[open-ils-commits] [GIT] Evergreen ILS branch rel_2_1 updated. a2d24cda30cabd2237cca46b085d01f0213558a6

Evergreen Git git at git.evergreen-ils.org
Wed Apr 17 15:33:51 EDT 2013


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "Evergreen ILS".

The branch, rel_2_1 has been updated
       via  a2d24cda30cabd2237cca46b085d01f0213558a6 (commit)
       via  778083fbf7082e1cafcd3f2c66f296cf34519e4d (commit)
       via  8c00f551d54cf69ee401ba4961bba4bdfef4b7dc (commit)
       via  0aaec933cce3d53638cce0754825521478719095 (commit)
      from  0253ee1b3d203137ae7397353d1b5570552a15be (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit a2d24cda30cabd2237cca46b085d01f0213558a6
Author: Galen Charlton <gmc at esilibrary.com>
Date:   Wed Apr 17 14:40:57 2013 -0400

    commit ChangeLog for 2.1.6
    
    Signed-off-by: Galen Charlton <gmc at esilibrary.com>

diff --git a/ChangeLog b/ChangeLog
index 87b976e..fb634b5 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,109 +1,45 @@
-commit 693c174dd014b9b686c9eb169c75f2e5e5837416
-Author: Dan Scott <dscott at laurentian.ca>
-Date:   Wed Jan 16 00:00:22 2013 -0500
+commit 778083fbf7082e1cafcd3f2c66f296cf34519e4d
+Author: Galen Charlton <gmc at esilibrary.com>
+Date:   Wed Apr 17 14:37:59 2013 -0400
 
-    Bumping version numbers for 2.1.5
-    
-    Also, add pertinent release notes entry.
+    bump up version numbers for 2.1.6
     
-    Signed-off-by: Dan Scott <dscott at laurentian.ca>
+    Signed-off-by: Galen Charlton <gmc at esilibrary.com>
 
 1	1	Open-ILS/src/perlmods/lib/OpenILS/Application.pm
-1	2	Open-ILS/src/sql/Pg/002.schema.config.sql
-2	2	Open-ILS/xul/staff_client/windowssetup.nsi
+1	1	Open-ILS/src/sql/Pg/002.schema.config.sql
 4	4	README
-35	0	RELEASE_NOTES.txt
+8	0	RELEASE_NOTES.txt
 2	2	configure.ac
 
-commit 6fbd73b6456c34195ca1b975dbaa4dda8127696f
-Author: Galen Charlton <gmc at esilibrary.com>
-Date:   Tue Jan 15 11:30:41 2013 -0500
+commit 8c00f551d54cf69ee401ba4961bba4bdfef4b7dc
+Author: Dan Scott <dscott at laurentian.ca>
+Date:   Fri Apr 5 01:53:55 2013 -0400
 
-    LP#1098377: protect against even more cstore segfaults
+    Prevent compiler warning about unused numtype var
     
-    Following up on the preceding patch, passing null
-    as the savepoint name to savepoint.release and
-    savepoint.rollback would also segfault cstore.
+    There was a dangling variable left around that was making noise in the
+    compiler. Credit to Jeff Godin for the heads-up.
     
-    Signed-off-by: Galen Charlton <gmc at esilibrary.com>
     Signed-off-by: Dan Scott <dscott at laurentian.ca>
-
-12	0	Open-ILS/src/c-apps/oils_sql.c
-
-commit 32dafc405e39159adf9ad15fd78c07d4c0c38070
-Author: Bill Erickson <berick at esilibrary.com>
-Date:   Tue Jan 15 10:58:16 2013 -0500
-
-    Verify savepoint name is non-null
-    
-    Before we attempt to mangle the name, let's ensure that it's non-null.
-    Otherwise, segfaults ensue.
-    
     Signed-off-by: Bill Erickson <berick at esilibrary.com>
     Signed-off-by: Galen Charlton <gmc at esilibrary.com>
 
-6	0	Open-ILS/src/c-apps/oils_sql.c
+1	2	Open-ILS/src/c-apps/oils_sql.c
 
-commit 8e5dfdc39c84d86e62c27670fd06cb2a7eac8a27
-Author: Dan Scott <dscott at laurentian.ca>
-Date:   Fri Jan 11 01:32:13 2013 -0500
+commit 0aaec933cce3d53638cce0754825521478719095
+Author: Mike Rylander <mrylander at gmail.com>
+Date:   Fri Apr 5 01:52:16 2013 -0400
 
-    Protect against overly long savepoint names
+    Address SQL injection vulnerability in SQL ORM layer
     
-    Per http://postgresql.org/docs/9.1/static/sql-syntax-lexical.html#SQL-SYNTAX-IDENTIFIERS,
-    the maximum identifier length works out to being 63 bytes (+1 for the
-    null terminator), so to avoid potential memory pressure by a 10GB string
-    somehow being passed in as the savepoint name, malloc no more than 64
-    bytes and copy no more than 63 bytes from the incoming name to the
-    escaped name.
+    If the user-supplied value and the db column are both numbers
+    (jsonObject->type == JSON_NUMBER, get_primitive(field) == "number") then
+    don't quote. Otherwise, quote.
     
+    Signed-off-by: Mike Rylander <mrylander at gmail.com>
     Signed-off-by: Dan Scott <dscott at laurentian.ca>
+    Signed-off-by: Bill Erickson <berick at esilibrary.com>
     Signed-off-by: Galen Charlton <gmc at esilibrary.com>
 
-16	2	Open-ILS/src/c-apps/oils_sql.c
-
-commit 4866458029567fc2af36a382dcc7fe3316e74350
-Author: Galen Charlton <gmc at esilibrary.com>
-Date:   Fri Jan 11 02:30:50 2013 -0500
-
-    LP#1098377: sanitize savepoint names
-    
-    When invoking open-ils.{cstore,pcrud,rstore}.savepoint.*, the
-    caller supplies a name for the savepoint.  However, the savepoint
-    names could be constructed so that the caller could execute
-    arbitrary SQL.  This patch sanitizes the name so that it contains
-    only alphanumeric and underscore characters.
-    
-    Signed-off-by: Galen Charlton <gmc at esilibrary.com>
-    Signed-off-by: Dan Scott <dscott at laurentian.ca>
-    
-    Conflicts:
-    	Open-ILS/src/c-apps/oils_sql.c
-
-37	3	Open-ILS/src/c-apps/oils_sql.c
-
-commit 4e641eb976d0ed22cb96c76287622d34b32a886f
-Author: Dan Scott <dscott at laurentian.ca>
-Date:   Fri Nov 2 12:28:39 2012 -0400
-
-    Update ChangeLog for 2.1.4 release
-    
-    Signed-off-by: Dan Scott <dscott at laurentian.ca>
-
-70	211	ChangeLog
-
-commit 2df1d44645c07dd4a54d2d1392f76a3f8bdfbe90
-Author: Dan Scott <dscott at laurentian.ca>
-Date:   Thu Nov 1 23:33:20 2012 -0400
-
-    Bumping version numbers for 2.1.4
-    
-    Signed-off-by: Dan Scott <dscott at laurentian.ca>
-
-1	1	Open-ILS/src/perlmods/lib/OpenILS.pm
-1	1	Open-ILS/src/perlmods/lib/OpenILS/Application.pm
-1	0	Open-ILS/src/sql/Pg/002.schema.config.sql
-1	1	Open-ILS/xul/staff_client/chrome/content/main/about.html
-1	1	Open-ILS/xul/staff_client/defaults/preferences/prefs.js
-5	5	README
-2	2	configure.ac
+4	18	Open-ILS/src/c-apps/oils_sql.c
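Review bot: the new entry for the SQL injection fix (commit 0aaec933, the last entry in this hunk) carries no bug-tracker or advisory reference, unlike the 2.1.5 savepoint entries it replaces, which were tagged LP#1098377. Since this ChangeLog is regenerated from commit messages at each release, the reference has to live in the commit message or in RELEASE_NOTES.txt; without it, downstream packagers have nothing to cross-reference the fix against when they ship 2.1.6.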

commit 778083fbf7082e1cafcd3f2c66f296cf34519e4d
Author: Galen Charlton <gmc at esilibrary.com>
Date:   Wed Apr 17 14:37:59 2013 -0400

    bump up version numbers for 2.1.6
    
    Signed-off-by: Galen Charlton <gmc at esilibrary.com>

diff --git a/Open-ILS/src/perlmods/lib/OpenILS/Application.pm b/Open-ILS/src/perlmods/lib/OpenILS/Application.pm
index d362857..5d7cf6a 100644
--- a/Open-ILS/src/perlmods/lib/OpenILS/Application.pm
+++ b/Open-ILS/src/perlmods/lib/OpenILS/Application.pm
@@ -6,7 +6,7 @@ use base qw/OpenSRF::Application/;
 sub ils_version {
     # version format is "x-y-z", for example "2-0-0" for Evergreen 2.0.0
     # For branches, format is "x-y"
-    return "2-1-5";
+    return "2-1-6";
 }
 
 __PACKAGE__->register_method(
diff --git a/Open-ILS/src/sql/Pg/002.schema.config.sql b/Open-ILS/src/sql/Pg/002.schema.config.sql
index 8ed0f9b..286fbdd 100644
--- a/Open-ILS/src/sql/Pg/002.schema.config.sql
+++ b/Open-ILS/src/sql/Pg/002.schema.config.sql
@@ -58,7 +58,7 @@ CREATE TABLE config.upgrade_log (
 );
 
 INSERT INTO config.upgrade_log (version) VALUES ('0726'); -- denials
-INSERT INTO config.upgrade_log (version) VALUES ('2.1.5');
+INSERT INTO config.upgrade_log (version) VALUES ('2.1.6');
 
 CREATE TABLE config.bib_source (
 	id		SERIAL	PRIMARY KEY,
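Review bot: this only changes the version marker seeded into config.upgrade_log on a fresh install. The push contains no 2.1.5-2.1.6 upgrade script (per the summary of changes the touched files are ChangeLog, oils_sql.c, Application.pm, this file, README, RELEASE_NOTES.txt and configure.ac), so a database upgraded in place will keep reporting '2.1.5' as its last logged version unless such a script ships separately with the release. Worth a line in RELEASE_NOTES.txt either way, so admins are not surprised by the mismatch.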
diff --git a/README b/README
index 0e38f7c..71aab05 100644
--- a/README
+++ b/README
@@ -1,4 +1,4 @@
-README for Evergreen 2.1.5
+README for Evergreen 2.1.6
 ==========================
 
 Preamble: referenced user accounts
@@ -38,8 +38,8 @@ the following commands as the *user* Linux account:
 
 [source, bash]
 ------------------------------------------------------------------------------
-wget -c http://evergreen-ils.org/downloads/Evergreen-ILS-2.1.5.tar.gz
-tar xzf Evergreen-ILS-2.1.5.tar.gz
+wget -c http://evergreen-ils.org/downloads/Evergreen-ILS-2.1.6.tar.gz
+tar xzf Evergreen-ILS-2.1.6.tar.gz
 ------------------------------------------------------------------------------
 
 Preamble: Developer instructions
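Review bot: the download step still fetches the release tarball over plain http:// with nothing to verify it against, which matters more than usual for a release whose only code change is a SQL injection fix: anyone in a network position can hand the installer a substituted archive. Suggest publishing a SHA-256 digest or a GPG signature next to the tarball and adding a verification step after the `wget -c` line, e.g. `sha256sum -c Evergreen-ILS-2.1.6.tar.gz.sha256`, and switching the URL to https:// if the download host supports it.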
@@ -172,7 +172,7 @@ Installation instructions
 +
 [source, bash]
 ------------------------------------------------------------------------------
-make STAFF_CLIENT_STAMP_ID=rel_2_1_5 install
+make STAFF_CLIENT_STAMP_ID=rel_2_1_6 install
 ------------------------------------------------------------------------------
 +
 2. The server portion of the staff client expects `http://hostname/xul/server`
diff --git a/RELEASE_NOTES.txt b/RELEASE_NOTES.txt
index 046aa2f..a78195e 100644
--- a/RELEASE_NOTES.txt
+++ b/RELEASE_NOTES.txt
@@ -1,6 +1,14 @@
 Evergreen 2.1 release notes
 ===========================
 
+Upgrade notes for 2.1.6
+------------------------
+
+SQL injection fix
+~~~~~~~~~~~~~~~~~
+This release fixes a parameter quoting issue in the ORM that
+could allow arbitrary SQL to be executed.
+
 Upgrade notes
 -------------
 
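Review bot: the advisory text is too thin for an operator to judge exposure. It does not say which services are affected (the patched function is in oils_sql.c, which backs the open-ils.cstore, pcrud and rstore services named in the removed 2.1.5 ChangeLog entries), whether an unauthenticated caller can reach the vulnerable path, which releases are vulnerable, or which commit fixes it (0aaec933). Suggest adding those points and a bug reference, and stating that the fix is confined to oils_sql.c (per the summary of changes), so sites know no schema change is involved.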
diff --git a/configure.ac b/configure.ac
index e3e94d8..dc45f90 100644
--- a/configure.ac
+++ b/configure.ac
@@ -20,8 +20,8 @@
 
 export PATH=${PATH}:/usr/sbin
 AC_PREREQ(2.61)
-AC_INIT(Open-ILS, 2.1.5, open-ils-dev at list.georgialibraries.org)
-AM_INIT_AUTOMAKE([OpenILS], [2.1.5])
+AC_INIT(Open-ILS, 2.1.6, open-ils-dev at list.georgialibraries.org)
+AM_INIT_AUTOMAKE([OpenILS], [2.1.6])
 AC_REVISION($Revision: 0.1 $)
 AC_CONFIG_SRCDIR([configure.ac])
 AC_PREFIX_DEFAULT([/openils/])

commit 8c00f551d54cf69ee401ba4961bba4bdfef4b7dc
Author: Dan Scott <dscott at laurentian.ca>
Date:   Fri Apr 5 01:53:55 2013 -0400

    Prevent compiler warning about unused numtype var
    
    There was a dangling variable left around that was making noise in the
    compiler. Credit to Jeff Godin for the heads-up.
    
    Signed-off-by: Dan Scott <dscott at laurentian.ca>
    Signed-off-by: Bill Erickson <berick at esilibrary.com>
    Signed-off-by: Galen Charlton <gmc at esilibrary.com>

diff --git a/Open-ILS/src/c-apps/oils_sql.c b/Open-ILS/src/c-apps/oils_sql.c
index ef270e2..648bba0 100644
--- a/Open-ILS/src/c-apps/oils_sql.c
+++ b/Open-ILS/src/c-apps/oils_sql.c
@@ -2422,9 +2422,8 @@ int doRetrieve( osrfMethodContext* ctx ) {
 */
 static char* jsonNumberToDBString( osrfHash* field, const jsonObject* value ) {
 	growing_buffer* val_buf = buffer_init( 32 );
-	const char* numtype = get_datatype( field );
 
-    // If the value is a number and the DB field is numeric, no quotes needed
+	// If the value is a number and the DB field is numeric, no quotes needed
 	if( value->type == JSON_NUMBER && !strcmp( get_primitive( field ), "number") ) {
 		buffer_fadd( val_buf, jsonObjectGetString( value ) );
 	} else {

commit 0aaec933cce3d53638cce0754825521478719095
Author: Mike Rylander <mrylander at gmail.com>
Date:   Fri Apr 5 01:52:16 2013 -0400

    Address SQL injection vulnerability in SQL ORM layer
    
    If the user-supplied value and the db column are both numbers
    (jsonObject->type == JSON_NUMBER, get_primitive(field) == "number") then
    don't quote. Otherwise, quote.
    
    Signed-off-by: Mike Rylander <mrylander at gmail.com>
    Signed-off-by: Dan Scott <dscott at laurentian.ca>
    Signed-off-by: Bill Erickson <berick at esilibrary.com>
    Signed-off-by: Galen Charlton <gmc at esilibrary.com>

diff --git a/Open-ILS/src/c-apps/oils_sql.c b/Open-ILS/src/c-apps/oils_sql.c
index d611439..ef270e2 100644
--- a/Open-ILS/src/c-apps/oils_sql.c
+++ b/Open-ILS/src/c-apps/oils_sql.c
@@ -2414,8 +2414,7 @@ int doRetrieve( osrfMethodContext* ctx ) {
 	@return Pointer to a newly allocated string.
 
 	The input object is typically a JSON_NUMBER, but it may be a JSON_STRING as long as
-	its contents are numeric.  A non-numeric string is likely to result in invalid SQL,
-	or (what is worse) valid SQL that is wrong.
+	its contents are numeric.  A non-numeric string is likely to result in invalid SQL.
 
 	If the datatype of the receiving field is not numeric, wrap the value in quotes.
 
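Review bot: the surviving sentence at the top of this hunk ("it may be a JSON_STRING as long as its contents are numeric") and the line below it ("If the datatype of the receiving field is not numeric, wrap the value in quotes") no longer describe the code: after the change in the next hunk a JSON_STRING is always quoted, whatever the field's datatype, and only a JSON_NUMBER destined for a "number" primitive is emitted bare. Suggest rewording the comment to state that rule, so it does not invite a future contributor to reintroduce the unquoted string path this patch removes.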
@@ -2425,22 +2424,9 @@ static char* jsonNumberToDBString( osrfHash* field, const jsonObject* value ) {
 	growing_buffer* val_buf = buffer_init( 32 );
 	const char* numtype = get_datatype( field );
 
-	// For historical reasons the following contains cruft that could be cleaned up.
-	if( !strncmp( numtype, "INT", 3 ) ) {
-		if( value->type == JSON_NUMBER )
-			//buffer_fadd( val_buf, "%ld", (long)jsonObjectGetNumber(value) );
-			buffer_fadd( val_buf, jsonObjectGetString( value ) );
-		else {
-			buffer_fadd( val_buf, jsonObjectGetString( value ) );
-		}
-
-	} else if( !strcmp( numtype, "NUMERIC" )) {
-		if( value->type == JSON_NUMBER )
-			buffer_fadd( val_buf, jsonObjectGetString( value ));
-		else {
-			buffer_fadd( val_buf, jsonObjectGetString( value ));
-		}
-
+    // If the value is a number and the DB field is numeric, no quotes needed
+	if( value->type == JSON_NUMBER && !strcmp( get_primitive( field ), "number") ) {
+		buffer_fadd( val_buf, jsonObjectGetString( value ) );
 	} else {
 		// Presumably this was really intended to be a string, so quote it
 		char* str = jsonObjectToSimpleString( value );
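Review bot: the unquoted branch still emits jsonObjectGetString( value ) verbatim, so its safety rests entirely on the JSON parser never producing a JSON_NUMBER whose string form is anything but a numeric literal; that invariant should be stated in the new comment, and a cheap belt-and-braces check (accept only digits, sign, decimal point and exponent before interpolating) would keep the function safe even if a caller builds a JSON_NUMBER by hand. Two smaller points: `numtype` (kept at the top of the hunk) loses its only uses with the removed INT/NUMERIC branches and becomes an unused variable, and the new comment line is indented with spaces where the surrounding code uses tabs; both are fixed in the follow-up commit 8c00f551 and could have been folded into this one. The hunk ends before the quoting branch, so this review cannot see whether that path escapes embedded single quotes as well as wrapping the value; worth confirming, since quoting without escaping would leave the string path injectable too.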

-----------------------------------------------------------------------

Summary of changes:
 ChangeLog                                        |  112 +++++-----------------
 Open-ILS/src/c-apps/oils_sql.c                   |   23 +----
 Open-ILS/src/perlmods/lib/OpenILS/Application.pm |    2 +-
 Open-ILS/src/sql/Pg/002.schema.config.sql        |    2 +-
 README                                           |    8 +-
 RELEASE_NOTES.txt                                |    8 ++
 configure.ac                                     |    4 +-
 7 files changed, 44 insertions(+), 115 deletions(-)


hooks/post-receive
-- 
Evergreen ILS

