From 563f37cda24c80e17a615d2987890b01aa397dd9 Mon Sep 17 00:00:00 2001
From: scottmk
Date: Fri, 20 Mar 2009 18:55:48 +0000
Subject: [PATCH] In oils_cstore.c: further tightening input validation.
1. In searchValueTransform(): make sure that the JSON_ARRAY received as a parameter is not empty.
2. In searchFunctionPredicate(): make sure that the operator received as a parameter is acceptable, i.e. it isn't an opportunity for SQL injection.
Also: changed a parameter name "node_key" to the more descriptive "op".
git-svn-id: svn://svn.open-ils.org/ILS/trunk@12632 dcc99617-32d9-48b4-a31d-7c20da2025e4
---
 Open-ILS/src/c-apps/oils_cstore.c | 25 ++++++++++++++++---------
 1 file changed, 16 insertions(+), 9 deletions(-)
diff --git a/Open-ILS/src/c-apps/oils_cstore.c b/Open-ILS/src/c-apps/oils_cstore.c
index 162f1c1df5..379c24ccb3 100644
--- a/Open-ILS/src/c-apps/oils_cstore.c
+++ b/Open-ILS/src/c-apps/oils_cstore.c
@@ -1749,16 +1749,18 @@ static char* searchINPredicate (const char* class, osrfHash* field,
 // Receive a JSON_ARRAY representing a function call. The first
 // entry in the array is the function name. The rest are parameters.
 static char* searchValueTransform( const jsonObject* array ) {
+
+ if( array->size < 1 ) {
+ osrfLogError(OSRF_LOG_MARK, "%s: Empty array for value transform", MODULENAME);
+ return NULL;
+ }
+
 growing_buffer* sql_buf = buffer_init(32);
- jsonObject* func_item;
-
 // Get the function name
- if( array->size > 0 ) {
- func_item = jsonObjectGetIndex( array, 0 );
- OSRF_BUFFER_ADD( sql_buf, jsonObjectGetString( func_item ) );
- OSRF_BUFFER_ADD( sql_buf, "( " );
- }
+ jsonObject* func_item = jsonObjectGetIndex( array, 0 );
+ OSRF_BUFFER_ADD( sql_buf, jsonObjectGetString( func_item ) );
+ OSRF_BUFFER_ADD( sql_buf, "( " );
 // Get the parameters
 int func_item_index = 1; // We already grabbed the zeroth entry
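Review bot: The function name taken from index 0 is still appended to `sql_buf` verbatim by `OSRF_BUFFER_ADD( sql_buf, jsonObjectGetString( func_item ) )`; the new emptiness check constrains neither the type nor the content of that element. If the array originates from a client query, as the commit message suggests, this string becomes SQL text, so it should be rejected unless it is a JSON string that reads as a plain, optionally schema-qualified identifier. A first step is to fetch `func_item` before `buffer_init()` (so nothing needs freeing on the error path) and add `if( !func_item || func_item->type != JSON_STRING ) return NULL;` with a matching `osrfLogError` call, followed by an identifier check on the string. The rest of the body, including the parameter handling, lies outside this hunk.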
@@ -1791,8 +1793,13 @@ static char* searchValueTransform( const jsonObject* array ) {
 }
 static char* searchFunctionPredicate (const char* class, osrfHash* field,
- const jsonObject* node, const char* node_key) {
+ const jsonObject* node, const char* op) {
+ if( ! is_good_operator( op ) ) {
+ osrfLogError( OSRF_LOG_MARK, "%s: Invalid operator [%s]", MODULENAME, op );
+ return NULL;
+ }
+
 char* val = searchValueTransform(node);
 if( !val ) return NULL;
@@ -1803,7 +1810,7 @@ static char* searchFunctionPredicate (const char* class, osrfHash* field,
 "\"%s\".%s %s %s",
 class,
 osrfHashGet(field, "name"),
- node_key,
+ op,
 val
 );
--
2.11.0
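Review bot: Nothing at the new guard in searchFunctionPredicate() says why `op` needs validating or what is_good_operator() actually permits; its definition is not part of this patch, so whether it is an allowlist cannot be confirmed from here. Because `op` is placed unquoted between the column name and the value by the `"\"%s\".%s %s %s"` format in the following hunk, this check is the only barrier for that position and deserves a comment such as `// op is spliced unquoted into the SQL text below; only operators accepted by is_good_operator() may pass`. The rejected value is also written to the log verbatim through `[%s]`; if `op` can be NULL or carry control characters the log line becomes unreliable, so a NULL guard and a sanitized or length-limited form would be safer. The function body continues beyond this hunk.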