From 5bf464a4129d557f2d07409592aac3ecab3dc1b3 Mon Sep 17 00:00:00 2001 From: scottmk Date: Fri, 31 Jul 2009 02:58:23 +0000 Subject: [PATCH] When a JSON query refers to a column qualified by a table alias using the plus-class trick (e.g. "+aou":"opac_visible"): verify that the column belongs to the indicated class. If it doesn't, return an error. git-svn-id: svn://svn.open-ils.org/ILS/trunk@13786 dcc99617-32d9-48b4-a31d-7c20da2025e4 --- Open-ILS/src/c-apps/oils_cstore.c | 19 ++++++++++++++++--- 1 file changed, 16 insertions(+), 3 deletions(-) diff --git a/Open-ILS/src/c-apps/oils_cstore.c b/Open-ILS/src/c-apps/oils_cstore.c index 2f6b4fc20a..f557f38727 100644 --- a/Open-ILS/src/c-apps/oils_cstore.c +++ b/Open-ILS/src/c-apps/oils_cstore.c @@ -2627,8 +2627,22 @@ static char* searchWHERE ( const jsonObject* search_hash, const ClassInfo* class } if ( node->type == JSON_STRING ) { - // It's the name of a column - buffer_fadd(sql_buf, " \"%s\".%s ", alias_info->alias, jsonObjectGetString( node ) ); + // It's the name of a column; make sure it belongs to the class + const char* fieldname = jsonObjectGetString( node ); + if( ! osrfHashGet( alias_info->fields, fieldname ) ) { + osrfLogError( + OSRF_LOG_MARK, + "%s: Invalid column name \"%s\" in WHERE clause for table alias \"%s\"", + MODULENAME, + fieldname, + alias_info->alias + ); + jsonIteratorFree( search_itr ); + buffer_free( sql_buf ); + return NULL; + } + + buffer_fadd(sql_buf, " \"%s\".%s ", alias_info->alias, fieldname ); } else { // It's something more complicated char* subpred = searchWHERE( node, alias_info, AND_OP_JOIN, ctx ); @@ -3355,7 +3369,6 @@ char* SELECT ( if (from_function) table = searchValueTransform(join_hash); else table = strdup( curr_query->core.source_def ); - if( !table ) { if (ctx) osrfAppSessionStatus( -- 2.11.0