merge SQL injection prevention patches into the eclipse-project branch
Commit
0fdb1f4f8f0231954a48ed834a18fa97f3f7b233
Parent
7ba6a72443fce15…
6 files changed
+3
-3
+1
-1
+1
-1
+2
-2
+1
-1
+2
-2
+3
-3
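--- a/src/add.c
+++ b/src/add.c
@@ -93,11 +93,11 @@
     int i;
     const char *z;
     blob_zero(&x);
     for(i=0; (z = fossil_reserved_name(i))!=0; i++){
       if( i>0 ) blob_append(&x, ",", 1);
-      blob_appendf(&x, "'%s'", z);
+      blob_appendf(&x, "'%q'", z);
     }
     zAll = blob_str(&x);
   }
   return zAll;
 }
@@ -507,11 +507,11 @@
 ** The original name of the file is zOrig. The new filename is zNew.
 */
 static void mv_one_file(int vid, const char *zOrig, const char *zNew){
   fossil_print("RENAME %s %s\n", zOrig, zNew);
   db_multi_exec(
-    "UPDATE vfile SET pathname='%s' WHERE pathname='%s' AND vid=%d",
+    "UPDATE vfile SET pathname='%q' WHERE pathname='%q' AND vid=%d",
     zNew, zOrig, vid
   );
 }
 
 /*
@@ -591,11 +591,11 @@
       zTail = file_tail(zPath);
     }else{
       zTail = &zPath[nOrig+1];
     }
     db_multi_exec(
-      "INSERT INTO mv VALUES('%s','%s%s')",
+      "INSERT INTO mv VALUES('%q','%q%q')",
       zPath, blob_str(&dest), zTail
     );
   }
   db_finalize(&q);
 }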
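Review bot: mv_one_file (hunk at 507) prints `RENAME` before issuing the UPDATE and never checks that a row was affected, so a zOrig that is not in vfile for this vid is reported as renamed while nothing changes; unless the callers, which are outside this hunk, already guarantee the row exists, a changes-count check after db_multi_exec along the lines of `if( db_changes()==0 ) fossil_fatal("not under management: %s", zOrig);` (using whatever wrapper the db layer provides around sqlite3_changes) would surface it. The `%q` substitutions themselves are the right fix: they escape the single quote inside an SQL string literal, which `%s` did not, and zOrig/zNew are paths supplied by the user. The `%s` in the fossil_print line is console output rather than SQL and should stay `%s`; a short comment on that line, `/* not SQL: %s is fine here */`, would stop a later sweep from changing it.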
+1
-1
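--- a/src/branch.c
+++ b/src/branch.c
@@ -61,11 +61,11 @@
     fossil_panic("branch name cannot be empty");
   }
   if( db_exists(
        "SELECT 1 FROM tagxref"
        " WHERE tagtype>0"
-       " AND tagid=(SELECT tagid FROM tag WHERE tagname='sym-%s')",
+       " AND tagid=(SELECT tagid FROM tag WHERE tagname='sym-%q')",
        zBranch)!=0 ){
     fossil_fatal("branch \"%s\" already exists", zBranch);
   }
 
   user_select();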
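Review bot: The new `%q` on line 66 closes the quote injection, but nothing in the hunk records why this literal needs it while the `%s` in the fossil_fatal message two lines later does not, and a later "consistency" edit could flip either one; a comment such as `/* zBranch is user-supplied: %q inside the SQL literal; plain %s is correct for the console message */` would pin both. The enclosing function starts and ends outside this hunk, so whether zBranch was already restricted to a safe character set cannot be seen here; if it was not, `%q` is the only thing between a branch name and the query, which is fine as long as it stays.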
+1
-1
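--- a/src/info.c
+++ b/src/info.c
@@ -230,11 +230,11 @@
     "SELECT tag.tagid, tagname, "
     " (SELECT uuid FROM blob WHERE rid=tagxref.srcid AND rid!=%d),"
     " value, datetime(tagxref.mtime,'localtime'), tagtype,"
     " (SELECT uuid FROM blob WHERE rid=tagxref.origid AND rid!=%d)"
     " FROM tagxref JOIN tag ON tagxref.tagid=tag.tagid"
-    " WHERE tagxref.rid=%d AND tagname NOT GLOB '%s'"
+    " WHERE tagxref.rid=%d AND tagname NOT GLOB '%q'"
     " ORDER BY tagname /*sort*/", rid, rid, rid, zNotGlob
   );
   while( db_step(&q)==SQLITE_ROW ){
     const char *zTagname = db_column_text(&q, 1);
     const char *zSrcUuid = db_column_text(&q, 2);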
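Review bot: `%q` on line 235 makes the quoting safe, but zNotGlob is deliberately used as a GLOB pattern, so `*`, `?` and `[...]` in it remain live; a pattern from an untrusted source would widen or narrow the tag list rather than inject SQL, which is a different but still real concern. The enclosing function's header is outside this hunk, so where zNotGlob comes from cannot be confirmed here; its documentation should state the contract, e.g. `** zNotGlob is a GLOB pattern fixed by the caller, never taken from request input.` If any caller does derive it from a request parameter, the metacharacters need escaping or the parameter needs a whitelist.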
+2
-2
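--- a/src/makemake.tcl
+++ b/src/makemake.tcl
@@ -454,16 +454,16 @@
 # chroot jail.
 #
 LIB = -static
 LIB += -lmingwex -lz
 
-# OpenSSL: Add the necessary libaries required, if enabled.
+# OpenSSL: Add the necessary libraries required, if enabled.
 ifdef FOSSIL_ENABLE_SSL
 LIB += -lssl -lcrypto -lgdi32
 endif
 
-# Tcl: Add the necessary libaries required, if enabled.
+# Tcl: Add the necessary libraries required, if enabled.
 ifdef FOSSIL_ENABLE_TCL
 LIB += $(LIBTCL)
 endif
 
 #### These libraries MUST appear in the same order as they do for Tcl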
+1
-1
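--- a/src/tkt.c
+++ b/src/tkt.c
@@ -466,11 +466,11 @@
       }
     }
   }
   if( *(char**)pUuid ){
     zUuid = db_text(0,
-      "SELECT tkt_uuid FROM ticket WHERE tkt_uuid GLOB '%s*'", P("name")
+      "SELECT tkt_uuid FROM ticket WHERE tkt_uuid GLOB '%q*'", P("name")
     );
   }else{
     zUuid = db_text(0, "SELECT lower(hex(randomblob(20)))");
   }
   *(const char**)pUuid = zUuid;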
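Review bot: After the `%q` change on line 471 the quote is escaped but GLOB metacharacters in P("name") are not, so a request with name set to `*` or `[0-9]` still matches an arbitrary ticket and db_text hands back the first one; that is only harmless if the caller, which is outside this hunk, has already restricted name to hex digits, and that cannot be confirmed from here. A guard next to the query that does not depend on the caller, `const char *zName = P("name"); if( zName==0 || !validate16(zName, strlen(zName)) ) fossil_fatal("invalid ticket name");` (using Fossil's existing hex validator, if it is in scope here), closes it. Even with clean input the prefix match can be ambiguous when several tickets share a prefix, and the code silently picks one instead of rejecting the request. The enclosing function starts before this hunk.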
+2
-2
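--- a/win/Makefile.mingw
+++ b/win/Makefile.mingw
@@ -133,16 +133,16 @@
 # chroot jail.
 #
 LIB = -static
 LIB += -lmingwex -lz
 
-# OpenSSL: Add the necessary libaries required, if enabled.
+# OpenSSL: Add the necessary libraries required, if enabled.
 ifdef FOSSIL_ENABLE_SSL
 LIB += -lssl -lcrypto -lgdi32
 endif
 
-# Tcl: Add the necessary libaries required, if enabled.
+# Tcl: Add the necessary libraries required, if enabled.
 ifdef FOSSIL_ENABLE_TCL
 LIB += $(LIBTCL)
 endif
 
 #### These libraries MUST appear in the same order as they do for Tcl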