From 4cfa03d9cfa4742120b41f194fe5896597057783 Mon Sep 17 00:00:00 2001
From: dbs
Date: Fri, 18 Jun 2010 04:46:20 +0000
Subject: [PATCH] Backport security fix r16747 from trunk

1. Disable fleshing for PCRUD. Otherwise fleshing would provide a back door whereby a user could see stuff he has no permission to see.

2. For the id_list method: strip out the "flesh_fields" entry, not the "flesh_columns" entry (which doesn't exist). This actually makes no difference, but if we're going to do something useless, we might as well do it right.

git-svn-id: svn://svn.open-ils.org/ILS/branches/rel_1_6@16748 dcc99617-32d9-48b4-a31d-7c20da2025e4
---
 Open-ILS/src/c-apps/oils_cstore.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/Open-ILS/src/c-apps/oils_cstore.c b/Open-ILS/src/c-apps/oils_cstore.c
index d78a7137ac..e3ddf759f3 100644
--- a/Open-ILS/src/c-apps/oils_cstore.c
+++ b/Open-ILS/src/c-apps/oils_cstore.c
@@ -94,6 +94,12 @@ static dbi_conn dbhandle; /* our CURRENT db connection */
 static jsonObject* jsonNULL = NULL; //
 static int max_flesh_depth = 100;
 
+#ifdef PCRUD
+static int enforce_pcrud = 1; // Boolean
+#else
+static int enforce_pcrud = 0; // Boolean
+#endif
+
 /* called when this process is about to exit */
 void osrfAppChildExit() {
 osrfLogDebug(OSRF_LOG_MARK, "Child is exiting, disconnecting from database...");
@@ -804,7 +810,7 @@ int dispatchCRUDMethod ( osrfMethodContext* ctx ) {
 jsonObjectRemoveKey( jsonObjectGetIndex( _p, 1 ), "select" );
 jsonObjectRemoveKey( jsonObjectGetIndex( _p, 1 ), "no_i18n" );
 jsonObjectRemoveKey( jsonObjectGetIndex( _p, 1 ), "flesh" );
-jsonObjectRemoveKey( jsonObjectGetIndex( _p, 1 ), "flesh_columns" );
+jsonObjectRemoveKey( jsonObjectGetIndex( _p, 1 ), "flesh_fields" );
 } else {
 jsonObjectSetIndex( _p, 1, jsonNewObjectType(JSON_HASH) );
 }
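Review bot: `enforce_pcrud` is a file-scope mutable `int` that gates a permission-relevant decision, yet its value is fixed at compile time by the `#ifdef PCRUD` block and nothing in this hunk suggests it changes at runtime; unless some other code path assigns it, declaring it `static const int enforce_pcrud = 1;` (and `= 0;` in the `#else` branch) rules out accidental mutation and lets the compiler fold the check. The `// Boolean` comment on both definitions says nothing about what the flag controls; replacing it with `// nonzero in PCRUD builds: permission checks are enforced and flesh requests are refused` documents the intent the commit message describes. The definition is self-contained within the hunk; the surrounding `osrfAppChildExit` body continues outside it.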
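Review bot: The id_list branch strips "select", "no_i18n", "flesh" and now "flesh_fields" from the second argument with no comment explaining why these keys in particular are removed, and the commit message itself notes the removal makes no observable difference, so a future reader has no way to tell whether the list is exhaustive or load-bearing. A one-line comment above the first `jsonObjectRemoveKey` such as `// id_list ignores result shaping; drop select/flesh options so they cannot influence the query` would record the intent; if the set of flesh-related keys honored elsewhere in the file differs from these two, that should be confirmed against the fleshing code rather than assumed. The enclosing `dispatchCRUDMethod` body starts and ends outside the hunk.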
@@ -4271,7 +4277,7 @@ static jsonObject* doFieldmapperSearch ( osrfMethodContext* ctx, osrfHash* meta,
 dbi_result_free(result);
 free(sql);
 
-if (res_list->size && order_hash) {
+if (res_list->size && order_hash && ! enforce_pcrud) {
 _tmp = jsonObjectGetKeyConst( order_hash, "flesh" );
 if (_tmp) {
 int x = (int)jsonObjectGetNumber(_tmp);
--
2.11.0
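Review bot: With `! enforce_pcrud` added to the guard, a PCRUD caller that supplies a "flesh" key in `order_hash` gets unfleshed results back with no log entry, so a client attempting to reach objects it lacks permission for, or a legitimate client whose request silently degraded, both leave no trace; adding before the guard `if (enforce_pcrud && order_hash && jsonObjectGetKeyConst( order_hash, "flesh" ))` followed by `osrfLogWarning(OSRF_LOG_MARK, "Ignoring flesh request: fleshing is disabled under PCRUD");` makes the refusal observable to operators. A short why-comment on the guard itself, `// Under PCRUD fleshing is refused: fleshed objects would bypass per-class permission checks`, would keep the reason next to the condition rather than only in the commit message. The `! enforce_pcrud` spacing differs from the rest of the condition; `!enforce_pcrud` is the usual form. The enclosing `doFieldmapperSearch` body starts and ends outside the hunk.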