diff options
| author | Christian Grothoff <christian@grothoff.org> | 2024-01-28 23:07:14 +0100 |
|---|---|---|
| committer | Christian Grothoff <christian@grothoff.org> | 2024-01-28 23:07:14 +0100 |
| commit | 914f6391fe7b61d441a8dcf284844bfd46f9abee (patch) | |
| tree | 39414b637b63ad939b56b1fb7294d5ef6fa71cf1 | |
| parent | 9d57484444e28a6c89906bb55afbbdffeb23948a (diff) | |
| download | merchant-914f6391fe7b61d441a8dcf284844bfd46f9abee.tar.gz merchant-914f6391fe7b61d441a8dcf284844bfd46f9abee.tar.bz2 merchant-914f6391fe7b61d441a8dcf284844bfd46f9abee.zip | |
fix escaping, fix memory leaks
| -rw-r--r-- | src/backend/taler-merchant-httpd_private-post-orders.c | 60 | ||||
| -rw-r--r-- | src/backend/taler-merchant-wirewatch.c | 1 | ||||
| -rw-r--r-- | src/backenddb/pg_insert_transfer.c | 4 | ||||
| -rw-r--r-- | src/backenddb/pg_lookup_transfers.c | 16 | ||||
| -rw-r--r-- | src/backenddb/pg_update_wirewatch_progress.c | 4 |
5 files changed, 45 insertions, 40 deletions
diff --git a/src/backend/taler-merchant-httpd_private-post-orders.c b/src/backend/taler-merchant-httpd_private-post-orders.c index 5986a521..52c146ef 100644 --- a/src/backend/taler-merchant-httpd_private-post-orders.c +++ b/src/backend/taler-merchant-httpd_private-post-orders.c @@ -265,7 +265,7 @@ struct OrderContext /** * Merchant base URL. */ - const char *merchant_base_url; + char *merchant_base_url; /** * Timestamp of the order. @@ -636,6 +636,7 @@ clean_order (void *cls) json_decref (oc->parse_request.order); /* TODO: Check that all other fields are cleaned up! */ json_decref (oc->serialize_order.contract); + GNUNET_free (oc->parse_order.merchant_base_url); GNUNET_free (oc); } @@ -1452,10 +1453,7 @@ parse_order (struct OrderContext *oc) { const struct TALER_MERCHANTDB_InstanceSettings *settings = &oc->hc->instance->settings; - - oc->parse_order.refund_deadline = GNUNET_TIME_UNIT_FOREVER_TS; - oc->parse_order.wire_deadline = GNUNET_TIME_UNIT_FOREVER_TS; - + const char *merchant_base_url = NULL; const json_t *jmerchant = NULL; /* auto_refund only needs to be type-checked, * mostly because in GNUnet relative times can't @@ -1496,7 +1494,7 @@ parse_order (struct OrderContext *oc) NULL), GNUNET_JSON_spec_mark_optional ( TALER_JSON_spec_web_url ("merchant_base_url", - &oc->parse_order.merchant_base_url), + &merchant_base_url), NULL), GNUNET_JSON_spec_mark_optional ( GNUNET_JSON_spec_object_const ("merchant", @@ -1542,6 +1540,8 @@ parse_order (struct OrderContext *oc) }; enum GNUNET_GenericReturnValue ret; + oc->parse_order.refund_deadline = GNUNET_TIME_UNIT_FOREVER_TS; + oc->parse_order.wire_deadline = GNUNET_TIME_UNIT_FOREVER_TS; ret = TALER_MHD_parse_json_data (oc->connection, oc->parse_request.order, spec); @@ -1770,7 +1770,23 @@ parse_order (struct OrderContext *oc) return; } - if (NULL == oc->parse_order.merchant_base_url) + if (NULL != merchant_base_url) + { + if (('\0' == *merchant_base_url) || + ('/' != merchant_base_url[strlen (merchant_base_url) - 1])) + { + GNUNET_break_op (0); + reply_with_error ( + oc, + MHD_HTTP_BAD_REQUEST, + TALER_EC_MERCHANT_PRIVATE_POST_ORDERS_PROPOSAL_PARSE_ERROR, + "merchant_base_url is not valid"); + return; + } + oc->parse_order.merchant_base_url + = GNUNET_strdup (merchant_base_url); + } + else { char *url; @@ -1786,27 +1802,11 @@ parse_order (struct OrderContext *oc) "order:merchant_base_url"); return; } - oc->parse_order.merchant_base_url = GNUNET_strdup (url); - GNUNET_free (url); - } - else if (('\0' == *oc->parse_order.merchant_base_url) || - ('/' != oc->parse_order.merchant_base_url[ - strlen (oc->parse_order.merchant_base_url) - 1])) - { - GNUNET_break_op (0); - reply_with_error ( - oc, - MHD_HTTP_BAD_REQUEST, - TALER_EC_MERCHANT_PRIVATE_POST_ORDERS_PROPOSAL_PARSE_ERROR, - "merchant_base_url is not valid"); - return; + oc->parse_order.merchant_base_url = url; } - if (NULL == oc->parse_order.products) - { - oc->parse_order.products = json_array (); - } - else if (! TMH_products_array_valid (oc->parse_order.products)) + if ( (NULL != oc->parse_order.products) && + (! TMH_products_array_valid (oc->parse_order.products)) ) { GNUNET_break_op (0); reply_with_error ( @@ -1939,8 +1939,12 @@ merge_inventory (struct OrderContext *oc) * parse_request.inventory_products => instructions to add products to contract terms * parse_order.products => contains products that are not from the backend-managed inventory. */ - oc->merge_inventory.products - = json_deep_copy (oc->parse_order.products); + if (NULL != oc->parse_order.products) + oc->merge_inventory.products + = json_deep_copy (oc->parse_order.products); + else + oc->merge_inventory.products + = json_array (); /* Populate products from inventory product array and database */ { GNUNET_assert (NULL != oc->merge_inventory.products); diff --git a/src/backend/taler-merchant-wirewatch.c b/src/backend/taler-merchant-wirewatch.c index 2f6094e4..075bdfa4 100644 --- a/src/backend/taler-merchant-wirewatch.c +++ b/src/backend/taler-merchant-wirewatch.c @@ -381,6 +381,7 @@ credit_cb ( { GNUNET_break (0); GNUNET_SCHEDULER_shutdown (); + w->hh = NULL; return GNUNET_SYSERR; } /* Success => reset back-off timer! */ diff --git a/src/backenddb/pg_insert_transfer.c b/src/backenddb/pg_insert_transfer.c index 6d07734b..45a4fa70 100644 --- a/src/backenddb/pg_insert_transfer.c +++ b/src/backenddb/pg_insert_transfer.c @@ -60,8 +60,8 @@ TMH_PG_insert_transfer ( "SELECT" " $1, $2, $3, account_serial, $5" " FROM merchant_accounts" - " WHERE REGEXP_REPLACE(payto_uri,'\?.*','')" - " =REGEXP_REPLACE($4,'\?.*','')" + " WHERE REGEXP_REPLACE(payto_uri,'\\?.*','')" + " =REGEXP_REPLACE($4,'\\?.*','')" " AND merchant_serial=" " (SELECT merchant_serial" " FROM merchant_instances" diff --git a/src/backenddb/pg_lookup_transfers.c b/src/backenddb/pg_lookup_transfers.c index 2e2a55b3..782bb43f 100644 --- a/src/backenddb/pg_lookup_transfers.c +++ b/src/backenddb/pg_lookup_transfers.c @@ -194,8 +194,8 @@ TMH_PG_lookup_transfers (void *cls, " WHERE execution_time < $2" " AND execution_time >= $3" " AND credit_serial > $4" - " AND REGEXP_REPLACE(payto_uri,'\?.*','')" - " =REGEXP_REPLACE($6,'\?.*','')" + " AND REGEXP_REPLACE(payto_uri,'\\?.*','')" + " =REGEXP_REPLACE($6,'\\?.*','')" " AND merchant_serial =" " (SELECT merchant_serial" " FROM merchant_instances" @@ -219,8 +219,8 @@ TMH_PG_lookup_transfers (void *cls, " WHERE execution_time < $2" " AND execution_time >= $3" " AND credit_serial < $4" - " AND REGEXP_REPLACE(payto_uri,'\?.*','')" - " =REGEXP_REPLACE($6,'\?.*','')" + " AND REGEXP_REPLACE(payto_uri,'\\?.*','')" + " =REGEXP_REPLACE($6,'\\?.*','')" " AND merchant_serial =" " (SELECT merchant_serial" " FROM merchant_instances" @@ -333,8 +333,8 @@ TMH_PG_lookup_transfers (void *cls, " JOIN merchant_accounts USING (account_serial)" " LEFT JOIN merchant_transfer_signatures USING (credit_serial)" " WHERE credit_serial > $2" - " AND REGEXP_REPLACE(payto_uri,'\?.*','')" - " =REGEXP_REPLACE($4,'\?.*','')" + " AND REGEXP_REPLACE(payto_uri,'\\?.*','')" + " =REGEXP_REPLACE($4,'\\?.*','')" " AND merchant_serial =" " (SELECT merchant_serial" " FROM merchant_instances" @@ -359,8 +359,8 @@ TMH_PG_lookup_transfers (void *cls, " JOIN merchant_accounts USING (account_serial)" " LEFT JOIN merchant_transfer_signatures USING (credit_serial)" " WHERE credit_serial < $2" - " AND REGEXP_REPLACE(payto_uri,'\?.*','')" - " =REGEXP_REPLACE($4,'\?.*','')" + " AND REGEXP_REPLACE(payto_uri,'\\?.*','')" + " =REGEXP_REPLACE($4,'\\?.*','')" " AND merchant_serial =" " (SELECT merchant_serial" " FROM merchant_instances" diff --git a/src/backenddb/pg_update_wirewatch_progress.c b/src/backenddb/pg_update_wirewatch_progress.c index 457c7d9d..629439e3 100644 --- a/src/backenddb/pg_update_wirewatch_progress.c +++ b/src/backenddb/pg_update_wirewatch_progress.c @@ -45,8 +45,8 @@ TMH_PG_update_wirewatch_progress ( "update_wirewatch_progress", "UPDATE merchant_accounts" " SET last_bank_serial=$3" - " WHERE REGEXP_REPLACE(payto_uri,'\?.*','')" - " =REGEXP_REPLACE($2,'\?.*','')" + " WHERE REGEXP_REPLACE(payto_uri,'\\?.*','')" + " =REGEXP_REPLACE(CAST ($2 AS TEXT),'\\?.*','')" " AND merchant_serial =" " (SELECT merchant_serial" " FROM merchant_instances" |