[open-ils-commits] r12606 - trunk/Open-ILS/src/c-apps (scottmk)
Thu Mar 19 09:55:50 EDT 2009
Author: scottmk
Date: 2009-03-19 09:55:48 -0400 (Thu, 19 Mar 2009)
New Revision: 12606
Modified:
trunk/Open-ILS/src/c-apps/oils_cstore.c
Log:
In the searchINPredicate function of oils_cstore.c: tighten
input validation.
1. Require that the operand of IN or NOT IN be either a
JSON_ARRAY or a JSON_OBJECT.
2. Require that an item in an IN list be either a
JSON_STRING or a JSON_NUMBER.
Modified: trunk/Open-ILS/src/c-apps/oils_cstore.c
===================================================================
--- trunk/Open-ILS/src/c-apps/oils_cstore.c 2009-03-19 06:51:33 UTC (rev 12605)
+++ trunk/Open-ILS/src/c-apps/oils_cstore.c 2009-03-19 13:55:48 UTC (rev 12606)
@@ -1696,6 +1696,14 @@
else
buffer_add(sql_buf, ", ");
+ // Sanity check
+ if ( in_item->type != JSON_STRING && in_item->type != JSON_NUMBER ) {
+ osrfLogError(OSRF_LOG_MARK, "%s: Expected string or number within IN list; found %s",
+ MODULENAME, json_type( in_item->type ) );
+ buffer_free(sql_buf);
+ return NULL;
+ }
+
// Append the literal value -- quoted if not a number
if ( JSON_NUMBER == in_item->type ) {
char* val = jsonNumberToDBString( field, in_item );
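Review bot: The new allow-list on in_item->type (JSON_STRING or JSON_NUMBER only) is the right shape, but it is placed after the `", "` separator has already been written to sql_buf, so the error exit runs with a partially built clause; moving the check above the `if`/`else` that appends the separator keeps the failure path free of any buffer writes and reads more naturally. More importantly, the hunk only shows the number branch (`jsonNumberToDBString`); the string branch that follows it is the one that puts caller-supplied text into the SQL, and the comment says "quoted if not a number" — worth confirming that branch escapes the value rather than merely wrapping it in quotes, since rejecting arrays and objects alone does not close that path. The function searchINPredicate starts and ends outside this hunk.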
@@ -1726,6 +1734,11 @@
buffer_free( sql_buf );
return NULL;
}
+ } else {
+ osrfLogError(OSRF_LOG_MARK, "%s: Expected object or array for IN clause; found %s",
+ MODULENAME, json_type( node->type ) );
+ buffer_free(sql_buf);
+ return NULL;
}
OSRF_BUFFER_ADD_CHAR( sql_buf, ')' );
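Review bot: The new `else` branch is now the third visible place in searchINPredicate where the failure exit is the pair `buffer_free(sql_buf); return NULL;` (the other two are in the first hunk and in the context just above this one), so a single cleanup label would be the idiomatic form: each exit becomes `goto fail;` and the function ends with `fail: buffer_free(sql_buf); return NULL;`. The log message also assumes json_type() returns a printable string for every value node->type can hold; if it can return NULL for an unrecognised type the `%s` argument is undefined, so that is worth confirming or guarding. The body of searchINPredicate continues past the hunk.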