evergreen:tags/rel_2_1_6

Branch merges

Related source package recipes

No recipes using this branch. (?)

Create packaging recipe

Related snap packages

Related charm recipes

a2d24cd... by Galen Charlton on 2013-04-17

commit ChangeLog for 2.1.6

Signed-off-by: Galen Charlton <email address hidden>

778083f... by Galen Charlton on 2013-04-17

bump up version numbers for 2.1.6

Signed-off-by: Galen Charlton <email address hidden>

8c00f55... by Dan Scott <email address hidden> on 2013-04-05

Prevent compiler warning about unused numtype var

There was a dangling variable left around that was making noise in the
compiler. Credit to Jeff Godin for the heads-up.

Signed-off-by: Dan Scott <email address hidden>
Signed-off-by: Bill Erickson <email address hidden>
Signed-off-by: Galen Charlton <email address hidden>

0aaec93... by Mike Rylander on 2013-04-05

Address SQL injection vulnerability in SQL ORM layer

If the user-supplied value and the db column are both numbers
(jsonObject->type == JSON_NUMBER, get_primitive(field) == "number") then
don't quote. Otherwise, quote.

Signed-off-by: Mike Rylander <email address hidden>
Signed-off-by: Dan Scott <email address hidden>
Signed-off-by: Bill Erickson <email address hidden>
Signed-off-by: Galen Charlton <email address hidden>

0253ee1... by Dan Scott <email address hidden> on 2013-01-16

Commit the 2.1.5 changelog

Signed-off-by: Dan Scott <email address hidden>

a3fadc2... by Dan Scott <email address hidden> on 2013-01-16

Bumping version numbers for 2.1.5

Also, add pertinent release notes entry.

Signed-off-by: Dan Scott <email address hidden>

50970f5... by Galen Charlton on 2013-01-15

LP#1098377: protect against even more cstore segfaults

Following up on the preceding patch, passing null
as the savepoint name to savepoint.release and
savepoint.rollback would also segfault cstore.

Signed-off-by: Galen Charlton <email address hidden>
Signed-off-by: Dan Scott <email address hidden>

04c38b5... by Bill Erickson on 2013-01-15

Verify savepoint name is non-null

Before we attempt to mangle the name, let's ensure that it's non-null.
Otherwise, segfaults ensue.

Signed-off-by: Bill Erickson <email address hidden>
Signed-off-by: Galen Charlton <email address hidden>

098a92a... by Dan Scott <email address hidden> on 2013-01-11

Protect against overly long savepoint names

Per http://postgresql.org/docs/9.1/static/sql-syntax-lexical.html#SQL-SYNTAX-IDENTIFIERS,
the maximum identifier length works out to being 63 bytes (+1 for the
null terminator), so to avoid potential memory pressure by a 10GB string
somehow being passed in as the savepoint name, malloc no more than 64
bytes and copy no more than 63 bytes from the incoming name to the
escaped name.

Signed-off-by: Dan Scott <email address hidden>
Signed-off-by: Galen Charlton <email address hidden>

6ec9a53... by Galen Charlton on 2013-01-11

LP#1098377: sanitize savepoint names

When invoking open-ils.{cstore,pcrud,rstore}.savepoint.*, the
caller supplies a name for the savepoint. However, the savepoint
names could be constructed so that the caller could execute
arbitrary SQL. This patch sanitizes the name so that it contains
only alphanumeric and underscore characters.

Signed-off-by: Galen Charlton <email address hidden>
Signed-off-by: Dan Scott <email address hidden>

Conflicts:
 Open-ILS/src/c-apps/oils_sql.c