Address SQL injection vulnerability in SQL ORM layer

If the user-supplied value and the db column are both numbers
(jsonObject->type == JSON_NUMBER, get_primitive(field) == "number") then
don't quote. Otherwise, quote.

Signed-off-by: Mike Rylander <email address hidden>
Signed-off-by: Dan Scott <email address hidden>
Signed-off-by: Bill Erickson <email address hidden>
Signed-off-by: Galen Charlton <email address hidden>

Per http://postgresql.org/docs/9.1/static/sql-syntax-lexical.html#SQL-SYNTAX-IDENTIFIERS,
the maximum identifier length works out to being 63 bytes (+1 for the
null terminator), so to avoid potential memory pressure by a 10GB string
somehow being passed in as the savepoint name, malloc no more than 64
bytes and copy no more than 63 bytes from the incoming name to the
escaped name.

Signed-off-by: Dan Scott <email address hidden>
Signed-off-by: Galen Charlton <email address hidden>

When invoking open-ils.{cstore,pcrud,rstore}.savepoint.*, the
caller supplies a name for the savepoint. However, the savepoint
names could be constructed so that the caller could execute
arbitrary SQL. This patch sanitizes the name so that it contains
only alphanumeric and underscore characters.

Signed-off-by: Galen Charlton <email address hidden>
Signed-off-by: Dan Scott <email address hidden>
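
Added example, not the project's own code: a C sketch of the savepoint-name handling the two commit messages above describe (keep only alphanumerics and underscores, allocate 64 bytes, copy at most 63). The names sanitize_savepoint_name, sp_char_ok and SP_NAME_MAX are hypothetical; dropping rejected characters and returning NULL for an empty result are assumptions, and the sample inputs are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* PostgreSQL identifier limit in bytes, as cited in the commit message. */
#define SP_NAME_MAX 63

/* ASCII-only check. isalnum() is locale-dependent, so the ranges are explicit. */
static int sp_char_ok(unsigned char c) {
    return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
           (c >= '0' && c <= '9') || c == '_';
}

/*
 * Hypothetical helper. Returns a heap-allocated copy of `name` holding only
 * [A-Za-z0-9_]; the caller frees it. Only the first 63 input bytes are read,
 * so the allocation and the work stay bounded however long the input is.
 * Assumption: rejected bytes are dropped, and NULL is returned when nothing
 * usable remains so the caller can refuse the request.
 */
char *sanitize_savepoint_name(const char *name) {
    if (name == NULL) return NULL;

    char *safe = malloc(SP_NAME_MAX + 1);   /* 63 bytes + NUL terminator */
    if (safe == NULL) return NULL;

    size_t out = 0;
    for (size_t i = 0; i < SP_NAME_MAX && name[i] != '\0'; i++) {
        if (sp_char_ok((unsigned char)name[i]))
            safe[out++] = name[i];
    }
    safe[out] = '\0';

    if (out == 0) {          /* nothing usable left: reject */
        free(safe);
        return NULL;
    }
    return safe;
}

int main(void) {
    /* Constructed sample inputs. */
    const char *samples[] = { "sp_1", "sp1; SELECT 1", "; --" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        char *s = sanitize_savepoint_name(samples[i]);
        printf("%-16s -> %s\n", samples[i], s ? s : "(rejected)");
        free(s);
    }
    return 0;
}
```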