Bas Couwenberg pushed to branch upstream at Debian GIS Project / mapserver
Commits: 577b8c53 by Bas Couwenberg at 2024-06-12T05:20:49+02:00 New upstream version 8.2.0~beta3 - - - - - 5 changed files: - CMakeLists.txt - HISTORY.md - src/mapogroutput.cpp - src/mapregex.c - src/mapregex.h Changes: ===================================== CMakeLists.txt ===================================== @@ -18,7 +18,7 @@ include(CheckCSourceCompiles) set (MapServer_VERSION_MAJOR 8) set (MapServer_VERSION_MINOR 2) set (MapServer_VERSION_REVISION 0) -set (MapServer_VERSION_SUFFIX "-beta2") +set (MapServer_VERSION_SUFFIX "-beta3") # Set C++ version # Make CMAKE_CXX_STANDARD available as cache option overridable by user ===================================== HISTORY.md ===================================== @@ -13,6 +13,11 @@ https://mapserver.org/development/changelog/ The online Migration Guide can be found at https://mapserver.org/MIGRATION_GUIDE.html +8.2.0-beta3 release (2024-06-11) +-------------------------------- + +- security fix to prevent SQL injections through regex validation (#7075) + 8.2.0-beta2 release (2024-06-08) -------------------------------- @@ -115,6 +120,15 @@ RC2 was released as the final 8.0.0 (see major changes below) - upgrade Travis and GitHub CI to run on Ubuntu Focal (#6430) +7.6.5 release (2023-04-17) +-------------------------- + +- remove password content from logs (#6621) + +- increase security and stability (#6818) + +see detailed changelog for other fixes + 7.6.4 release (2021-07-12) -------------------------- ===================================== src/mapogroutput.cpp ===================================== 
@@ -768,7 +768,12 @@ int msOGRWriteFromQuery(mapObj *map, outputFormatObj *format, int sendheaders)
 }
 if (!EQUAL(storage, "stream")) {
- msBuildPath(datasource_name, request_dir, fo_filename);
+ if (!msBuildPath(datasource_name, request_dir, fo_filename)) {
+ msFree(request_dir);
+ CSLDestroy(layer_options);
+ CSLDestroy(ds_options);
+ return MS_FAILURE;
+ }
 if (EQUAL(form, "zip")) {
 /* if generating a zip file, remove the zip extension for the internal */
@@ -779,7 +784,7 @@ int msOGRWriteFromQuery(mapObj *map, outputFormatObj *format, int sendheaders)
 /* and add .dat extension if user didn't provide another extension */
 if (EQUAL(CPLGetExtension(datasource_name), "")) {
- strcat(datasource_name, ".dat");
+ strlcat(datasource_name, ".dat", sizeof(datasource_name));
 }
 }
===================================== src/mapregex.c =====================================
@@ -57,7 +57,16 @@ MS_API_EXPORT(int) ms_regcomp(ms_regex_t *regex, const char *expr, int cflags) {
 /* Must free in regfree() */
 regex_t *sys_regex = (regex_t *)msSmallMalloc(sizeof(regex_t));
 regex->sys_regex = (void *)sys_regex;
- int ret = regcomp(sys_regex, expr, cflags);
+ int reg_cflags = 0;
+ if (cflags & MS_REG_EXTENDED)
+ reg_cflags |= REG_EXTENDED;
+ if (cflags & MS_REG_ICASE)
+ reg_cflags |= REG_ICASE;
+ if (cflags & MS_REG_NOSUB)
+ reg_cflags |= REG_NOSUB;
+ if (cflags & MS_REG_NEWLINE)
+ reg_cflags |= REG_NEWLINE;
+ int ret = regcomp(sys_regex, expr, reg_cflags);
 if (ret != 0) {
 free(regex->sys_regex);
 regex->sys_regex = NULL;
===================================== src/mapregex.h =====================================
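Review bot: The new failure branch after `msBuildPath(datasource_name, request_dir, fo_filename)` returns `MS_FAILURE` without recording why, and nothing in the hunk shows msBuildPath reporting the error itself. If it does not, add `msSetError(MS_MISCERR, "Unable to build output datasource path.", "msOGRWriteFromQuery()");` before the cleanup so a rejected or over-long path is visible in the error stack instead of surfacing as a bare failure. A short comment such as `/* datasource_name is not usable when msBuildPath() fails; stop before it is opened */` would also record why the previously ignored return value now matters. msOGRWriteFromQuery starts and ends outside the hunk, so whether other resources are live at this point cannot be checked from here.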
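Review bot: The `strlcat` call that appends `.dat` discards its return value, so a name that already fills the buffer is truncated silently and then used without the extension the comment above says it should get. Checking the result, `if (strlcat(datasource_name, ".dat", sizeof(datasource_name)) >= sizeof(datasource_name))`, followed by the same cleanup and `return MS_FAILURE;` used for the msBuildPath failure, turns truncation into an explicit error. `sizeof(datasource_name)` is the buffer size only if datasource_name is declared as an array in this function; the declaration is outside the hunk, so that should be confirmed.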
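Review bot: The flag translation added to ms_regcomp carries no comment saying why it exists, and it silently drops any bit in `cflags` outside the four it maps. Going by the values in mapregex.h, `MS_REG_NOSUB` (0004) has the numeric value GNU uses for `REG_NEWLINE`, so passing `cflags` straight through changed how `^` and `$` anchor, which matters for patterns used to validate input. A comment above the mapping such as `/* MS_REG_* are MapServer's own bit values and do not match the system REG_* bits; always translate, never pass cflags through */` would keep a later cleanup from reverting it. ms_regexec and its `eflags` argument are outside this hunk; it is worth confirming they do not forward raw values in the same way.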
@@ -66,11 +66,10 @@ MS_API_EXPORT(void) ms_regfree(ms_regex_t *);
 #define MS_REG_BASIC 0000
 #define MS_REG_EXTENDED 0001
 #define MS_REG_ICASE 0002
+// WARNING: GNU regex has REG_NOSUB = (1 << 3) = 8
 #define MS_REG_NOSUB 0004
+// WARNING: GNU regex has REG_NEWLINE = (1 << 2) = 4
 #define MS_REG_NEWLINE 0010
-#define MS_REG_NOSPEC 0020
-#define MS_REG_PEND 0040
-#define MS_REG_DUMP 0200
 /* === regerror.c === */
 #define MS_REG_OKAY 0
View it on GitLab: https://salsa.debian.org/debian-gis-team/mapserver/-/commit/577b8c53d27be9c3b1f763a11665ee0bfb1187c6 -- This project does not include diff previews in email notifications. View it on GitLab: https://salsa.debian.org/debian-gis-team/mapserver/-/commit/577b8c53d27be9c3b1f763a11665ee0bfb1187c6 You're receiving this email because of your account on salsa.debian.org.
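Review bot: The two WARNING comments above `MS_REG_NOSUB` and `MS_REG_NEWLINE` state the GNU values but not the consequence, so a reader still has to work out that the two flags are swapped relative to the system header and what to do about it. One block comment in the file's existing `/* */` style would say it directly: `/* MS_REG_* are MapServer's own bit values, not the system REG_* ones (GNU: REG_NEWLINE = 4, REG_NOSUB = 8); never pass them to regcomp() directly, ms_regcomp() translates them */`. The same hunk removes `MS_REG_NOSPEC`, `MS_REG_PEND` and `MS_REG_DUMP` from a header that exports API; if code outside this commit still uses those names it will stop compiling, which cannot be checked from the lines shown.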
