From: Mike Rylander
Date: Fri, 5 Apr 2013 05:52:16 +0000 (-0400)
Subject: Address SQL injection vulnerability in SQL ORM layer
X-Git-Url: https://old-git.evergreen-ils.org/?a=commitdiff_plain;h=29304fa2b5481c73c990ff0db8c9f22f4a9ccd28;p=evergreen%2Fequinox.git

Address SQL injection vulnerability in SQL ORM layer

If the user-supplied value and the db column are both numbers (jsonObject->type == JSON_NUMBER, get_primitive(field) == "number") then don't quote. Otherwise, quote.

Signed-off-by: Mike Rylander
Signed-off-by: Dan Scott
Signed-off-by: Bill Erickson
---
diff --git a/Open-ILS/src/c-apps/oils_sql.c b/Open-ILS/src/c-apps/oils_sql.c
index fb19c721e0..0c9712d0c1 100644
--- a/Open-ILS/src/c-apps/oils_sql.c
+++ b/Open-ILS/src/c-apps/oils_sql.c
@@ -2460,8 +2460,7 @@ int doRetrieve( osrfMethodContext* ctx ) {
 @return Pointer to a newly allocated string.
 The input object is typically a JSON_NUMBER, but it may be a JSON_STRING as long as
- its contents are numeric. A non-numeric string is likely to result in invalid SQL,
- or (what is worse) valid SQL that is wrong.
+ its contents are numeric. A non-numeric string is likely to result in invalid SQL.
 If the datatype of the receiving field is not numeric, wrap the value in quotes.
@@ -2471,22 +2470,9 @@ static char* jsonNumberToDBString( osrfHash* field, const jsonObject* value ) {
 growing_buffer* val_buf = buffer_init( 32 );
 const char* numtype = get_datatype( field );
- // For historical reasons the following contains cruft that could be cleaned up.
- if( !strncmp( numtype, "INT", 3 ) ) {
- if( value->type == JSON_NUMBER )
- //buffer_fadd( val_buf, "%ld", (long)jsonObjectGetNumber(value) );
- buffer_fadd( val_buf, jsonObjectGetString( value ) );
- else {
- buffer_fadd( val_buf, jsonObjectGetString( value ) );
- }
-
- } else if( !strcmp( numtype, "NUMERIC" )) {
- if( value->type == JSON_NUMBER )
- buffer_fadd( val_buf, jsonObjectGetString( value ));
- else {
- buffer_fadd( val_buf, jsonObjectGetString( value ));
- }
-
+ // If the value is a number and the DB field is numeric, no quotes needed
+ if( value->type == JSON_NUMBER && !strcmp( get_primitive( field ), "number") ) {
+ buffer_fadd( val_buf, jsonObjectGetString( value ) );
 } else {
 // Presumably this was really intended to be a string, so quote it
 char* str = jsonObjectToSimpleString( value );
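Review bot: The retained `buffer_fadd( val_buf, jsonObjectGetString( value ) )` in the new numeric branch still passes the value's own text as buffer_fadd's format string (the deleted commented-out `buffer_fadd( val_buf, "%ld", ... )` shows the second argument is a printf-style format), so the branch relies entirely on the JSON_NUMBER check to keep `%` out of that string; `buffer_fadd( val_buf, "%s", jsonObjectGetString( value ) );` makes the copy unconditional on upstream validation. After this change `numtype` appears only in deleted lines, so unless it is referenced further down the function it is now an unused local and `get_datatype( field )` a dead call that should go with it. Whether `get_primitive( field )` can return NULL is not visible in the hunk; if it can, the `strcmp` needs a guard such as `const char* prim = get_primitive( field ); if( value->type == JSON_NUMBER && prim && !strcmp( prim, "number" ) )`. jsonNumberToDBString continues past the end of the hunk, so the quoting in the else branch is not reviewed here.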