 
 				if ( node->type == JSON_STRING ) {
-					// It's the name of a column
-					buffer_fadd(sql_buf, " \"%s\".%s ", alias_info->alias, jsonObjectGetString( node ) );
+					// It's the name of a column; make sure it belongs to the class
+					const char* fieldname = jsonObjectGetString( node );
+					if( ! osrfHashGet( alias_info->fields, fieldname ) ) {
+						osrfLogError(
+							OSRF_LOG_MARK,
+							"%s: Invalid column name \"%s\" in WHERE clause for table alias \"%s\"",
+							MODULENAME,
+							fieldname,
+							alias_info->alias
+						);
+						jsonIteratorFree( search_itr );
+						buffer_free( sql_buf );
+						return NULL;
+					}
+
+					buffer_fadd(sql_buf, " \"%s\".%s ", alias_info->alias, fieldname );
 				} else {
 					// It's something more complicated
 					char* subpred = searchWHERE( node, alias_info, AND_OP_JOIN, ctx );
@@ -3355,7 +3369,6 @@
 	if (from_function) table = searchValueTransform(join_hash);
 	else table = strdup( curr_query->core.source_def );
 
-
 	if( !table ) {
 		if (ctx)
 			osrfAppSessionStatus(