prepare for 3.3.1 release

properly escape class parameter
The class parameter was used as is, allowing for potential SQL injection via the API. Thanks to @bladeswords for finding this.
2020-05-02 22:41:27 +02:00 · 2020-05-02 22:17:35 +02:00
3 changed files with 8 additions and 3 deletions
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -20,7 +20,7 @@ project(nominatim)

 set(NOMINATIM_VERSION_MAJOR 3)
 set(NOMINATIM_VERSION_MINOR 3)
-set(NOMINATIM_VERSION_PATCH 0)
+set(NOMINATIM_VERSION_PATCH 1)

 set(NOMINATIM_VERSION "${NOMINATIM_VERSION_MAJOR}.${NOMINATIM_VERSION_MINOR}.${NOMINATIM_VERSION_PATCH}")

--- a/3
+++ b/3
@@ -1,3 +1,6 @@
+3.3.1
+ * security fix: fix possible SQL injection via details API
+
 3.3.0

 * zoom 17 in reverse now zooms in on minor streets
--- a/website/details.php
+++ b/website/details.php
@@ -32,12 +32,14 @@ $sLanguagePrefArraySQL = $oDB->getArraySQL($oDB->getDBQuotedList($aLangPrefOrder

 if ($sOsmType && $iOsmId > 0) {
    $sSQL = 'SELECT place_id FROM placex WHERE osm_type = :type AND osm_id = :id';
+    $aSQLParams = array(':type' => $sOsmType, ':id' => $iOsmId);
    // osm_type and osm_id are not unique enough
    if ($sClass) {
-        $sSQL .= " AND class='".$sClass."'";
+        $sSQL .= ' AND class= :class';
+        $aSQLParams[':class'] = $sClass;
    }
    $sSQL .= ' ORDER BY class ASC';
-    $sPlaceId = $oDB->getOne($sSQL, array(':type' => $sOsmType, ':id' => $iOsmId));
+    $sPlaceId = $oDB->getOne($sSQL, $aSQLParams);

    // Be nice about our error messages for broken geometry
Author	SHA1	Message	Date
Sarah Hoffmann	f0f4ded041	prepare for 3.3.1 release	2020-05-02 22:41:27 +02:00
Sarah Hoffmann	ae85ceca1e	properly escape class parameter The class parameter was used as is, allowing for potential SQL injection via the API. Thanks to @bladeswords for finding this.	2020-05-02 22:17:35 +02:00