Fossil SCM

Check that the date provided will actually come back out of the database before allowing it in. Also, allow altering a date that may be wrong.

andybradford 2015-07-31 07:22 UTC check-in-edit
Commit 44fda3228b18d6f6e080ab9875bd37c24bf49f68
1 file changed +13 -3
+13 -3
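--- a/src/info.c
+++ b/src/info.c
@@ -2391,10 +2391,18 @@
 manifest_crosslink(nrid, ctrl, MC_PERMIT_HOOKS);
 assert( blob_is_reset(ctrl) );
 db_end_transaction(0);
 }
 }
+
+/*
+** This method checks that the date can be parsed.
+** Returns 1 if datetime() can validate, 0 otherwise.
+*/
+int is_datetime(const char* zDate){
+ return db_int(0, "SELECT datetime(%Q) NOT NULL", zDate);
+}
 
 /*
 ** WEBPAGE: ci_edit
 ** URL: /ci_edit?r=RID&c=NEWCOMMENT&u=NEWUSER
 **
@@ -2817,14 +2825,12 @@
 zUuid = db_text(0, "SELECT uuid FROM blob WHERE rid=%d", rid);
 zComment = db_text(0, "SELECT coalesce(ecomment,comment)"
 " FROM event WHERE objid=%d", rid);
 zUser = db_text(0, "SELECT coalesce(euser,user)"
 " FROM event WHERE objid=%d", rid);
- if( zUser==0 || zUser[0]==0 ) fossil_fatal("No user on rid %d", rid);
 zDate = db_text(0, "SELECT datetime(mtime)"
 " FROM event WHERE objid=%d", rid);
- if( zDate==0 || zDate[0]==0 ) fossil_fatal("No date on rid %d", rid);
 zColor = db_text("", "SELECT bgcolor"
 " FROM event WHERE objid=%d", rid);
 fPropagateColor = db_int(0, "SELECT tagtype FROM tagxref"
 " WHERE rid=%d AND tagid=%d",
 rid, TAG_BGCOLOR)==2;
@@ -2860,11 +2866,15 @@
 zNewComment = blob_str(&comment);
 }
 if( zNewComment && zNewComment[0]
 && comment_compare(zComment,zNewComment)==0 ) add_comment(zNewComment);
 if( zNewDate && zNewDate[0] && fossil_strcmp(zDate,zNewDate)!=0 ){
- add_date(zNewDate);
+ if( is_datetime(zNewDate) ){
+ add_date(zNewDate);
+ }else{
+ fossil_fatal("Unsupported date format, use YYYY-MM-DD HH:MM:SS");
+ }
 }
 if( zNewUser && zNewUser[0] && fossil_strcmp(zUser,zNewUser)!=0 ){
 add_user(zNewUser);
 }
 if( pzNewTags!=0 ){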
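Review bot: `is_datetime()` accepts every time-value SQLite's `datetime()` can parse, which is wider than the `YYYY-MM-DD HH:MM:SS` form the new `fossil_fatal()` message names: `now`, a bare Julian day number or a bare `HH:MM` also return non-NULL. The raw `zNewDate` is then handed to `add_date()` unchanged in the third hunk. If `add_date()` (not visible here) records that string as given, consider storing the canonical value instead, for example `zNewDate = db_text(0, "SELECT datetime(%Q)", zNewDate);` followed by `if( zNewDate==0 ) fossil_fatal(...)`, so what is written is exactly what the database returned. The `%Q` conversion is the right choice for this form parameter, since it keeps the value a quoted SQL string literal. Separately, the second hunk drops the `zUser`/`zDate` NULL guards; the enclosing function continues outside these hunks, so any later use of those pointers that assumes non-NULL should be checked.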
--- src/info.c
+++ src/info.c
@@ -2391,10 +2391,18 @@
2391 manifest_crosslink(nrid, ctrl, MC_PERMIT_HOOKS);
2392 assert( blob_is_reset(ctrl) );
2393 db_end_transaction(0);
2394 }
2395 }
 
 
 
 
 
 
 
 
2396
2397 /*
2398 ** WEBPAGE: ci_edit
2399 ** URL: /ci_edit?r=RID&c=NEWCOMMENT&u=NEWUSER
2400 **
@@ -2817,14 +2825,12 @@
2817 zUuid = db_text(0, "SELECT uuid FROM blob WHERE rid=%d", rid);
2818 zComment = db_text(0, "SELECT coalesce(ecomment,comment)"
2819 " FROM event WHERE objid=%d", rid);
2820 zUser = db_text(0, "SELECT coalesce(euser,user)"
2821 " FROM event WHERE objid=%d", rid);
2822 if( zUser==0 || zUser[0]==0 ) fossil_fatal("No user on rid %d", rid);
2823 zDate = db_text(0, "SELECT datetime(mtime)"
2824 " FROM event WHERE objid=%d", rid);
2825 if( zDate==0 || zDate[0]==0 ) fossil_fatal("No date on rid %d", rid);
2826 zColor = db_text("", "SELECT bgcolor"
2827 " FROM event WHERE objid=%d", rid);
2828 fPropagateColor = db_int(0, "SELECT tagtype FROM tagxref"
2829 " WHERE rid=%d AND tagid=%d",
2830 rid, TAG_BGCOLOR)==2;
@@ -2860,11 +2866,15 @@
2860 zNewComment = blob_str(&comment);
2861 }
2862 if( zNewComment && zNewComment[0]
2863 && comment_compare(zComment,zNewComment)==0 ) add_comment(zNewComment);
2864 if( zNewDate && zNewDate[0] && fossil_strcmp(zDate,zNewDate)!=0 ){
2865 add_date(zNewDate);
 
 
 
 
2866 }
2867 if( zNewUser && zNewUser[0] && fossil_strcmp(zUser,zNewUser)!=0 ){
2868 add_user(zNewUser);
2869 }
2870 if( pzNewTags!=0 ){
2871
--- src/info.c
+++ src/info.c
@@ -2391,10 +2391,18 @@
2391 manifest_crosslink(nrid, ctrl, MC_PERMIT_HOOKS);
2392 assert( blob_is_reset(ctrl) );
2393 db_end_transaction(0);
2394 }
2395 }
2396
2397 /*
2398 ** This method checks that the date can be parsed.
2399 ** Returns 1 if datetime() can validate, 0 otherwise.
2400 */
2401 int is_datetime(const char* zDate){
2402 return db_int(0, "SELECT datetime(%Q) NOT NULL", zDate);
2403 }
2404
2405 /*
2406 ** WEBPAGE: ci_edit
2407 ** URL: /ci_edit?r=RID&c=NEWCOMMENT&u=NEWUSER
2408 **
@@ -2817,14 +2825,12 @@
2825 zUuid = db_text(0, "SELECT uuid FROM blob WHERE rid=%d", rid);
2826 zComment = db_text(0, "SELECT coalesce(ecomment,comment)"
2827 " FROM event WHERE objid=%d", rid);
2828 zUser = db_text(0, "SELECT coalesce(euser,user)"
2829 " FROM event WHERE objid=%d", rid);
 
2830 zDate = db_text(0, "SELECT datetime(mtime)"
2831 " FROM event WHERE objid=%d", rid);
 
2832 zColor = db_text("", "SELECT bgcolor"
2833 " FROM event WHERE objid=%d", rid);
2834 fPropagateColor = db_int(0, "SELECT tagtype FROM tagxref"
2835 " WHERE rid=%d AND tagid=%d",
2836 rid, TAG_BGCOLOR)==2;
@@ -2860,11 +2866,15 @@
2866 zNewComment = blob_str(&comment);
2867 }
2868 if( zNewComment && zNewComment[0]
2869 && comment_compare(zComment,zNewComment)==0 ) add_comment(zNewComment);
2870 if( zNewDate && zNewDate[0] && fossil_strcmp(zDate,zNewDate)!=0 ){
2871 if( is_datetime(zNewDate) ){
2872 add_date(zNewDate);
2873 }else{
2874 fossil_fatal("Unsupported date format, use YYYY-MM-DD HH:MM:SS");
2875 }
2876 }
2877 if( zNewUser && zNewUser[0] && fossil_strcmp(zUser,zNewUser)!=0 ){
2878 add_user(zNewUser);
2879 }
2880 if( pzNewTags!=0 ){
2881
