prepare for 3.4.2 release

properly escape class parameter
The class parameter was used as is, allowing for potential SQL injection via the API. Thanks to @bladeswords for finding this.
2020-05-02 22:04:32 +02:00 · 2020-05-02 21:58:16 +02:00 · 2019-12-28 22:53:38 +01:00 · 2019-12-28 22:41:33 +01:00 · 2019-12-28 22:41:19 +01:00 · 2019-12-28 22:40:46 +01:00
8 changed files with 19 additions and 8 deletions
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -20,7 +20,7 @@ project(nominatim)

 set(NOMINATIM_VERSION_MAJOR 3)
 set(NOMINATIM_VERSION_MINOR 4)
-set(NOMINATIM_VERSION_PATCH 0)
+set(NOMINATIM_VERSION_PATCH 2)

 set(NOMINATIM_VERSION "${NOMINATIM_VERSION_MAJOR}.${NOMINATIM_VERSION_MINOR}.${NOMINATIM_VERSION_PATCH}")

--- a/9
+++ b/9
@@ -1,3 +1,12 @@
+3.4.2
+ * security fix: fix possible SQL injection via details API
+
+3.4.1
+ * update osm2pgsql
+    * move deletion to copy thread (fixes deadlock in updates)
+    * fix filtering where valid address objects got dropped
+ * fix typo in import styles
+
 3.4.0

 * increase required version for PostgreSQL(9.3), PostGIS(2.2) and PHP(7.0)
--- a/2
+++ b/2
--- a/settings/import-address.style
+++ b/settings/import-address.style
@@ -73,7 +73,7 @@
    }
 },
 {
-    "keys" : ["country_code", "ISO3166-1", "is_in:country_code", "is_in_country",
+    "keys" : ["country_code", "ISO3166-1", "is_in:country_code", "is_in:country",
              "addr:country", "addr:country", "addr:country_code"],
    "values" : {
        "" : "country"
--- a/settings/import-admin.style
+++ b/settings/import-admin.style
@@ -42,7 +42,7 @@
    }
 },
 {
-    "keys" : ["country_code", "ISO3166-1", "is_in:country_code", "is_in_country",
+    "keys" : ["country_code", "ISO3166-1", "is_in:country_code", "is_in:country",
              "addr:country", "addr:country", "addr:country_code"],
    "values" : {
        "" : "country"
--- a/settings/import-full.style
+++ b/settings/import-full.style
@@ -186,7 +186,7 @@
    }
 },
 {
-    "keys" : ["country_code", "ISO3166-1", "is_in:country_code", "is_in_country",
+    "keys" : ["country_code", "ISO3166-1", "is_in:country_code", "is_in:country",
              "addr:country", "addr:country", "addr:country_code"],
    "values" : {
        "" : "country"
--- a/settings/import-street.style
+++ b/settings/import-street.style
@@ -42,7 +42,7 @@
    }
 },
 {
-    "keys" : ["country_code", "ISO3166-1", "is_in:country_code", "is_in_country",
+    "keys" : ["country_code", "ISO3166-1", "is_in:country_code", "is_in:country",
              "addr:country", "addr:country", "addr:country_code"],
    "values" : {
        "" : "country"
--- a/website/details.php
+++ b/website/details.php
@@ -32,12 +32,14 @@ $sLanguagePrefArraySQL = $oDB->getArraySQL($oDB->getDBQuotedList($aLangPrefOrder

 if ($sOsmType && $iOsmId > 0) {
    $sSQL = 'SELECT place_id FROM placex WHERE osm_type = :type AND osm_id = :id';
+    $aSQLParams = array(':type' => $sOsmType, ':id' => $iOsmId);
    // osm_type and osm_id are not unique enough
    if ($sClass) {
-        $sSQL .= " AND class='".$sClass."'";
+        $sSQL .= ' AND class= :class';
+        $aSQLParams[':class'] = $sClass;
    }
    $sSQL .= ' ORDER BY class ASC';
-    $sPlaceId = $oDB->getOne($sSQL, array(':type' => $sOsmType, ':id' => $iOsmId));
+    $sPlaceId = $oDB->getOne($sSQL, $aSQLParams);

    // Be nice about our error messages for broken geometry
Author	SHA1	Message	Date
Sarah Hoffmann	282bd4a67e	prepare for 3.4.2 release	2020-05-02 22:04:32 +02:00
Sarah Hoffmann	51f6db2e9c	properly escape class parameter The class parameter was used as is, allowing for potential SQL injection via the API. Thanks to @bladeswords for finding this.	2020-05-02 21:58:16 +02:00
Sarah Hoffmann	e4ecbef61e	prepare for 3.4.1 release	2019-12-28 22:53:38 +01:00
Sarah Hoffmann	23dd49a5a2	update osm2pgsql (exclude country and postcode from address tags)	2019-12-28 22:41:33 +01:00
Francesc Hervada-Sala	0c85f88be8	typo - fixes openstreetmap#1606	2019-12-28 22:41:19 +01:00
Sarah Hoffmann	7829a05002	update osm2pgsql (deletion and address updates)	2019-12-28 22:40:46 +01:00