886b70f9730f717a4a77ab4e10808e1ba8693da7 galt Tue Jun 11 16:25:19 2013 -0700 not getting the desired behavior on stackdump
diff --git src/hg/lib/jksql.c src/hg/lib/jksql.c
index f652b45..7a714cd 100644
--- src/hg/lib/jksql.c
+++ src/hg/lib/jksql.c
@@ -2077,31 +2077,32 @@
 if (!conn->inCache) errAbort("sqlConnCacheDealloc called on connection that is not associated with a cache"); assert(!conn->isFree); conn->isFree = TRUE; struct sqlConnCacheEntry *scce; for (scce = cache->entries; (scce != NULL) && (scce->conn != conn); scce = scce->next) continue; if (scce == NULL) errAbort("sqlConnCacheDealloc called on cache that doesn't contain " "the given connection"); scce->inUse = FALSE; *pConn = NULL; } }
-// where am I using this?
+// where am I using this? probably just cart.c and maybe cartDb.c ?
+// but it is worth keeping just for the cart.
 void sqlDyAppendEscaped(struct dyString *dy, char *s) /* Append to dy an escaped s */ { dyStringBumpBufSize(dy, dy->stringSize + strlen(s)*2); int realSize = sqlEscapeString3(dy->string+dy->stringSize, s); dy->stringSize += realSize; } unsigned long sqlEscapeString3(char *to, const char* from) /* Prepares a string for inclusion in a sql statement. Output string * must be 2*strlen(from)+1. Returns actual escaped size not counting term 0. */ { return mysql_escape_string(to, from, strlen(from)); }
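Review bot: In `sqlDyAppendEscaped` the buffer is grown with `dyStringBumpBufSize(dy, dy->stringSize + strlen(s)*2)`, but the comment on `sqlEscapeString3` immediately below states the output buffer must hold `2*strlen(from)+1` bytes, the extra byte being the terminating NUL that `mysql_escape_string` writes. Unless `dyStringBumpBufSize` is known to keep a spare byte beyond the requested size (not visible in this hunk), the terminator lands one past the reserved space; growing by `dy->stringSize + strlen(s)*2 + 1` removes the dependence on that invariant. `realSize` is also declared `int` while `sqlEscapeString3` returns `unsigned long`, so an `unsigned long realSize` local would keep the types aligned. The commit itself only touches the comment above the function; rather than the question it now asks, that comment could state the contract, e.g. `// Append s to dy, escaped with mysql_escape_string; used by the cart code.`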
@@ -2924,30 +2925,31 @@
 { sqlCheckDisallowAllChars(allowed); sqlCheckAllowAlphaNumChars(allowed); init = TRUE; } if (!sqlCheckAllowedChars(word, allowed)) { sqlCheckError("Illegal character found in %s", word); } return word; } // TODO as much as I liked this function sqlCheckIdentifiersList, // it may not be used much, so see if you can remove it // and just add a little workaound for the remaining place(s) that use it.
+// This one is probably here to stay.
 char *sqlCheckIdentifiersList(char *identifiers) /* Check that only valid identifier characters are used in a comma-separated list */ { static boolean init = FALSE; static char allowed[256]; if (!init) { sqlCheckDisallowAllChars(allowed); sqlCheckAllowAlphaNumChars(allowed); sqlCheckAllowChar('.', allowed); sqlCheckAllowChar('_', allowed); // sqlTableExists looks like a single table check, but apparently it has become abused // to support multiple tables e.g. sqlTableExists sqlCheckAllowChar(' ', allowed); sqlCheckAllowChar(',', allowed);
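Review bot: The added `// This one is probably here to stay.` sits directly under a three-line TODO that tells the reader to remove `sqlCheckIdentifiersList`, so the comment block now argues both ways; collapse the four lines into one that records the decision, e.g. `// sqlCheckIdentifiersList stays: sqlTableExists callers pass comma-separated lists through it.` The in-body comment `// to support multiple tables e.g. sqlTableExists` also ends in what looks like a truncated example, naming the function it already describes rather than a caller. Because `' '` and `','` are added to `allowed`, the check validates the whole list as one string; a short comment saying that, and that (as far as this hunk shows) the individual names are not checked separately here, would help the next reader judge where the function is safe to use. The function's body continues past the end of the hunk.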
@@ -3485,45 +3487,47 @@
 va_end(args); return ds; } void sqlCheckError(char *format, ...) /* A sql injection error has occurred. Check for settings and respond * as appropriate with error, warning, logOnly, ignore, dumpstack. * Then abort if needed. NOTE: unless it aborts, this function will return! */ { va_list args; va_start(args, format); char *noSqlInjLevel = cfgOption("noSqlInj.level"); char *noSqlInjDumpStack = cfgOption("noSqlInj.dumpStack");
-char *browserDumpStack = cfgOption("browser.dumpStack");
-
-char *scriptName = cgiScriptName();
+// I tried to incorporate this setting so as to avoid duplicate dumpStacks
+// but it is not working that well, and I would rather have two than zero dumps.
+//char *browserDumpStack = cfgOption("browser.dumpStack");
+//char *scriptName = cgiScriptName();
 if (noSqlInjLevel) { // don't dump if if we are going to do it during errAbort anyway
- if (sameOk(noSqlInjDumpStack, "on")
- && (!(sameString(noSqlInjLevel, "abort")
+ if (sameOk(noSqlInjDumpStack, "on"))
+ /* && (!(sameString(noSqlInjLevel, "abort")
 && cgiIsOnWeb() && sameOk(browserDumpStack, "on")) || endsWith(scriptName, "hgSuggest") ) // note: this doesn't work for hgSuggest because it doesn't set the dumpStack handler. // TODO find or add a better method to tell if it would already dumpStack on abort. )
+ */
 { va_list dump_args; va_copy(dump_args, args); vaDumpStack(format, dump_args); va_end(dump_args); } if (sameString(noSqlInjLevel, "logOnly")) { vfprintf(stderr, format, args); } if (sameString(noSqlInjLevel, "warn")) { vaWarn(format, args);