[open-ils-commits] [GIT] Evergreen ILS branch rel_2_3 updated. 311e538e9ab59f92363c8d1fe28258f1005e1b00

Evergreen Git git at git.evergreen-ils.org
Wed Apr 17 15:46:26 EDT 2013 

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "Evergreen ILS".

The branch, rel_2_3 has been updated
       via  311e538e9ab59f92363c8d1fe28258f1005e1b00 (commit)
       via  b2b0c4603e493e38b79cadae347b756a4d5d90a0 (commit)
      from  432cab084e7dc92b10091e1a98925975bc7b360e (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 311e538e9ab59f92363c8d1fe28258f1005e1b00
Author: Dan Scott <dscott at laurentian.ca>
Date:   Fri Apr 5 01:53:55 2013 -0400

    Prevent compiler warning about unused numtype var
    
    There was a dangling variable left around that was making noise in the
    compiler. Credit to Jeff Godin for the heads-up.
    
    Signed-off-by: Dan Scott <dscott at laurentian.ca>
    Signed-off-by: Bill Erickson <berick at esilibrary.com>

diff --git a/Open-ILS/src/c-apps/oils_sql.c b/Open-ILS/src/c-apps/oils_sql.c
index 0c9712d..5e695e1 100644
--- a/Open-ILS/src/c-apps/oils_sql.c
+++ b/Open-ILS/src/c-apps/oils_sql.c
@@ -2468,9 +2468,8 @@ int doRetrieve( osrfMethodContext* ctx ) {
 */
 static char* jsonNumberToDBString( osrfHash* field, const jsonObject* value ) {
 	growing_buffer* val_buf = buffer_init( 32 );
-	const char* numtype = get_datatype( field );
 
-    // If the value is a number and the DB field is numeric, no quotes needed
+	// If the value is a number and the DB field is numeric, no quotes needed
 	if( value->type == JSON_NUMBER && !strcmp( get_primitive( field ), "number") ) {
 		buffer_fadd( val_buf, jsonObjectGetString( value ) );
 	} else {

commit b2b0c4603e493e38b79cadae347b756a4d5d90a0
Author: Mike Rylander <mrylander at gmail.com>
Date:   Fri Apr 5 01:52:16 2013 -0400

    Address SQL injection vulnerability in SQL ORM layer
    
    If the user-supplied value and the db column are both numbers
    (jsonObject->type == JSON_NUMBER, get_primitive(field) == "number") then
    don't quote. Otherwise, quote.
    
    Signed-off-by: Mike Rylander <mrylander at gmail.com>
    Signed-off-by: Dan Scott <dscott at laurentian.ca>
    Signed-off-by: Bill Erickson <berick at esilibrary.com>

diff --git a/Open-ILS/src/c-apps/oils_sql.c b/Open-ILS/src/c-apps/oils_sql.c
index fb19c72..0c9712d 100644
--- a/Open-ILS/src/c-apps/oils_sql.c
+++ b/Open-ILS/src/c-apps/oils_sql.c
@@ -2460,8 +2460,7 @@ int doRetrieve( osrfMethodContext* ctx ) {
 	@return Pointer to a newly allocated string.
 
 	The input object is typically a JSON_NUMBER, but it may be a JSON_STRING as long as
-	its contents are numeric.  A non-numeric string is likely to result in invalid SQL,
-	or (what is worse) valid SQL that is wrong.
+	its contents are numeric.  A non-numeric string is likely to result in invalid SQL.
 
 	If the datatype of the receiving field is not numeric, wrap the value in quotes.
 
@@ -2471,22 +2470,9 @@ static char* jsonNumberToDBString( osrfHash* field, const jsonObject* value ) {
 	growing_buffer* val_buf = buffer_init( 32 );
 	const char* numtype = get_datatype( field );
 
-	// For historical reasons the following contains cruft that could be cleaned up.
-	if( !strncmp( numtype, "INT", 3 ) ) {
-		if( value->type == JSON_NUMBER )
-			//buffer_fadd( val_buf, "%ld", (long)jsonObjectGetNumber(value) );
-			buffer_fadd( val_buf, jsonObjectGetString( value ) );
-		else {
-			buffer_fadd( val_buf, jsonObjectGetString( value ) );
-		}
-
-	} else if( !strcmp( numtype, "NUMERIC" )) {
-		if( value->type == JSON_NUMBER )
-			buffer_fadd( val_buf, jsonObjectGetString( value ));
-		else {
-			buffer_fadd( val_buf, jsonObjectGetString( value ));
-		}
-
+    // If the value is a number and the DB field is numeric, no quotes needed
+	if( value->type == JSON_NUMBER && !strcmp( get_primitive( field ), "number") ) {
+		buffer_fadd( val_buf, jsonObjectGetString( value ) );
 	} else {
 		// Presumably this was really intended to be a string, so quote it
 		char* str = jsonObjectToSimpleString( value );

-----------------------------------------------------------------------

Summary of changes:
 Open-ILS/src/c-apps/oils_sql.c |   23 ++++-------------------
 1 files changed, 4 insertions(+), 19 deletions(-)


hooks/post-receive
-- 
Evergreen ILS

More information about the open-ils-commits mailing list