[ckan-changes] [ckan/ckan] 8f026f: [#1871] Add function to extract table names from S...

• Previous message: [ckan-changes] [ckan/ckan] a31444: [#1723] Do not show create fields in member edit
• Next message: [ckan-changes] [ckan/ckan] 68fe12: [#1792] Fix XSS and bug with numeric/quoted values...
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

  Branch: refs/heads/1871-datastore-sql-tables
  Home:   https://github.com/ckan/ckan
  Commit: 8f026f5a6043a6f0f161ea53844e2bcb565bb633
      https://github.com/ckan/ckan/commit/8f026f5a6043a6f0f161ea53844e2bcb565bb633
  Author: amercader <amercadero at gmail.com>
  Date:   2014-08-05 (Tue, 05 Aug 2014)

  Changed paths:
    M ckanext/datastore/helpers.py
    M ckanext/datastore/tests/test_helpers.py

  Log Message:
  -----------
  [#1871] Add function to extract table names from SQL statement

The function performs an EXPLAIN query with the provided statement and
parses its output looking for table names.

For Postgres >= 9.x it uses the FORMAT JSON option to get and parse a
JSON objects.

For older versions of Postgres the plain text option is used.


  Commit: d51a6e3b39d46e6a620d24309657100dc2f47cfd
      https://github.com/ckan/ckan/commit/d51a6e3b39d46e6a620d24309657100dc2f47cfd
  Author: amercader <amercadero at gmail.com>
  Date:   2014-08-05 (Tue, 05 Aug 2014)

  Changed paths:
    M ckanext/datastore/db.py
    M ckanext/datastore/tests/test_search.py

  Log Message:
  -----------
  [#1871] Disallow DataStore SQL queries involving system tables

Using the `get_table_names_from_sql` helper function before running the
provided statement, we raise a Validation error if some of the tables start
with `pg_`.


  Commit: b042e6177a34c8c1f96dadfec9c5c63a071051e2
      https://github.com/ckan/ckan/commit/b042e6177a34c8c1f96dadfec9c5c63a071051e2
  Author: amercader <amercadero at gmail.com>
  Date:   2014-08-05 (Tue, 05 Aug 2014)

  Changed paths:
    M ckanext/datastore/db.py

  Log Message:
  -----------
  [#1871] Remove EXPLAIN bits from error messages

As we are running the EXPLAIN command to look for table names before the
actual command, if there is a syntax error, table does not exist, etc,
the error messages will include the EXPLAIN statement, not the one provided.

We remove the EXPLAIN bit from the statement before raising the
exception to avoid confusion.


Compare: https://github.com/ckan/ckan/compare/8f026f5a6043^...b042e6177a34

• Previous message: [ckan-changes] [ckan/ckan] a31444: [#1723] Do not show create fields in member edit
• Next message: [ckan-changes] [ckan/ckan] 68fe12: [#1792] Fix XSS and bug with numeric/quoted values...
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]