prepare for 3.2.1 release

The class parameter was used as is, allowing for potential
SQL injection via the API.

Thanks to @bladeswords for finding this.

CMakeLists.txt

@@ -20,7 +20,7 @@ project(nominatim)
 
 set(NOMINATIM_VERSION_MAJOR 3)
 set(NOMINATIM_VERSION_MINOR 2)
-set(NOMINATIM_VERSION_PATCH 0)
+set(NOMINATIM_VERSION_PATCH 1)
 
 set(NOMINATIM_VERSION "${NOMINATIM_VERSION_MAJOR}.${NOMINATIM_VERSION_MINOR}.${NOMINATIM_VERSION_PATCH}")
 

ChangeLog

@@ -1,3 +1,6 @@
+3.2.1
+ * security fix: fix possible SQL injection via details API
+
 3.2.0
 
  * complete rewrite of reverse search algorithm

website/details.php

@@ -37,7 +37,7 @@ if ($sOsmType && $iOsmId > 0) {
     );
     // osm_type and osm_id are not unique enough
     if ($sClass) {
-        $sSQL .= " AND class='".$sClass."'";
+        $sSQL .= " AND class='".pg_escape_string($sClass)."'";
     }
     $sSQL .= ' ORDER BY class ASC';
     $sPlaceId = chksql($oDB->getOne($sSQL));