[open-ils-commits] r16748 - branches/rel_1_6/Open-ILS/src/c-apps (dbs)

svn at svn.open-ils.org svn at svn.open-ils.org
Fri Jun 18 00:46:24 EDT 2010 

Author: dbs
Date: 2010-06-18 00:46:20 -0400 (Fri, 18 Jun 2010)
New Revision: 16748

Modified:
   branches/rel_1_6/Open-ILS/src/c-apps/oils_cstore.c
Log:
Backport security fix r16747 from trunk

1. Disable fleshing for PCRUD.  Otherwise fleshing would provide a
back door whereby a user could see stuff he has no permission to see.

2. For the id_list method: strip out the "flesh_fields" entry, not
the "flesh_columns" entry (which doesn't exist).  This actually makes
no difference, but if we're going to do something useless, we might
as well do it right.


Modified: branches/rel_1_6/Open-ILS/src/c-apps/oils_cstore.c
===================================================================
--- branches/rel_1_6/Open-ILS/src/c-apps/oils_cstore.c	2010-06-17 19:16:45 UTC (rev 16747)
+++ branches/rel_1_6/Open-ILS/src/c-apps/oils_cstore.c	2010-06-18 04:46:20 UTC (rev 16748)
@@ -94,6 +94,12 @@
 static jsonObject* jsonNULL = NULL; // 
 static int max_flesh_depth = 100;
 
+#ifdef PCRUD
+static int enforce_pcrud = 1;     // Boolean
+#else
+static int enforce_pcrud = 0;     // Boolean
+#endif
+
 /* called when this process is about to exit */
 void osrfAppChildExit() {
     osrfLogDebug(OSRF_LOG_MARK, "Child is exiting, disconnecting from database...");
@@ -804,7 +810,7 @@
             jsonObjectRemoveKey( jsonObjectGetIndex( _p, 1 ), "select" );
             jsonObjectRemoveKey( jsonObjectGetIndex( _p, 1 ), "no_i18n" );
             jsonObjectRemoveKey( jsonObjectGetIndex( _p, 1 ), "flesh" );
-            jsonObjectRemoveKey( jsonObjectGetIndex( _p, 1 ), "flesh_columns" );
+            jsonObjectRemoveKey( jsonObjectGetIndex( _p, 1 ), "flesh_fields" );
         } else {
             jsonObjectSetIndex( _p, 1, jsonNewObjectType(JSON_HASH) );
         }
@@ -4271,7 +4277,7 @@
 	dbi_result_free(result);
 	free(sql);
 
-	if (res_list->size && order_hash) {
+	if (res_list->size && order_hash && ! enforce_pcrud) {
 		_tmp = jsonObjectGetKeyConst( order_hash, "flesh" );
 		if (_tmp) {
 			int x = (int)jsonObjectGetNumber(_tmp);

More information about the open-ils-commits mailing list