Commit message [Author, Age, Files, Lines]
...
| | * Fix use-after-free when destroying filter chain [Michael Budde, 2019-01-28, 2, -0/+3]
| |/    When using the `--gain` option the `temporaries_t` in `changed_value_posts` filter stores a reference to the `<Revalued>` temp account created in `display_filter_posts`. When destroying the filter chain `display_filter_posts` is destroyed before `changed_value_posts` and this can result in a use-after-free in `temporaries_t::clear()` when `temps` in `changed_value_posts` is cleared during destruction if there are any temp posts referencing the `<Revalued>` account. Fix the issue by clearing the `temporaries_t` in `changed_value_posts` before destroying the rest of the filter chain (which includes `display_filter_posts`).
| |     Fixes #541
| * Merge pull request #1751 from scfc/use-cmake-cxx-compiler-id-to-select-on-compiler [John Wiegley, 2019-01-27, 2, -4/+3]
| |\    Use CMAKE_CXX_COMPILER_ID for conditions based on compiler
| | * Use CMAKE_CXX_COMPILER_ID for conditions based on compiler [Tim Landscheidt, 2019-01-26, 2, -4/+3]
| |/    CMAKE_CXX_COMPILER is the path to the compiler binary and does not need to follow a specific pattern. For example, on Linux with GCC and without an explicit "-DCMAKE_CXX_COMPILER:PATH=" option, CMAKE_CXX_COMPILER is "/usr/bin/c++" which does not match "g++". CMAKE_CXX_COMPILER_ID however will always reliably be "Clang" or "GNU".
| * Add short option -f (for --file) to man page [Jonas Meurer, 2019-01-26, 1, -1/+1]
| |
| * Fix possible stack overflow in option parsing routine [Martin Michlmayr, 2019-01-26, 3, -0/+15]
| |     It is possible to create a stack overflow by giving an option that is longer than the buffer that is used during option parsing because the length of the input string is not checked. Prevent the issue by always checking the input string length and discarding options that do not fit in the buffer as invalid.
| |     This issue has been assigned CVE-2017-12481. Thanks to Gwan Yeong Kim for reporting this issue.
| |     Fixes #1222
| * Fix possible stack overflow in date parsing routine [Michael Budde, 2019-01-26, 3, -1/+15]
| |     It is possible to create a stack overflow by giving a date that is longer than the buffer that is used during date parsing because the length of the input string is not checked. The `VERIFY` macro is only enabled when debug-mode is enabled and the `--verify-memory` argument is used. Prevent the issue by always checking the input string length and discarding dates that do not fit in the buffer as invalid.
| |     This issue has been assigned CVE-2017-12482.
| |     Fixes #1224
| * Merge pull request #1657 from nagakiran/timelog-checkin-multiple-accounts-at-a-time [John Wiegley, 2019-01-25, 1, -1/+1]
| |\    Timelog: Not able to check-in to multiple accounts at a time
| | * Timelog: Not able to check-in to multiple accounts at a time [Naga Kiran, 2018-06-25, 1, -1/+1]
| | |    Checking-in to multiple accounts at a time throws the following error: "When multiple check-ins are active, checking out requires an account".
| | |    Issue is that the account name was sent as 3rd parameter to time_xact_t constructor whereas it is supposed to be sent as 4th parameter.
| | |    Corrected the argument position of account name in constructor call to time_xact_t.
| * | Merge pull request #1726 from scfc/compile-strptime-only-on-windows [John Wiegley, 2019-01-25, 2, -5/+12]
| |\ \    Compile strptime.cc only on Windows
| | * | Compile strptime.cc only on Windows [Tim Landscheidt, 2019-01-16, 2, -5/+12]
| | | |
| * | | Merge pull request #1736 from scfc/drop-conditionals-for-boost-earlier-than-1-49 [John Wiegley, 2019-01-25, 7, -62/+4]
| |\ \ \    Drop conditionals for Boost earlier than 1.49
| | * | | Drop conditionals for Boost earlier than 1.49 [Tim Landscheidt, 2019-01-17, 7, -64/+6]
| | | | |    Ledger requires Boost 1.49 or later and enforces this in CMakeLists.txt. This means BOOST_VERSION will always be 104900 or higher. Also, since Boost 1.46, BOOST_FILESYSTEM_VERSION is 3.
| * | | | Merge pull request #1742 from scfc/rephrase-boost-build-matrix [John Wiegley, 2019-01-25, 3, -96/+29]
| |\ \ \ \    Rephrase Boost build matrix
| | * | | | Use build matrix to specify Boost versions for Travis CI [Tim Landscheidt, 2019-01-22, 3, -45/+29]
| | | | | |    In Travis CI, versions of libraries, etc. to build against are typically specified in a build matrix. In addition, currently there is no way to build against the distribution-provided Boost version. This change uses a build matrix for BOOST_VERSION and allows that variable to be empty for building against the distribution-provided Boost version.
| | * | | | Remove broken and disabled Travis CI configurations [Tim Landscheidt, 2019-01-22, 3, -51/+0]
| | | | | |    The Travis CI configurations for macOS, Clang on Linux and CheckTexinfo.py and CheckManpage.py are broken and disabled or ignored. They appear to be non-trivial to fix, so the current stub is probably more distracting than helpful while also making changes to the working Linux configuration more difficult.
| * | | | | Merge pull request #1743 from scfc/move-garbage-dat-to-test-using-it [John Wiegley, 2019-01-25, 3, -32/+32]
| |\ \ \ \ \    Move garbage-input.dat to test case using it
| | * | | | | Move garbage-input.dat to test case using it [Tim Landscheidt, 2019-01-22, 3, -32/+32]
| | |/ / / /
| * | | | | Merge pull request #1744 from scfc/do-not-set-dependencies-for-target-check [John Wiegley, 2019-01-25, 2, -7/+0]
| |\ \ \ \ \    Do not set dependencies for target check
| | * | | | | Do not set dependencies for target check [Tim Landscheidt, 2019-01-22, 2, -7/+0]
| | |/ / / /    The set_target_properties() commands themselves do not cause the tests to run if the target check is made, and as the target check executes ctest, all tests will be run anyway.
| * | | | | Merge pull request #1745 from mbudde/ignore-null-deferred-postings [John Wiegley, 2019-01-25, 3, -3/+13]
| |\ \ \ \ \    Ignore null deferred postings
| | * | | | | Ignore null deferred postings [Michael Budde, 2019-01-23, 3, -3/+13]
| | |/ / / /    All-null transactions (i.e. a transaction where all postings have a null amount) are discarded during parsing and the `xact` object is free'd. But if the transaction contains a deferred posting this results in a use-after-free vulnerability because a reference to the deferred posting is stored in the account object which is later read when deferred postings are applied after parsing is finished. Ignore null deferred postings to prevent this – they should not have any effect anyway.
| | | | | |    Thanks to Cory Duplantis for reporting this issue and providing an initial analysis.
| | | | | |    Ref TALOS-2017-0304, CVE-2017-2808
| | | | | |    Fixes #1723
| * | | | | Expose post_t::given_cost over python [Christoph Dittmann, 2019-01-25, 1, -0/+5]
| | | | | |    This fixes #1655 by making the post_t::given_cost variable accessible over python. This allows access to the given cost of a posting. For example, here it will be "-2 EUR":
| | | | | |        A -2 XXX {1 EUR} [2018-01-01] @@ 2 EUR
| | | | | |    If a per-unit cost is given, the given_cost variable will still contain the cost of the posting. For example, here it will be "-4 EUR":
| | | | | |        B -2 XXX {1 EUR} [2018-01-01] @ 2 EUR
| * | | | | Drop support for gcc 2 and earlier [Tim Landscheidt, 2019-01-25, 14, -97/+65]
| | | | | |
| * | | | | Remove workaround for isspace() on FreeBSD 4 and earlier [Tim Landscheidt, 2019-01-25, 1, -5/+0]
| | | | | |    FreeBSD 4 was declared end-of-life in 2006 (https://lists.freebsd.org/pipermail/freebsd-security/2006-October/004111.html). Currently, only FreeBSD 11 and 12 are supported (https://www.freebsd.org/security/security.html#sup).
| * | | | | Add tzdata to build dependencies for Ubuntu [Tim Landscheidt, 2019-01-25, 3, -4/+6]
| | | | | |    The test suite uses the symbolic time zone name "America/Chicago". To resolve that, the tzdata package needs to be installed. This fixes #1739.
| * | | | | Quick nitpick styling change/enhancement [Gonzalo Rizzo, 2019-01-25, 1, -6/+6]
| |/ / / /
| * | | | Use standard GCC in Travis CI [Tim Landscheidt, 2019-01-19, 1, -7/+0]
| | | | |    Commit 4c4367fe6b7f184605c900735fc5b646f45311c1 added some logic to compile Ledger with GCC 4.8 as Travis CI's Ubuntu Precise environments only offered 4.6 at that time. Since then, the default image has changed to Ubuntu Trusty which provides GCC 4.8.
| * | | | Merge pull request #1735 from scfc/remove-code-related-to-boost-facets [John Wiegley, 2019-01-17, 2, -82/+2]
| |\ \ \ \    Remove unused development code related to USE_BOOST_FACETS
| | |/ / /
| |/| | |
| | * | | Remove unused development code related to USE_BOOST_FACETS [Tim Landscheidt, 2019-01-17, 2, -82/+2]
| |/ / /    The code can be accessed by Git history and reused in a branch if necessary.
| * | | Merge pull request #1733 from pascalfleury/ubuntu_deps_update [John Wiegley, 2019-01-17, 2, -49/+44]
| |\ \ \    Ubuntu deps update
| | * | | Update README info. [Pascal Fleury, 2019-01-17, 1, -9/+1]
| | | | |
| | * | | update deps. [Pascal Fleury, 2019-01-17, 1, -39/+42]
| | | | |
| | * | | Make acprep work with Python3. [Pascal Fleury, 2019-01-17, 1, -1/+1]
| | |/ /
| * | | Merge pull request #1734 from tko/boost-fmt [John Wiegley, 2019-01-17, 2, -4/+4]
| |\ \ \    Fix some boost format strings
| | |/ /
| |/| |
| | * | Fix some boost format strings [Tommi Komulainen, 2019-01-17, 2, -4/+4]
| |/ /    Fixes: Error: boost::bad_format_string: format-string is ill-formed
| * | Fix parsing issue involving effective dates [Martin Michlmayr, 2019-01-15, 3, -1/+16]
| | |    Cory Duplantis reported that "A specially crafted journal file can cause [an] integer underflow resulting in code execution". Cory provided this test case:
| | |        Expenses:Food:Groceries $ 37.50 ; ] [=2004/01/01]
| | |    Note the ] that comes before [ after the ;.
| | |    This issue was reported and described in great detail by Cory Duplantis of Cisco Talos. This issue is known as TALOS-2017-0303 and has been assigned CVE-2017-2807. Cory's description can be found at https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0303
| | |    Fixes #1722
| * | Merge pull request #1705 from scfc/move-have-edit [John Wiegley, 2019-01-14, 2, -13/+9]
| |\ \    Use HAVE_EDIT only in main.cc
| | * \ Merge branch 'next' into move-have-edit [John Wiegley, 2019-01-14, 11, -47/+56]
| | |\ \
| | |/ /
| |/| |
| * | | Merge pull request #1707 from scfc/remove-sys-stat-h [John Wiegley, 2019-01-14, 1, -1/+0]
| |\ \ \    Remove unnecessary include for sys/stat.h
| | * | | Remove unnecessary include for sys/stat.h [Tim Landscheidt, 2019-01-12, 1, -2/+1]
| | | | |
| * | | | Merge pull request #1713 from scfc/remove-unicodeobject-h [John Wiegley, 2019-01-14, 1, -1/+0]
| |\ \ \ \    Remove unnecessary include for unicodeobject.h
| | * | | | Remove unnecessary include for unicodeobject.h [Tim Landscheidt, 2019-01-13, 1, -1/+0]
| | |/ / /
| * | | | Merge pull request #1714 from scfc/remove-py-dump-relaxed [John Wiegley, 2019-01-14, 1, -7/+1]
| |\ \ \ \    Remove unused function py_dump_relaxed()
| | * | | | Remove unused function py_dump_relaxed() [Tim Landscheidt, 2019-01-13, 1, -7/+1]
| | | | | |    The only user of py_dump_relaxed() was removed in commit 0bbb4f2f0cbaa6ffb5c7a2c018a3819cca0b2405.
| * | | | | Merge pull request #540 from scfc/fix-warnings-for-implicit-fallthrough [John Wiegley, 2019-01-14, 3, -3/+3]
| |\ \ \ \ \    Fix warnings for -Wimplicit-fallthrough
| | * | | | | Fix warnings for -Wimplicit-fallthrough [Tim Landscheidt, 2018-02-19, 3, -3/+3]
| | | | | | |
| * | | | | | Merge pull request #1718 from scfc/fix-prepend-width-warning [John Wiegley, 2019-01-14, 1, -3/+4]
| |\ \ \ \ \ \    Fix warning about uninitialized variable prepend_width
| | * | | | | | Fix warning about uninitialized variable prepend_width [Tim Landscheidt, 2019-01-14, 1, -3/+4]
| | | |/ / / /
| | |/| | | |
| * | | | | | Merge pull request #1719 from scfc/prefer-system-utf8-h [John Wiegley, 2019-01-14, 1, -1/+2]
| |\ \ \ \ \ \    Prefer system utf8cpp if available
| | * | | | | | Prefer system utf8cpp if available [Tim Landscheidt, 2019-01-14, 1, -1/+2]
| | |/ / / / /    The current logic always uses the bundled utf8cpp. This is contrary to the stated intent of commit 1d7dd3e082be8a046f21d4a2d51026ac3c1f7c14 if UTFCPP_PATH is not set explicitly.