From 9dceaa9c75655a5c0f1b11d96d0e306d32c40b5a Mon Sep 17 00:00:00 2001
From: David Anderson
Date: Mon, 21 Dec 2009 00:58:58 +0000
Subject: [PATCH] - scheduler: fix SQL injection vulnerability
svn path=/branches/server_stable/; revision=19996
---
 checkin_notes | 5 +++++
 sched/handle_request.cpp | 5 ++++-
 2 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/checkin_notes b/checkin_notes
index 30944e1d9a..ba301f7d54 100644
--- a/checkin_notes
+++ b/checkin_notes
@@ -8896,3 +8896,8 @@ David 6 Nov 2009
 db/
 boinc_db.cpp
+David 20 Dec 2009
+ - scheduler: fix SQL injection vulnerability
+
+ sched/
+ handle_request.cpp
diff --git a/sched/handle_request.cpp b/sched/handle_request.cpp
index 0764b800c7..48defae383 100644
--- a/sched/handle_request.cpp
+++ b/sched/handle_request.cpp
@@ -599,7 +599,10 @@ int send_result_abort() {
 orp.reason = ABORT_REASON_NOT_FOUND;
 if (i > 0) result_names.append(", ");
 result_names.append("'");
- result_names.append(orp.name);
+ char buf[1024];
+ strcpy(buf, orp.name);
+ escape_string(buf, 1024);
+ result_names.append(buf);
 result_names.append("'");
 }
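Review bot: The added `strcpy(buf, orp.name);` in the sched/handle_request.cpp hunk copies into a fixed 1024-byte stack buffer with no length check, so the injection fix may introduce an overflow unless `orp.name` is guaranteed to be shorter; its declared size is not visible in this hunk. A bounded copy such as `snprintf(buf, sizeof(buf), "%s", orp.name);` followed by `escape_string(buf, sizeof(buf));` removes that risk and the repeated literal 1024. Escaping can roughly double the length of a name, so it is worth confirming what `escape_string` does when the escaped form does not fit, since a truncated escape sequence would leave the quoted literal malformed. The body of `send_result_abort()` begins and ends outside the hunk; binding the names as query parameters instead of concatenating them into `result_names` would be the sturdier long-term fix.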