From c3bb9ec42ccc86d55055494bad31835a0fae00d2 Mon Sep 17 00:00:00 2001
From: Justin Clarke Casey
Date: Fri, 24 Jul 2009 20:01:17 +0000
Subject: * Apply asset and inventory name and description bound checks to MySQL
---
 OpenSim/Data/MySQL/MySQLAssetData.cs | 18 ++++++++++++++++--
 OpenSim/Data/MySQL/MySQLInventoryData.cs | 27 ++++++++++++++++++++++++---
 2 files changed, 40 insertions(+), 5 deletions(-)
(limited to 'OpenSim/Data/MySQL')
diff --git a/OpenSim/Data/MySQL/MySQLAssetData.cs b/OpenSim/Data/MySQL/MySQLAssetData.cs
index c22f645..26cdd06 100644
--- a/OpenSim/Data/MySQL/MySQLAssetData.cs
+++ b/OpenSim/Data/MySQL/MySQLAssetData.cs
@@ -210,6 +210,20 @@ namespace OpenSim.Data.MySQL
 "VALUES(?id, ?name, ?description, ?assetType, ?local, ?temporary, ?create_time, ?access_time, ?data)", _dbConnection.Connection);
+ string assetName = asset.Name;
+ if (asset.Name.Length > 64)
+ {
+ assetName = asset.Name.Substring(0, 64);
+ m_log.Warn("[ASSET DB]: Name field truncated from " + asset.Name.Length + " to " + assetName.Length + " characters on add");
+ }
+
+ string assetDescription = asset.Description;
+ if (asset.Description.Length > 64)
+ {
+ assetDescription = asset.Description.Substring(0, 64);
+ m_log.Warn("[ASSET DB]: Description field truncated from " + asset.Description.Length + " to " + assetDescription.Length + " characters on add");
+ }
+
 // need to ensure we dispose
 try
 {
@@ -218,8 +232,8 @@ namespace OpenSim.Data.MySQL
 // create unix epoch time
 int now = (int)((DateTime.Now.Ticks - TicksToEpoch) / 10000000);
 cmd.Parameters.AddWithValue("?id", asset.ID);
- cmd.Parameters.AddWithValue("?name", asset.Name);
- cmd.Parameters.AddWithValue("?description", asset.Description);
+ cmd.Parameters.AddWithValue("?name", assetName);
+ cmd.Parameters.AddWithValue("?description", assetDescription);
 cmd.Parameters.AddWithValue("?assetType", asset.Type);
 cmd.Parameters.AddWithValue("?local", asset.Local);
 cmd.Parameters.AddWithValue("?temporary", asset.Temporary);
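Review bot: The new length checks in the `@@ -210,6 +210,20 @@` hunk dereference `asset.Name` and `asset.Description` without a null guard, and they sit between the `new MySqlCommand(...)` construction and the `try` that the comment says exists to ensure disposal. If either field can be null (not visible in this hunk), `asset.Name.Length` throws before the `try` is entered and the command is never disposed, whereas the old code simply handed the value to `AddWithValue`. I would guard the comparison, e.g. `if (assetName != null && assetName.Length > 64)`, and move both blocks above the command construction or inside the `try`. The same unguarded `.Length` pattern is repeated for `item.Name`/`item.Description` and `folder.Name` in the two MySQLInventoryData.cs hunks. The enclosing method starts and ends outside the hunk.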
diff --git a/OpenSim/Data/MySQL/MySQLInventoryData.cs b/OpenSim/Data/MySQL/MySQLInventoryData.cs
index e48f26a..a4b8663 100644
--- a/OpenSim/Data/MySQL/MySQLInventoryData.cs
+++ b/OpenSim/Data/MySQL/MySQLInventoryData.cs
@@ -471,6 +471,20 @@ namespace OpenSim.Data.MySQL
 + ", ?inventoryBasePermissions, ?inventoryEveryOnePermissions, ?inventoryGroupPermissions, ?salePrice, ?saleType, ?creationDate" + ", ?groupID, ?groupOwned, ?flags)";
+ string itemName = item.Name;
+ if (item.Name.Length > 64)
+ {
+ itemName = item.Name.Substring(0, 64);
+ m_log.Warn("[INVENTORY DB]: Name field truncated from " + item.Name.Length + " to " + itemName.Length + " characters on add item");
+ }
+
+ string itemDesc = item.Description;
+ if (item.Description.Length > 128)
+ {
+ itemDesc = item.Description.Substring(0, 128);
+ m_log.Warn("[INVENTORY DB]: Description field truncated from " + item.Description.Length + " to " + itemDesc.Length + " characters on add item");
+ }
+
 try
 {
 database.CheckConnection();
@@ -481,8 +495,8 @@ namespace OpenSim.Data.MySQL
 result.Parameters.AddWithValue("?assetType", item.AssetType.ToString());
 result.Parameters.AddWithValue("?parentFolderID", item.Folder.ToString());
 result.Parameters.AddWithValue("?avatarID", item.Owner.ToString());
- result.Parameters.AddWithValue("?inventoryName", item.Name);
- result.Parameters.AddWithValue("?inventoryDescription", item.Description);
+ result.Parameters.AddWithValue("?inventoryName", itemName);
+ result.Parameters.AddWithValue("?inventoryDescription", itemDesc);
 result.Parameters.AddWithValue("?inventoryNextPermissions", item.NextPermissions.ToString());
 result.Parameters.AddWithValue("?inventoryCurrentPermissions", item.CurrentPermissions.ToString());
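Review bot: The two `m_log.Warn` calls added in the `@@ -471,6 +471,20 @@` hunk record only the old and new lengths, so an operator reading the log cannot tell which item or owner submitted the over-long name or description. These strings presumably come from clients, so a run of truncation warnings is something you want to be able to attribute. `item.Owner` is already read in the following hunk and could be appended, e.g. `" characters on add item, owner " + item.Owner`. The asset and folder warnings in the other hunks have the same gap, and `asset.ID` and `folder.ID` are in scope there. Keeping the field contents themselves out of the message, as the code does now, is worth preserving.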
@@ -575,13 +589,20 @@ namespace OpenSim.Data.MySQL
 "REPLACE INTO inventoryfolders (folderID, agentID, parentFolderID, folderName, type, version) VALUES ";
 sql += "(?folderID, ?agentID, ?parentFolderID, ?folderName, ?type, ?version)";
+ string folderName = folder.Name;
+ if (folderName.Length > 64)
+ {
+ folderName = folderName.Substring(0, 64);
+ m_log.Warn("[INVENTORY DB]: Name field truncated from " + folder.Name.Length + " to " + folderName.Length + " characters on add folder");
+ }
+
 database.CheckConnection();
 MySqlCommand cmd = new MySqlCommand(sql, database.Connection);
 cmd.Parameters.AddWithValue("?folderID", folder.ID.ToString());
 cmd.Parameters.AddWithValue("?agentID", folder.Owner.ToString());
 cmd.Parameters.AddWithValue("?parentFolderID", folder.ParentID.ToString());
- cmd.Parameters.AddWithValue("?folderName", folder.Name);
+ cmd.Parameters.AddWithValue("?folderName", folderName);
 cmd.Parameters.AddWithValue("?type", (short) folder.Type);
 cmd.Parameters.AddWithValue("?version", folder.Version);
--
cgit v1.1
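Review bot: `folderName.Substring(0, 64)` cuts at a UTF-16 code-unit boundary, so a name whose 64th unit is the first half of a surrogate pair is stored with a dangling high surrogate. Depending on the connection and column character set (not visible here), that can be written as a replacement character or rejected by the server. Backing off one unit avoids it: `int cut = char.IsHighSurrogate(folderName[63]) ? 63 : 64;` followed by `folderName = folderName.Substring(0, cut);`. The same applies to the four `Substring(0, 64)`/`Substring(0, 128)` calls in the earlier hunks. A small shared helper that takes the limit would also replace the five copies of the literal widths with named constants tied to the schema.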