[Pkg-ocaml-maint-commits] [SCM] mysql-ocaml packaging branch, master, updated. debian/1.0.4-6-4-gd68768b
Mehdi Dogguy
mehdi at debian.org
Sat Oct 31 22:39:55 UTC 2009
The following commit has been merged in the master branch:
commit d68768b43f629068b5c0d133081da23c9558f431
Author: Mehdi Dogguy <mehdi at debian.org>
Date: Sat Oct 31 23:25:52 2009 +0100
Add a binding to the function mysql_real_escape_string which prevents insufficient escaping (CVE-2009-2942).
diff --git a/debian/changelog b/debian/changelog
index b7c9f7f..901d309 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -8,6 +8,8 @@ mysql-ocaml (1.0.4-7) unstable; urgency=low
* Bump standards version to 3.8.3
- Add a debian/README.source
* Add a doc-base file to index documentation files
+ * Add a binding to the function mysql_real_escape_string which prevents
+ insufficient escaping (CVE-2009-2942).
-- Mehdi Dogguy <mehdi at debian.org> Sat, 31 Oct 2009 22:28:40 +0100
diff --git a/debian/patches/0002-Add-mysql_real_escape_string-to-the-API.patch b/debian/patches/0002-Add-mysql_real_escape_string-to-the-API.patch
new file mode 100644
index 0000000..b26b1fd
--- /dev/null
+++ b/debian/patches/0002-Add-mysql_real_escape_string-to-the-API.patch
@@ -0,0 +1,124 @@
+From: Mehdi Dogguy <mehdi at debian.org>
+Date: Thu, 1 Oct 2009 22:34:22 +0200
+Subject: [PATCH] Add mysql_real_escape_string to the API
+
+---
+ mysql.ml | 18 ++++++++++++------
+ mysql.mli | 5 +++++
+ mysql_stubs.c | 27 +++++++++++++++++++++++++++
+ 3 files changed, 44 insertions(+), 6 deletions(-)
+
+diff --git a/mysql.ml b/mysql.ml
+index ae6b6ed..324380c 100644
+--- a/mysql.ml
++++ b/mysql.ml
+@@ -333,6 +333,7 @@ external exec : dbd -> string -> result = "db_exec"
+ external real_status : dbd -> int = "db_status"
+ external errmsg : dbd -> string option = "db_errmsg"
+ external escape : string -> string = "db_escape"
++external real_escape: dbd -> string -> string = "db_real_escape"
+ external fetch : result -> string option array option = "db_fetch"
+ external to_row : result -> int64 -> unit = "db_to_row"
+ external size : result -> int64 = "db_size"
+@@ -516,7 +517,9 @@ let column result =
+ the corresponding type *)
+
+ let ml2str str = "'" ^ escape str ^ "'"
++let ml2rstr conn str = "'" ^ real_escape conn str ^ "'"
+ let ml2blob = ml2str
++let ml2rblob = ml2rstr
+ let ml2int x = string_of_int x
+ let ml2decimal x = x
+ let ml322int x = Int32.to_string x
+@@ -524,12 +527,15 @@ let ml642int x = Int64.to_string x
+ let mlnative2int x = Nativeint.to_string x
+ let ml2float x = string_of_float x
+ let ml2enum x = escape x
+-let ml2set x = let rec loop arg = match arg with
+- | [] -> ""
+- | [x] -> escape x
+- | x::y::ys -> escape x ^ "," ^ loop (y::ys)
+- in
+- loop x
++let ml2renum x = real_escape x
++let ml2set_filter f x =
++ let rec loop f = function
++ | [] -> ""
++ | [x] -> f x
++ | x::y::ys -> f x ^ "," ^ loop f (y::ys)
++ in loop f x
++let ml2set x = ml2set_filter escape x
++let ml2rset conn x = ml2set_filter (real_escape conn) x
+
+ let ml2datetimel ~year ~month ~day ~hour ~min ~sec =
+ Printf.sprintf "'%04d-%02d-%02d %02d:%02d:%02d'"
+diff --git a/mysql.mli b/mysql.mli
+index 226bc05..2d01108 100644
+--- a/mysql.mli
++++ b/mysql.mli
+@@ -230,6 +230,7 @@ val fetch_field_dir : result -> int -> field option
+ (** [escape str] returns the same string as [str] in MySQL syntax with
+ special characters quoted to not confuse the MySQL parser *)
+ val escape : string -> string
++val real_escape : dbd -> string -> string
+
+ (** [xxx2ml str] decodes a MySQL value of type xxx into a corresponding
+ OCaml value *)
+@@ -277,14 +278,18 @@ val not_null : ('a -> 'b) -> 'a option -> 'b
+ (** [ml2xxx v] encodes [v] into MySQL syntax. *)
+
+ val ml2str : string -> string
++val ml2rstr : dbd -> string -> string
+ val ml2blob : string -> string
++val ml2rblob : dbd -> string -> string
+ val ml2int : int -> string
+ val ml2decimal : string -> string
+ val ml322int : int32 -> string
+ val ml642int : int64 -> string
+ val ml2float : float -> string
+ val ml2enum : string -> string
++val ml2renum : dbd -> string -> string
+ val ml2set : string list -> string
++val ml2rset : dbd -> string list -> string
+ val ml2datetime : int * int * int * int * int * int -> string
+ val ml2datetimel : year:int -> month:int -> day:int -> hour:int -> min:int -> sec:int -> string
+ val ml2date : int * int * int -> string
+diff --git a/mysql_stubs.c b/mysql_stubs.c
+index 836eb08..7269d07 100644
+--- a/mysql_stubs.c
++++ b/mysql_stubs.c
+@@ -472,6 +472,33 @@ db_escape(value str)
+ CAMLreturn(res);
+ }
+
++EXTERNAL value
++db_real_escape(value dbd, value str)
++{
++ CAMLparam2(dbd, str);
++ char *s;
++ char *buf;
++ int len, esclen;
++ MYSQL *mysql;
++ CAMLlocal1(res);
++
++ check_dbd(dbd, "escape");
++ mysql = DBDmysql(dbd);
++
++ s = String_val(str);
++ len = string_length(str);
++ buf = (char*) stat_alloc(2*len+1);
++ caml_enter_blocking_section();
++ esclen = mysql_real_escape_string(mysql,buf,s,len);
++ caml_leave_blocking_section();
++
++ res = alloc_string(esclen);
++ memcpy(String_val(res), buf, esclen);
++ stat_free(buf);
++
++ CAMLreturn(res);
++}
++
+ /*
+ * db_size -- returns the size of the current result (number of rows).
+ */
+--
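Review bot: In db_real_escape, `s` still points into the OCaml heap while the runtime lock is released between `caml_enter_blocking_section` and `caml_leave_blocking_section`; a collection triggered by another thread in that window can move `str` (the root registered by CAMLparam2 is updated, the raw `s` pointer is not), so the input should be copied into C memory before the lock is dropped, or the blocking section removed altogether since mysql_real_escape_string does no server round-trip. `int len, esclen` should be `unsigned long` to match the parameter and return type of mysql_real_escape_string and to keep `2*len+1` from overflowing on very long inputs, and the label in `check_dbd(dbd, "escape")` presumably should read `"real_escape"` so a failure is attributed to the right primitive. In mysql.mli the new `val real_escape : dbd -> string -> string` has no doc comment although the difference from `escape` is the whole point of the fix; add `(** [real_escape dbd str] is like [escape str] but escapes according to the character set of the connection [dbd]; prefer it over [escape] when the connection may use a multibyte character set. *)`. In mysql.ml, `let ml2renum x = real_escape x` type-checks only through partial application and names the connection `x`; `let ml2renum conn x = real_escape conn x` would read like the neighbouring `ml2rstr`.
```c
EXTERNAL value
db_real_escape(value dbd, value str)
{
  CAMLparam2(dbd, str);
  char *s;
  char *buf;
  unsigned long len, esclen;
  MYSQL *mysql;
  CAMLlocal1(res);

  check_dbd(dbd, "real_escape");
  mysql = DBDmysql(dbd);

  /* copy the input out of the OCaml heap: once the runtime lock is
     released below, a GC on another thread may move [str] */
  len = string_length(str);
  s = (char*) stat_alloc(len + 1);
  memcpy(s, String_val(str), len);
  s[len] = '\0';
  buf = (char*) stat_alloc(2*len+1);
  caml_enter_blocking_section();
  esclen = mysql_real_escape_string(mysql, buf, s, len);
  caml_leave_blocking_section();
  stat_free(s);

  /* ... unchanged: allocate res, copy buf into it, free buf, CAMLreturn ... */
}
```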
diff --git a/debian/patches/series b/debian/patches/series
index 4bf9834..964f4b3 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
0001-Fix-creation-of-insecure-temporary-files.patch
+0002-Add-mysql_real_escape_string-to-the-API.patch