
Re: svn commit: r1091262 - /subversion/trunk/subversion/libsvn_wc/wc_db.c

From: Greg Stein <gstein_at_gmail.com>
Date: Mon, 11 Apr 2011 22:41:12 -0400

Woah. When did svn_sqlite__prepare arrive?

I'm basically -1 on that.

The whole idea behind static statements was to avoid SQL injection attacks.
Allowing the *code* to construct statements opens us up.

This is Not Good.

On Apr 11, 2011 8:31 PM, <hwright_at_apache.org> wrote:
> Author: hwright
> Date: Tue Apr 12 00:31:00 2011
> New Revision: 1091262
>
> URL: http://svn.apache.org/viewvc?rev=1091262&view=rev
> Log:
> * subversion/libsvn_wc/wc_db.c
> (set_changelist_txn): Special case the with-changelist case, to avoid some
> confusion by interleaving if-statements.
>
> Modified:
> subversion/trunk/subversion/libsvn_wc/wc_db.c
>
> Modified: subversion/trunk/subversion/libsvn_wc/wc_db.c
> URL: http://svn.apache.org/viewvc/subversion/trunk/subversion/libsvn_wc/wc_db.c?rev=1091262&r1=1091261&r2=1091262&view=diff
>
> ==============================================================================
> --- subversion/trunk/subversion/libsvn_wc/wc_db.c (original)
> +++ subversion/trunk/subversion/libsvn_wc/wc_db.c Tue Apr 12 00:31:00 2011
> @@ -3460,37 +3460,34 @@ set_changelist_txn(void *baton,
> svn_relpath_dirname(local_relpath,
> scratch_pool)));
> }
> - else
> + else if (scb->changelists && scb->changelists->nelts)
> {
> - const char *stmt_text = statements[STMT_UPDATE_ACTUAL_CHANGELIST];
> - const char *filter = construct_filter("changelist",
> - scb->changelists,
> - scratch_pool);
> -
> - if (*filter)
> - stmt_text = apr_pstrcat(scratch_pool, stmt_text, " AND ", filter,
> - NULL);
> + int i;
> + const char *stmt_text = apr_pstrcat(scratch_pool,
> + statements[STMT_UPDATE_ACTUAL_CHANGELIST],
> + " AND ",
> + construct_filter("changelist",
> + scb->changelists,
> + scratch_pool),
> + NULL);
>
> SVN_ERR(svn_sqlite__prepare(&stmt, wcroot->sdb, stmt_text,
> scratch_pool));
>
> - /* If we have a filter, it means we need to bind the changelist
> - params. */
> - if (*filter)
> + for (i = 0; i < scb->changelists->nelts; i++)
> {
> - int i;
> + const char *cl = APR_ARRAY_IDX(scb->changelists, i, const char *);
>
> - for (i = 0; i < scb->changelists->nelts; i++)
> - {
> - const char *cl = APR_ARRAY_IDX(scb->changelists, i,
> - const char *);
> -
> - /* The magic number '4' here is the number of existing params,
> - plus 1, in the statement, which will be bound below. */
> - SVN_ERR(svn_sqlite__bind_text(stmt, i+4, cl));
> - }
> + /* The magic number '4' here is the number of existing params,
> + plus 1, in the statement, which will be bound below. */
> + SVN_ERR(svn_sqlite__bind_text(stmt, i+4, cl));
> }
> }
> + else
> + {
> + SVN_ERR(svn_sqlite__get_statement(&stmt, wcroot->sdb,
> + STMT_UPDATE_ACTUAL_CHANGELIST));
> + }
>
> /* Run the update or insert query */
> SVN_ERR(svn_sqlite__bindf(stmt, "iss", wcroot->wc_id, local_relpath,
>
>
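Review bot: the new `else if (scb->changelists && scb->changelists->nelts)` branch drops the old `if (*filter)` guard and unconditionally appends `" AND "` plus the result of construct_filter() to the static statement; if construct_filter() can still return an empty string for a non-empty array, the statement text ends in `" AND "` and svn_sqlite__prepare() will fail, so either keep the guard or assert that the filter is non-empty at that point. Since this path now passes dynamically built SQL text to svn_sqlite__prepare() instead of a statement from the static table, its safety rests entirely on construct_filter() emitting only `?` placeholders for the changelist names (the `svn_sqlite__bind_text(stmt, i+4, cl)` loop suggests it does) and never the names themselves; that invariant deserves a comment next to the apr_pstrcat() call. The "magic number '4'" comment should also be tied explicitly to the `"iss"` format of the svn_sqlite__bindf() call below, since the bind offset silently breaks if either side changes.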
Received on 2011-04-12 04:41:50 CEST

This is an archived mail posted to the Subversion Dev mailing list.
