[open-ils-commits] [GIT] Evergreen ILS branch rel_2_2 updated. 607028ba527b037cb85c89832678c530292ee174

Evergreen Git git at git.evergreen-ils.org
Wed Apr 17 16:17:35 EDT 2013


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "Evergreen ILS".

The branch, rel_2_2 has been updated
       via  607028ba527b037cb85c89832678c530292ee174 (commit)
       via  c7c13b2fb698bb8fb36c8041e05f4711ef0dc4c1 (commit)
      from  fa462835c2c605fcc0fbe742a1ca1ba3bf18160d (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 607028ba527b037cb85c89832678c530292ee174
Author: Dan Scott <dscott at laurentian.ca>
Date:   Fri Apr 5 01:53:55 2013 -0400

    Prevent compiler warning about unused numtype var
    
    There was a dangling variable left around that was making noise in the
    compiler. Credit to Jeff Godin for the heads-up.
    
    Signed-off-by: Dan Scott <dscott at laurentian.ca>
    Signed-off-by: Mike Rylander <mrylander at gmail.com>

diff --git a/Open-ILS/src/c-apps/oils_sql.c b/Open-ILS/src/c-apps/oils_sql.c
index ea614e1..eb3f48b 100644
--- a/Open-ILS/src/c-apps/oils_sql.c
+++ b/Open-ILS/src/c-apps/oils_sql.c
@@ -2468,9 +2468,8 @@ int doRetrieve( osrfMethodContext* ctx ) {
 */
 static char* jsonNumberToDBString( osrfHash* field, const jsonObject* value ) {
 	growing_buffer* val_buf = buffer_init( 32 );
-	const char* numtype = get_datatype( field );
 
-    // If the value is a number and the DB field is numeric, no quotes needed
+	// If the value is a number and the DB field is numeric, no quotes needed
 	if( value->type == JSON_NUMBER && !strcmp( get_primitive( field ), "number") ) {
 		buffer_fadd( val_buf, jsonObjectGetString( value ) );
 	} else {
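Review bot: Dropping `numtype` leaves `get_primitive( field )` as the only type check this function makes, so the doc comment above it ("If the datatype of the receiving field is not numeric, wrap the value in quotes") now describes a test on the field's primitive type rather than on `get_datatype`; worth rewording that sentence in the same change. The tab-for-spaces fix on the `// If the value is a number ...` comment line is unrelated cleanup bundled in, harmless but better called out in the commit message.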

commit c7c13b2fb698bb8fb36c8041e05f4711ef0dc4c1
Author: Mike Rylander <mrylander at gmail.com>
Date:   Fri Apr 5 01:52:16 2013 -0400

    Address SQL injection vulnerability in SQL ORM layer
    
    If the user-supplied value and the db column are both numbers
    (jsonObject->type == JSON_NUMBER, get_primitive(field) == "number") then
    don't quote. Otherwise, quote.
    
    Signed-off-by: Mike Rylander <mrylander at gmail.com>
    Signed-off-by: Dan Scott <dscott at laurentian.ca>
    Signed-off-by: Mike Rylander <mrylander at gmail.com>

diff --git a/Open-ILS/src/c-apps/oils_sql.c b/Open-ILS/src/c-apps/oils_sql.c
index c67362b..ea614e1 100644
--- a/Open-ILS/src/c-apps/oils_sql.c
+++ b/Open-ILS/src/c-apps/oils_sql.c
@@ -2460,8 +2460,7 @@ int doRetrieve( osrfMethodContext* ctx ) {
 	@return Pointer to a newly allocated string.
 
 	The input object is typically a JSON_NUMBER, but it may be a JSON_STRING as long as
-	its contents are numeric.  A non-numeric string is likely to result in invalid SQL,
-	or (what is worse) valid SQL that is wrong.
+	its contents are numeric.  A non-numeric string is likely to result in invalid SQL.
 
 	If the datatype of the receiving field is not numeric, wrap the value in quotes.
 
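Review bot: The retained doc text still says a JSON_STRING is accepted "as long as its contents are numeric", but the new function body quotes every value that is not a JSON_NUMBER regardless of its contents, so the surviving sentence about a non-numeric string producing invalid SQL is stale: such a string is now emitted as a quoted literal, not raw. Suggest replacing it with something like "A JSON_STRING is always quoted, whatever its contents; only a JSON_NUMBER bound for a numeric field is emitted unquoted."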
@@ -2471,22 +2470,9 @@ static char* jsonNumberToDBString( osrfHash* field, const jsonObject* value ) {
 	growing_buffer* val_buf = buffer_init( 32 );
 	const char* numtype = get_datatype( field );
 
-	// For historical reasons the following contains cruft that could be cleaned up.
-	if( !strncmp( numtype, "INT", 3 ) ) {
-		if( value->type == JSON_NUMBER )
-			//buffer_fadd( val_buf, "%ld", (long)jsonObjectGetNumber(value) );
-			buffer_fadd( val_buf, jsonObjectGetString( value ) );
-		else {
-			buffer_fadd( val_buf, jsonObjectGetString( value ) );
-		}
-
-	} else if( !strcmp( numtype, "NUMERIC" )) {
-		if( value->type == JSON_NUMBER )
-			buffer_fadd( val_buf, jsonObjectGetString( value ));
-		else {
-			buffer_fadd( val_buf, jsonObjectGetString( value ));
-		}
-
+    // If the value is a number and the DB field is numeric, no quotes needed
+	if( value->type == JSON_NUMBER && !strcmp( get_primitive( field ), "number") ) {
+		buffer_fadd( val_buf, jsonObjectGetString( value ) );
 	} else {
 		// Presumably this was really intended to be a string, so quote it
 		char* str = jsonObjectToSimpleString( value );
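Review bot: The `const char* numtype = get_datatype( field );` line kept above the deleted block is now dead, since both `strncmp( numtype, "INT", 3 )` and `strcmp( numtype, "NUMERIC" )` are removed; drop it here rather than in a follow-up (the other commit in this push does exactly that). The replacement condition is the right fix for the injection: the old INT/NUMERIC branches wrote `jsonObjectGetString( value )` into the SQL unquoted for a JSON_STRING as well as a JSON_NUMBER, so string contents reached the query verbatim, and requiring `value->type == JSON_NUMBER` together with a "number" primitive before skipping quotes closes that. Two smaller points: the new comment line is indented with spaces where the surrounding code uses tabs, and the hunk does not show what the quoting path does with embedded quote characters in `str`, which is worth confirming now that every non-number goes through it.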

-----------------------------------------------------------------------

Summary of changes:
 Open-ILS/src/c-apps/oils_sql.c |   23 ++++-------------------
 1 files changed, 4 insertions(+), 19 deletions(-)


hooks/post-receive
-- 
Evergreen ILS
