Fossil SCM
Bug fix: Restore access to tables whose names start with "fx_" in ticket reports. Broken by check-in [5e7dc8a6f51818e6].
Commit
cfb6e5eae34a00d24caeff3b087696bdb33f91c9ddcb039ff6054284f6a8dda4
Parent
46d7ccd45e66a8b…
1 file changed
+13
-8
+13
-8
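--- a/src/report.c
+++ b/src/report.c
@@ -199,33 +199,38 @@
 "ticketchng",
 "unversioned",
 };
 int lwr = 0;
 int upr = count(azAllowed) - 1;
-int rc = 0;
+int cmp = 0;
 if( zArg1==0 ){
 /* Some legacy versions of SQLite will sometimes send spurious
 ** READ authorizations that have no table name. These can be
 ** ignored. */
 rc = SQLITE_IGNORE;
 break;
 }
-while( lwr<upr ){
+if( sqlite3_strnicmp(zArg1, "fx_", 3)==0 ){
+/* Ok to read any table whose name begins with "fx_" */
+rc = SQLITE_OK;
+break;
+}
+while( lwr<=upr ){
 int i = (lwr+upr)/2;
-int rc = fossil_stricmp(zArg1, azAllowed[i]);
-if( rc<0 ){
+cmp = fossil_stricmp(zArg1, azAllowed[i]);
+if( cmp<0 ){
 upr = i - 1;
-}else if( rc>0 ){
+}else if( cmp>0 ){
 lwr = i + 1;
 }else{
 break;
 }
 }
-if( rc ){
+if( cmp ){
 *(char**)pError = mprintf("access to table \"%s\" is restricted",zArg1);
 rc = SQLITE_DENY;
-}else if( !g.perm.RdAddr && strncmp(zArg2, "private_", 8)==0 ){
+}else if( !g.perm.RdAddr && sqlite3_strnicmp(zArg2, "private_", 8)==0 ){
 rc = SQLITE_IGNORE;
 }
 break;
 }
 default: {
@@ -1039,11 +1044,11 @@
 
 db_multi_exec("PRAGMA empty_result_callbacks=ON");
 style_set_current_feature("report");
 /*
 ** Lets use a funcy button for /reportlist since that page may be
-** heavily customized by the user. Some variants: ⊚ ⦾ ❊ ⊛ ⚛ ⸎ 💠
+** heavily customized by the user. Some variants: ⊚ ⦾ ❊ ⊛ ⚛ ⸎ ð’’
 ** Enclosing it inside of square brackets makes its position
 ** determenistic and clearly distincts regular submenu links from
 ** those that are induced by the query string parameters.
 */
 if( zQS[0] ){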
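Review bot: The new `fx_` branch sets `rc = SQLITE_OK` and breaks before the `private_` column test at the bottom of this case, so a `private_*` column in any `fx_` table is readable without `g.perm.RdAddr`, and the `azAllowed` list is skipped for every name with that prefix. If that is intended, the comment should record it, for example `/* Ok to read any table whose name begins with "fx_"; the private_ column filter below is deliberately not applied to these tables */`; if it is not, the branch should fall through to the `private_` test instead of breaking. Because the decision rests only on the table name in `zArg1`, it is also worth confirming who is able to create `fx_`-prefixed tables or views, since the prefix alone now grants read access. The enclosing authorizer function starts and ends outside this hunk, so the declaration of the outer `rc` is not visible here.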
| --- src/report.c | |
| +++ src/report.c | |
| @@ -199,33 +199,38 @@ | |
| 199 | "ticketchng", |
| 200 | "unversioned", |
| 201 | }; |
| 202 | int lwr = 0; |
| 203 | int upr = count(azAllowed) - 1; |
| 204 | int rc = 0; |
| 205 | if( zArg1==0 ){ |
| 206 | /* Some legacy versions of SQLite will sometimes send spurious |
| 207 | ** READ authorizations that have no table name. These can be |
| 208 | ** ignored. */ |
| 209 | rc = SQLITE_IGNORE; |
| 210 | break; |
| 211 | } |
| 212 | while( lwr<upr ){ |
| 213 | int i = (lwr+upr)/2; |
| 214 | int rc = fossil_stricmp(zArg1, azAllowed[i]); |
| 215 | if( rc<0 ){ |
| 216 | upr = i - 1; |
| 217 | }else if( rc>0 ){ |
| 218 | lwr = i + 1; |
| 219 | }else{ |
| 220 | break; |
| 221 | } |
| 222 | } |
| 223 | if( rc ){ |
| 224 | *(char**)pError = mprintf("access to table \"%s\" is restricted",zArg1); |
| 225 | rc = SQLITE_DENY; |
| 226 | }else if( !g.perm.RdAddr && strncmp(zArg2, "private_", 8)==0 ){ |
| 227 | rc = SQLITE_IGNORE; |
| 228 | } |
| 229 | break; |
| 230 | } |
| 231 | default: { |
| @@ -1039,11 +1044,11 @@ | |
| 1039 | |
| 1040 | db_multi_exec("PRAGMA empty_result_callbacks=ON"); |
| 1041 | style_set_current_feature("report"); |
| 1042 | /* |
| 1043 | ** Lets use a funcy button for /reportlist since that page may be |
| 1044 | ** heavily customized by the user. Some variants: ⊚ ⦾ ❊ ⊛ ⚛ ⸎ 💠 |
| 1045 | ** Enclosing it inside of square brackets makes its position |
| 1046 | ** determenistic and clearly distincts regular submenu links from |
| 1047 | ** those that are induced by the query string parameters. |
| 1048 | */ |
| 1049 | if( zQS[0] ){ |
| 1050 |
| --- src/report.c | |
| +++ src/report.c | |
| @@ -199,33 +199,38 @@ | |
| 199 | "ticketchng", |
| 200 | "unversioned", |
| 201 | }; |
| 202 | int lwr = 0; |
| 203 | int upr = count(azAllowed) - 1; |
| 204 | int cmp = 0; |
| 205 | if( zArg1==0 ){ |
| 206 | /* Some legacy versions of SQLite will sometimes send spurious |
| 207 | ** READ authorizations that have no table name. These can be |
| 208 | ** ignored. */ |
| 209 | rc = SQLITE_IGNORE; |
| 210 | break; |
| 211 | } |
| 212 | if( sqlite3_strnicmp(zArg1, "fx_", 3)==0 ){ |
| 213 | /* Ok to read any table whose name begins with "fx_" */ |
| 214 | rc = SQLITE_OK; |
| 215 | break; |
| 216 | } |
| 217 | while( lwr<=upr ){ |
| 218 | int i = (lwr+upr)/2; |
| 219 | cmp = fossil_stricmp(zArg1, azAllowed[i]); |
| 220 | if( cmp<0 ){ |
| 221 | upr = i - 1; |
| 222 | }else if( cmp>0 ){ |
| 223 | lwr = i + 1; |
| 224 | }else{ |
| 225 | break; |
| 226 | } |
| 227 | } |
| 228 | if( cmp ){ |
| 229 | *(char**)pError = mprintf("access to table \"%s\" is restricted",zArg1); |
| 230 | rc = SQLITE_DENY; |
| 231 | }else if( !g.perm.RdAddr && sqlite3_strnicmp(zArg2, "private_", 8)==0 ){ |
| 232 | rc = SQLITE_IGNORE; |
| 233 | } |
| 234 | break; |
| 235 | } |
| 236 | default: { |
| @@ -1039,11 +1044,11 @@ | |
| 1044 | |
| 1045 | db_multi_exec("PRAGMA empty_result_callbacks=ON"); |
| 1046 | style_set_current_feature("report"); |
| 1047 | /* |
| 1048 | ** Lets use a funcy button for /reportlist since that page may be |
| 1049 | ** heavily customized by the user. Some variants: ⊚ ⦾ ❊ ⊛ ⚛ ⸎ ð’’ |
| 1050 | ** Enclosing it inside of square brackets makes its position |
| 1051 | ** determenistic and clearly distincts regular submenu links from |
| 1052 | ** those that are induced by the query string parameters. |
| 1053 | */ |
| 1054 | if( zQS[0] ){ |
| 1055 |