Overview

File quassel-CVE-2013-4422.patch of Package quassel.4391

From 6605882f41331c80f7ac3a6992650a702ec71283 Mon Sep 17 00:00:00 2001
From: Michael Marley <michael@michaelmarley.com>
Date: Thu, 23 Apr 2015 08:46:43 -0400
Subject: [PATCH] Execute initDbSession() on DB reconnects

Previously, the initDbSession() function would only be run on the
initial connect.  Since the initDbSession() code in PostgreSQL is
used to fix the CVE-2013-4422 SQL Injection bug, this means that
Quassel was still vulnerable to that CVE if the PostgreSQL server
is restarted or the connection is lost at any point while Quassel
is running.

This bug also causes the Qt5 psql timezone fix to stop working
after a reconnect.

The fix is to disable Qt's automatic reconnecting, check the
connection status ourselves, and reconnect if necessary, executing
the initDbSession() function afterward.
---
 src/core/abstractsqlstorage.cpp | 15 ++++++++++++++-
 src/core/abstractsqlstorage.h   |  1 +
 2 files changed, 15 insertions(+), 1 deletion(-)

diff --git a/src/core/abstractsqlstorage.cpp b/src/core/abstractsqlstorage.cpp
index cb07454..dce39cb 100644
--- a/src/core/abstractsqlstorage.cpp
+++ b/src/core/abstractsqlstorage.cpp
@@ -53,7 +53,14 @@ QSqlDatabase AbstractSqlStorage::logDb()
     if (!_connectionPool.contains(QThread::currentThread()))
         addConnectionToPool();
 
-    return QSqlDatabase::database(_connectionPool[QThread::currentThread()]->name());
+    QSqlDatabase db = QSqlDatabase::database(_connectionPool[QThread::currentThread()]->name(),false);
+
+    if (!db.isOpen()) {
+        qWarning() << "Database connection" << displayName() << "for thread" << QThread::currentThread() << "was lost, attempting to reconnect...";
+        dbConnect(db);
+    }
+
+    return db;
 }
 
 
@@ -90,6 +97,12 @@ void AbstractSqlStorage::addConnectionToPool()
         db.setPassword(password());
     }
 
+    dbConnect(db);
+}
+
+
+void AbstractSqlStorage::dbConnect(QSqlDatabase &db)
+{
     if (!db.open()) {
         quWarning() << "Unable to open database" << displayName() << "for thread" << QThread::currentThread();
         quWarning() << "-" << db.lastError().text();
diff --git a/src/core/abstractsqlstorage.h b/src/core/abstractsqlstorage.h
index 90a8aa9..c39e826 100644
--- a/src/core/abstractsqlstorage.h
+++ b/src/core/abstractsqlstorage.h
@@ -87,6 +87,7 @@ private slots:
 
 private:
     void addConnectionToPool();
+    void dbConnect(QSqlDatabase &db);
 
     int _schemaVersion;
     bool _debug;
openSUSE Build Service is sponsored by
Places