[open-ils-commits] [GIT] Evergreen ILS branch master updated. 4f1549c263dd94724f205d710158fc20d13da058

Evergreen Git git at git.evergreen-ils.org
Wed Apr 17 15:56:56 EDT 2013


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "Evergreen ILS".

The branch, master has been updated
       via  4f1549c263dd94724f205d710158fc20d13da058 (commit)
       via  34c0a980a1a17b1d1649ede361533a9bcfc6e020 (commit)
      from  bfce3c12aac881209093dbf4ce30c084329e3a19 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 4f1549c263dd94724f205d710158fc20d13da058
Author: Dan Scott <dscott at laurentian.ca>
Date:   Fri Apr 5 01:53:55 2013 -0400

    Prevent compiler warning about unused numtype var
    
    There was a dangling variable left around that was making noise in the
    compiler. Credit to Jeff Godin for the heads-up.
    
    Signed-off-by: Dan Scott <dscott at laurentian.ca>
    Signed-off-by: Mike Rylander <mrylander at gmail.com>

diff --git a/Open-ILS/src/c-apps/oils_sql.c b/Open-ILS/src/c-apps/oils_sql.c
index ea614e1..eb3f48b 100644
--- a/Open-ILS/src/c-apps/oils_sql.c
+++ b/Open-ILS/src/c-apps/oils_sql.c
@@ -2468,9 +2468,8 @@ int doRetrieve( osrfMethodContext* ctx ) {
 */
 static char* jsonNumberToDBString( osrfHash* field, const jsonObject* value ) {
 	growing_buffer* val_buf = buffer_init( 32 );
-	const char* numtype = get_datatype( field );
 
-    // If the value is a number and the DB field is numeric, no quotes needed
+	// If the value is a number and the DB field is numeric, no quotes needed
 	if( value->type == JSON_NUMBER && !strcmp( get_primitive( field ), "number") ) {
 		buffer_fadd( val_buf, jsonObjectGetString( value ) );
 	} else {
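Review bot: the second changed line in this hunk is indentation only (the comment's leading spaces become a tab, matching the surrounding lines), bundled into a commit whose stated purpose is silencing the unused-variable warning; keeping whitespace fixes out of a one-line functional change makes `git blame` on the security fix below easier to follow. Dropping `numtype` also drops the `get_datatype( field )` call, which is fine as long as that function has no side effects the caller relied on; nothing in the visible lines suggests it does.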

commit 34c0a980a1a17b1d1649ede361533a9bcfc6e020
Author: Mike Rylander <mrylander at gmail.com>
Date:   Fri Apr 5 01:52:16 2013 -0400

    Address SQL injection vulnerability in SQL ORM layer
    
    If the user-supplied value and the db column are both numbers
    (jsonObject->type == JSON_NUMBER, get_primitive(field) == "number") then
    don't quote. Otherwise, quote.
    
    Signed-off-by: Mike Rylander <mrylander at gmail.com>
    Signed-off-by: Dan Scott <dscott at laurentian.ca>
    Signed-off-by: Mike Rylander <mrylander at gmail.com>

diff --git a/Open-ILS/src/c-apps/oils_sql.c b/Open-ILS/src/c-apps/oils_sql.c
index c67362b..ea614e1 100644
--- a/Open-ILS/src/c-apps/oils_sql.c
+++ b/Open-ILS/src/c-apps/oils_sql.c
@@ -2460,8 +2460,7 @@ int doRetrieve( osrfMethodContext* ctx ) {
 	@return Pointer to a newly allocated string.
 
 	The input object is typically a JSON_NUMBER, but it may be a JSON_STRING as long as
-	its contents are numeric.  A non-numeric string is likely to result in invalid SQL,
-	or (what is worse) valid SQL that is wrong.
+	its contents are numeric.  A non-numeric string is likely to result in invalid SQL.
 
 	If the datatype of the receiving field is not numeric, wrap the value in quotes.
 
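Review bot: the retained sentence "it may be a JSON_STRING as long as its contents are numeric" no longer describes the new behaviour, since the rewritten function quotes every value whose type is not JSON_NUMBER, numeric-looking strings included; only the warning about wrong-but-valid SQL was removed. Suggest rewording the doc block to say that a JSON_STRING is always emitted quoted, and that only a JSON_NUMBER destined for a field whose primitive type is "number" is emitted bare, so the comment matches the condition introduced in the next hunk.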
@@ -2471,22 +2470,9 @@ static char* jsonNumberToDBString( osrfHash* field, const jsonObject* value ) {
 	growing_buffer* val_buf = buffer_init( 32 );
 	const char* numtype = get_datatype( field );
 
-	// For historical reasons the following contains cruft that could be cleaned up.
-	if( !strncmp( numtype, "INT", 3 ) ) {
-		if( value->type == JSON_NUMBER )
-			//buffer_fadd( val_buf, "%ld", (long)jsonObjectGetNumber(value) );
-			buffer_fadd( val_buf, jsonObjectGetString( value ) );
-		else {
-			buffer_fadd( val_buf, jsonObjectGetString( value ) );
-		}
-
-	} else if( !strcmp( numtype, "NUMERIC" )) {
-		if( value->type == JSON_NUMBER )
-			buffer_fadd( val_buf, jsonObjectGetString( value ));
-		else {
-			buffer_fadd( val_buf, jsonObjectGetString( value ));
-		}
-
+    // If the value is a number and the DB field is numeric, no quotes needed
+	if( value->type == JSON_NUMBER && !strcmp( get_primitive( field ), "number") ) {
+		buffer_fadd( val_buf, jsonObjectGetString( value ) );
 	} else {
 		// Presumably this was really intended to be a string, so quote it
 		char* str = jsonObjectToSimpleString( value );
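Review bot: `numtype` at the top of this hunk is left assigned but never read once the `INT`/`NUMERIC` branches are removed, so this commit introduces an unused-variable warning (the follow-up commit in this push removes it; squashing the two would avoid the intermediate warning). Two smaller points on the added lines: the new comment is indented with spaces while the rest of the function uses tabs, and `get_primitive( field )` is passed straight to `strcmp`, so if it can return NULL for a field with no primitive type this dereferences NULL; a guard such as `const char* prim = get_primitive( field ); if( value->type == JSON_NUMBER && prim && !strcmp( prim, "number" ) )` would make the unquoted path fail closed into the quoting branch. The quoting branch itself continues past this hunk; the fix only holds if that path also escapes the string contents before wrapping them in quotes, which reviewers should confirm in the surrounding code.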

-----------------------------------------------------------------------

Summary of changes:
 Open-ILS/src/c-apps/oils_sql.c |   23 ++++-------------------
 1 files changed, 4 insertions(+), 19 deletions(-)


hooks/post-receive
-- 
Evergreen ILS

