From c7c13b2fb698bb8fb36c8041e05f4711ef0dc4c1 Mon Sep 17 00:00:00 2001
From: Mike Rylander
Date: Fri, 5 Apr 2013 01:52:16 -0400
Subject: [PATCH] Address SQL injection vulnerability in SQL ORM layer
If the user-supplied value and the db column are both numbers (jsonObject->type == JSON_NUMBER, get_primitive(field) == "number") then don't quote. Otherwise, quote.
Signed-off-by: Mike Rylander
Signed-off-by: Dan Scott
Signed-off-by: Mike Rylander
---
 Open-ILS/src/c-apps/oils_sql.c | 22 ++++------------------
 1 file changed, 4 insertions(+), 18 deletions(-)
diff --git a/Open-ILS/src/c-apps/oils_sql.c b/Open-ILS/src/c-apps/oils_sql.c
index c67362b8c0..ea614e153e 100644
--- a/Open-ILS/src/c-apps/oils_sql.c
+++ b/Open-ILS/src/c-apps/oils_sql.c
@@ -2460,8 +2460,7 @@ int doRetrieve( osrfMethodContext* ctx ) {
 @return Pointer to a newly allocated string. The input object is typically a JSON_NUMBER, but it may be a JSON_STRING as long as
- its contents are numeric. A non-numeric string is likely to result in invalid SQL,
- or (what is worse) valid SQL that is wrong.
+ its contents are numeric. A non-numeric string is likely to result in invalid SQL.
 If the datatype of the receiving field is not numeric, wrap the value in quotes.
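Review bot: The rewritten doc sentence still describes the old contract — the new condition in the body emits a value bare only when it is a JSON_NUMBER and the field's primitive is "number", so a JSON_STRING, numeric or not, now always takes the quoted branch rather than being interpolated. Suggest replacing the "it may be a JSON_STRING as long as its contents are numeric" clause and the trailing sentence with `The value is emitted unquoted only when it is a JSON_NUMBER and the receiving field's primitive type is "number"; any other value (including a numeric JSON_STRING) is quoted.` This comment block belongs to jsonNumberToDBString, whose body is in the following hunk.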
@@ -2471,22 +2470,9 @@ static char* jsonNumberToDBString( osrfHash* field, const jsonObject* value ) {
 growing_buffer* val_buf = buffer_init( 32 );
 const char* numtype = get_datatype( field );
- // For historical reasons the following contains cruft that could be cleaned up.
- if( !strncmp( numtype, "INT", 3 ) ) {
- if( value->type == JSON_NUMBER )
- //buffer_fadd( val_buf, "%ld", (long)jsonObjectGetNumber(value) );
- buffer_fadd( val_buf, jsonObjectGetString( value ) );
- else {
- buffer_fadd( val_buf, jsonObjectGetString( value ) );
- }
-
- } else if( !strcmp( numtype, "NUMERIC" )) {
- if( value->type == JSON_NUMBER )
- buffer_fadd( val_buf, jsonObjectGetString( value ));
- else {
- buffer_fadd( val_buf, jsonObjectGetString( value ));
- }
-
+ // If the value is a number and the DB field is numeric, no quotes needed
+ if( value->type == JSON_NUMBER && !strcmp( get_primitive( field ), "number") ) {
+ buffer_fadd( val_buf, jsonObjectGetString( value ) );
 } else {
 // Presumably this was really intended to be a string, so quote it
 char* str = jsonObjectToSimpleString( value );
-- 
2.43.2
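Review bot: The added `buffer_fadd( val_buf, jsonObjectGetString( value ) );` passes the value's own text as the format argument — the removed, commented-out `buffer_fadd( val_buf, "%ld", ... )` shows the function is printf-style — so any `%` that reached this branch would be parsed as a conversion. The JSON_NUMBER check should keep such text out, but the safe idiom costs nothing and removes the dependence on that invariant: `buffer_fadd( val_buf, "%s", jsonObjectGetString( value ) );`. With the INT/NUMERIC branches gone, `numtype` from the context line above looks unused unless the rest of the function still reads it; if not, the `get_datatype` call can go. `get_primitive( field )` is fed straight to `strcmp`, so should it ever return NULL for a field with missing metadata this would crash instead of falling through to the fail-safe quoted branch — a `get_primitive( field ) &&` guard ahead of the `strcmp` keeps the default. jsonNumberToDBString starts before this hunk and the quoting `else` branch continues past it, so whether the quoted path also escapes embedded quotes cannot be checked here.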