When a JSON query refers to a column qualified by a table alias using
authorscottmk <scottmk@dcc99617-32d9-48b4-a31d-7c20da2025e4>
Fri, 31 Jul 2009 02:58:23 +0000 (02:58 +0000)
committerscottmk <scottmk@dcc99617-32d9-48b4-a31d-7c20da2025e4>
Fri, 31 Jul 2009 02:58:23 +0000 (02:58 +0000)
the plus-class trick (e.g. "+aou":"opac_visible"): verify that the
column belongs to the indicated class.  If it doesn't, return an error.

git-svn-id: svn://svn.open-ils.org/ILS/trunk@13786 dcc99617-32d9-48b4-a31d-7c20da2025e4

Open-ILS/src/c-apps/oils_cstore.c

index 2f6b4fc..f557f38 100644 (file)
@@ -2627,8 +2627,22 @@ static char* searchWHERE ( const jsonObject* search_hash, const ClassInfo* class
                                }
 
                                if ( node->type == JSON_STRING ) {
-                                       // It's the name of a column
-                                       buffer_fadd(sql_buf, " \"%s\".%s ", alias_info->alias, jsonObjectGetString( node ) );
+                                       // It's the name of a column; make sure it belongs to the class
+                                       const char* fieldname = jsonObjectGetString( node );
+                                       if( ! osrfHashGet( alias_info->fields, fieldname ) ) {
+                                               osrfLogError(
+                                                       OSRF_LOG_MARK,
+                                                       "%s: Invalid column name \"%s\" in WHERE clause for table alias \"%s\"",
+                                                       MODULENAME,
+                                                       fieldname,
+                                                       alias_info->alias
+                                               );
+                                               jsonIteratorFree( search_itr );
+                                               buffer_free( sql_buf );
+                                               return NULL;
+                                       }
+
+                                       buffer_fadd(sql_buf, " \"%s\".%s ", alias_info->alias, fieldname );
                                } else {
                                        // It's something more complicated
                                        char* subpred = searchWHERE( node, alias_info, AND_OP_JOIN, ctx );
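Review bot: The new lookup `osrfHashGet( alias_info->fields, fieldname )` uses a string taken straight from the JSON query as the hash key, and the declaration of osrfHashGet is not visible in this hunk. If it is a variadic, printf-style function in this tree (worth confirming in osrf_hash.h), a `%` in the name would be read as a conversion specifier, and `osrfHashGet( alias_info->fields, "%s", fieldname )` would avoid that. The rejected name is also written verbatim into the error log, so consider stripping or escaping control characters before logging it. Because the column is emitted unquoted by `" \"%s\".%s "`, this lookup is the only thing keeping caller text out of the SQL, and the comment should say so, e.g. `// Column is emitted unquoted below; this lookup is the only guard against injected SQL text`. searchWHERE starts and ends outside the hunk, so whether `alias_info->fields` can be NULL here cannot be judged from these lines.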
@@ -3355,7 +3369,6 @@ char* SELECT (
        if (from_function) table = searchValueTransform(join_hash);
        else table = strdup( curr_query->core.source_def );
 
-
        if( !table ) {
                if (ctx)
                        osrfAppSessionStatus(