[Git][debian-gis-team/mapserver][upstream] New upstream version 8.2.0~beta3

Wed Jun 12 04:37:58 BST 2024


Bas Couwenberg pushed to branch upstream at Debian GIS Project / mapserver


Commits:
577b8c53 by Bas Couwenberg at 2024-06-12T05:20:49+02:00
New upstream version 8.2.0~beta3
- - - - -


5 changed files:

- CMakeLists.txt
- HISTORY.md
- src/mapogroutput.cpp
- src/mapregex.c
- src/mapregex.h


Changes:

=====================================
CMakeLists.txt
=====================================
@@ -18,7 +18,7 @@ include(CheckCSourceCompiles)
 set (MapServer_VERSION_MAJOR 8)
 set (MapServer_VERSION_MINOR 2)
 set (MapServer_VERSION_REVISION 0)
-set (MapServer_VERSION_SUFFIX "-beta2")
+set (MapServer_VERSION_SUFFIX "-beta3")
 
 # Set C++ version
 # Make CMAKE_CXX_STANDARD available as cache option overridable by user


=====================================
HISTORY.md
=====================================
@@ -13,6 +13,11 @@ https://mapserver.org/development/changelog/
 
 The online Migration Guide can be found at https://mapserver.org/MIGRATION_GUIDE.html
 
+8.2.0-beta3 release (2024-06-11)
+--------------------------------
+
+- security fix to prevent SQL injections through regex validation (#7075)
+
 8.2.0-beta2 release (2024-06-08)
 --------------------------------
 
@@ -115,6 +120,15 @@ RC2 was released as the final 8.0.0 (see major changes below)
 
 - upgrade Travis and GitHub CI to run on Ubuntu Focal (#6430)
 
+7.6.5 release (2023-04-17)
+--------------------------
+
+- remove password content from logs (#6621)
+
+- increase security and stability (#6818)
+
+see detailed changelog for other fixes
+
 7.6.4 release (2021-07-12)
 --------------------------
 


=====================================
src/mapogroutput.cpp
=====================================
@@ -768,7 +768,12 @@ int msOGRWriteFromQuery(mapObj *map, outputFormatObj *format, int sendheaders)
   }
 
   if (!EQUAL(storage, "stream")) {
-    msBuildPath(datasource_name, request_dir, fo_filename);
+    if (!msBuildPath(datasource_name, request_dir, fo_filename)) {
+      msFree(request_dir);
+      CSLDestroy(layer_options);
+      CSLDestroy(ds_options);
+      return MS_FAILURE;
+    }
 
     if (EQUAL(form, "zip")) {
       /* if generating a zip file, remove the zip extension for the internal */
@@ -779,7 +784,7 @@ int msOGRWriteFromQuery(mapObj *map, outputFormatObj *format, int sendheaders)
 
       /* and add .dat extension if user didn't provide another extension */
       if (EQUAL(CPLGetExtension(datasource_name), "")) {
-        strcat(datasource_name, ".dat");
+        strlcat(datasource_name, ".dat", sizeof(datasource_name));
       }
     }
 


=====================================
src/mapregex.c
=====================================
@@ -57,7 +57,16 @@ MS_API_EXPORT(int) ms_regcomp(ms_regex_t *regex, const char *expr, int cflags) {
   /* Must free in regfree() */
   regex_t *sys_regex = (regex_t *)msSmallMalloc(sizeof(regex_t));
   regex->sys_regex = (void *)sys_regex;
-  int ret = regcomp(sys_regex, expr, cflags);
+  int reg_cflags = 0;
+  if (cflags & MS_REG_EXTENDED)
+    reg_cflags |= REG_EXTENDED;
+  if (cflags & MS_REG_ICASE)
+    reg_cflags |= REG_ICASE;
+  if (cflags & MS_REG_NOSUB)
+    reg_cflags |= REG_NOSUB;
+  if (cflags & MS_REG_NEWLINE)
+    reg_cflags |= REG_NEWLINE;
+  int ret = regcomp(sys_regex, expr, reg_cflags);
   if (ret != 0) {
     free(regex->sys_regex);
     regex->sys_regex = NULL;


=====================================
src/mapregex.h
=====================================
@@ -66,11 +66,10 @@ MS_API_EXPORT(void) ms_regfree(ms_regex_t *);
 #define MS_REG_BASIC 0000
 #define MS_REG_EXTENDED 0001
 #define MS_REG_ICASE 0002
+// WARNING: GNU regex has REG_NOSUB = (1 << 3) = 8
 #define MS_REG_NOSUB 0004
+// WARNING: GNU regex has REG_NEWLINE = (1 << 2) = 4
 #define MS_REG_NEWLINE 0010
-#define MS_REG_NOSPEC 0020
-#define MS_REG_PEND 0040
-#define MS_REG_DUMP 0200
 
 /* === regerror.c === */
 #define MS_REG_OKAY 0



View it on GitLab: https://salsa.debian.org/debian-gis-team/mapserver/-/commit/577b8c53d27be9c3b1f763a11665ee0bfb1187c6

-- 
This project does not include diff previews in email notifications.
View it on GitLab: https://salsa.debian.org/debian-gis-team/mapserver/-/commit/577b8c53d27be9c3b1f763a11665ee0bfb1187c6
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/pkg-grass-devel/attachments/20240612/7cd0b488/attachment-0001.htm>
