[Python-checkins] cpython (3.5): Issue #24594: Validates persist parameter when opening MSI database
steve.dower
python-checkins at python.org
Fri Sep 9 15:10:04 EDT 2016
https://hg.python.org/cpython/rev/fa89e107f43d
changeset: 103439:fa89e107f43d
branch: 3.5
parent: 103435:99db6a25444b
user: Steve Dower <steve.dower at microsoft.com>
date: Fri Sep 09 11:56:34 2016 -0700
summary:
Issue #24594: Validates persist parameter when opening MSI database
files:
Misc/NEWS | 2 ++
PC/_msi.c | 20 +++++++++++++++++---
2 files changed, 19 insertions(+), 3 deletions(-)
diff --git a/Misc/NEWS b/Misc/NEWS
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -62,6 +62,8 @@
Library
-------
+- Issue #24594: Validates persist parameter when opening MSI database
+
- Issue #28047: Fixed calculation of line length used for the base64 CTE
in the new email policies.
diff --git a/PC/_msi.c b/PC/_msi.c
--- a/PC/_msi.c
+++ b/PC/_msi.c
@@ -955,6 +955,17 @@
0, /*tp_is_gc*/
};
+#define Py_NOT_PERSIST(x, flag) \
+ (x != (int)(flag) && \
+ x != ((int)(flag) | MSIDBOPEN_PATCHFILE))
+
+#define Py_INVALID_PERSIST(x) \
+ (Py_NOT_PERSIST(x, MSIDBOPEN_READONLY) && \
+ Py_NOT_PERSIST(x, MSIDBOPEN_TRANSACT) && \
+ Py_NOT_PERSIST(x, MSIDBOPEN_DIRECT) && \
+ Py_NOT_PERSIST(x, MSIDBOPEN_CREATE) && \
+ Py_NOT_PERSIST(x, MSIDBOPEN_CREATEDIRECT))
+
static PyObject* msiopendb(PyObject *obj, PyObject *args)
{
int status;
@@ -962,11 +973,14 @@
int persist;
MSIHANDLE h;
msiobj *result;
-
if (!PyArg_ParseTuple(args, "si:MSIOpenDatabase", &path, &persist))
return NULL;
-
- status = MsiOpenDatabase(path, (LPCSTR)persist, &h);
+ /* We need to validate that persist is a valid MSIDBOPEN_* value. Otherwise,
+ MsiOpenDatabase may treat the value as a pointer, leading to unexpected
+ behavior. */
+ if (Py_INVALID_PERSIST(persist))
+ return msierror(ERROR_INVALID_PARAMETER);
+ status = MsiOpenDatabase(path, (LPCSTR)persist, &h);
if (status != ERROR_SUCCESS)
return msierror(status);
--
Repository URL: https://hg.python.org/cpython
More information about the Python-checkins
mailing list