prepare for 3.4.2 release

properly escape class parameter
The class parameter was used as is, allowing for potential SQL injection via the API. Thanks to @bladeswords for finding this.
2026-02-14 10:27:57 +00:00 · 2020-05-02 22:04:32 +02:00 · 2020-05-02 21:58:16 +02:00
3 changed files with 8 additions and 3 deletions
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -20,7 +20,7 @@ project(nominatim)

 set(NOMINATIM_VERSION_MAJOR 3)
 set(NOMINATIM_VERSION_MINOR 4)
-set(NOMINATIM_VERSION_PATCH 1)
+set(NOMINATIM_VERSION_PATCH 2)

 set(NOMINATIM_VERSION "${NOMINATIM_VERSION_MAJOR}.${NOMINATIM_VERSION_MINOR}.${NOMINATIM_VERSION_PATCH}")

--- a/3
+++ b/3
@@ -1,3 +1,6 @@
+3.4.2
+ * security fix: fix possible SQL injection via details API
+
 3.4.1
 * update osm2pgsql
    * move deletion to copy thread (fixes deadlock in updates)
--- a/website/details.php
+++ b/website/details.php
@@ -32,12 +32,14 @@ $sLanguagePrefArraySQL = $oDB->getArraySQL($oDB->getDBQuotedList($aLangPrefOrder

 if ($sOsmType && $iOsmId > 0) {
    $sSQL = 'SELECT place_id FROM placex WHERE osm_type = :type AND osm_id = :id';
+    $aSQLParams = array(':type' => $sOsmType, ':id' => $iOsmId);
    // osm_type and osm_id are not unique enough
    if ($sClass) {
-        $sSQL .= " AND class='".$sClass."'";
+        $sSQL .= ' AND class= :class';
+        $aSQLParams[':class'] = $sClass;
    }
    $sSQL .= ' ORDER BY class ASC';
-    $sPlaceId = $oDB->getOne($sSQL, array(':type' => $sOsmType, ':id' => $iOsmId));
+    $sPlaceId = $oDB->getOne($sSQL, $aSQLParams);

    // Be nice about our error messages for broken geometry
Author	SHA1	Message	Date
Sarah Hoffmann	282bd4a67e	prepare for 3.4.2 release	2020-05-02 22:04:32 +02:00
Sarah Hoffmann	51f6db2e9c	properly escape class parameter The class parameter was used as is, allowing for potential SQL injection via the API. Thanks to @bladeswords for finding this.	2020-05-02 21:58:16 +02:00