path: root/src
Commit message (Author, Age, Files, Lines)
* py3: ensure python output is not lost (Andy Clayton, 2020-03-26, 1 file, -0/+5)
|
| Unbuffer python's stdio to avoid output getting stuck in buffer when stdout is not a TTY. Normally buffers are flushed by `Py_Finalize` but Boost has a long-standing issue preventing the proper shutdown of the interpreter with `Py_Finalize` when embedded [1].
|
| This applies the same fix as 139beba but to any ledger usage rather than only the test suite. I removed `PYTHONUNBUFFERED=1` from tests as there is no expectation that users should need to have this set for ledger to function.
|
| For example without this fix piping ledger into cat usually loses any output (unless the output is large enough to cause the buffer to flush):
|
|     $ ./ledger -f "test/baseline/feat-value_py3.test" reg
|     <class 'bool'>
|     True
|     [...]
|     $ ./ledger -f "test/baseline/feat-value_py3.test" reg | cat
|     $
|
| Interestingly `--verify` causes `python_interpreter_t` to be destroyed -- it doesn't appear to be otherwise -- which does call `Py_Finalize`. As expected this fixes the issue but can also crash due to the boost issue mentioned above:
|
|     $ ./ledger -f "test/baseline/feat-value_py3.test" --verify reg
|     <class 'bool'>
|     True
|     [...]
|     Segmentation fault (core dumped)
|     $ ./ledger -f "test/baseline/feat-value_py3.test" --verify reg | cat
|     <class 'bool'>
|     True
|     [...]
|     $
|
| 1. https://www.boost.org/doc/libs/1_62_0/libs/python/doc/html/tutorial/tutorial/embedding.html
* py3: fix builtin ledger module for python command (Andy Clayton, 2020-03-26, 1 file, -13/+10)
|
| With python3 the `python` ledger command wound up loading the ledger module shared library rather than using the builtin module as intended. This resulted in duplicated initialization and crashing on cleanup.
|
| It was also visible as duplicate converter warnings when importing ledger:
|
|     $ ./ledger --no-pager python
|     Python 3.7.5 (default, Nov 20 2019, 09:21:52)
|     [...]
|     >>> import ledger
|     /usr/lib/python3.7/importlib/_bootstrap.py:219: RuntimeWarning: to-Python converter for boost::posix_time::ptime already registered; second conversion method ignored.
|     [...]
|     /usr/lib/python3.7/importlib/_bootstrap.py:219: RuntimeWarning: to-Python converter for ledger::xact_t already registered; second conversion method ignored.
|     [...]
|     >>> ledger
|     <module 'ledger' from '/home/q/src/ledger/ledger.so'>
|     >>> exit()
|     Segmentation fault (core dumped)
|
| After this change:
|
|     Python 3.7.5 (default, Nov 20 2019, 09:21:52)
|     [...]
|     >>> import ledger
|     >>> ledger
|     <module 'ledger' (built-in)>
|     >>> exit()
|     $
|
| Switches to PyImport_AppendInittab from python::detail::init_module because 1) that is what the boost docs and examples show and 2) init_module appears to be undocumented and not intended for outside use.
|
| Fixes #1867
* fix python3 command (argv) wchar_t conversion (Andy Clayton, 2020-03-26, 1 file, -4/+6)
|
| Ensure strings passed to Py_Main have a terminating null character by including the extra character allocated for terminating null in the size passed to mbstowcs.
|
| Fix argv index so all arguments are not copied to argv[0]. Fixes potential buffer overflow due to passing argv[0] as destination with argv[i + 1] src and size to mbstowcs.
* Specify namespace of uintmax_t (akater, 2020-03-03, 3 files, -6/+6)
|
| This fixes #1833 for me. @jwiegley said it's a reasonable change, and nobody else took action so here it goes. The patch is the same as proposed originally, modulo whitespace.
* fix #1850: segfault when using ledger print (Tobias Pankrath, 2020-01-08, 1 file, -1/+1)
|
* Add --averaged-lot-prices (John Wiegley, 2019-12-06, 4 files, -0/+81)
|
| This joins together lots of the same underlying, averaging the reported price and using the date of the oldest lot.
* Port to python3 (Dimitri John Ledkov, 2019-12-05, 8 files, -17/+63)
|
* Modernize CMake using backported FindPython module. (Dimitri John Ledkov, 2019-12-05, 1 file, -14/+5)
|
* Format annotations using format that can be parsed (Oleg Bulatov, 2019-11-27, 2 files, -1/+3)
|
| I expect an output of `ledger print` to be consumable by ledger. But on the next journal
|
| ```
| 2019/11/25 * test
|     Foo 1 AAPL {1.00 EUR} [2019/11/24]
|     Bar
| ```
|
| it prints [19-Nov-24], which it does not understand with default options.
|
| With this patch it prints [2019/11/24].
* Correction to the way parens are parsed in query expressions (John Wiegley, 2019-09-17, 2 files, -9/+47)
|
* Remove know-ification of elements due to post state (CandyAngel, 2019-08-27, 1 file, -20/+0)
|
* Switch from using utf8::is_bom to utf8::starts_with_bom (John Wiegley, 2019-08-18, 1 file, -1/+3)
|
| Fixes #1816
* option: fix typo in error message (Christian Dietrich, 2019-08-01, 1 file, -1/+1)
|
* Remove an unneeded comment (John Wiegley, 2019-07-05, 1 file, -9/+0)
|
* Change --invert to invert displayed amounts and totals, not amounts (John Wiegley, 2019-07-05, 1 file, -1/+2)
|
* Add support for '%F' date format specifier (Michael Budde, 2019-04-02, 1 file, -7/+7)
|
| '%F' is equivalent to '%Y-%m-%d'. Using the '%F' format without this change would not give any hard errors but instead give dates with wrong years because the 'has_year' trait would not be correctly detected and thus parsed dates would get set to the current year.
|
| Fixes #1775
* Remove dead code (Michael Budde, 2019-04-02, 1 file, -9/+0)
|
* Fix tag value parsing (Michael Budde, 2019-03-30, 1 file, -1/+1)
|
| If a tag is more than 2 characters from the beginning of the comment the tag value offset will be wrong. #1702 gives an example where the tag line starts with `;;` and the tag value thus becomes `: Bar` because of this bug.
|
| The use of `index` in the offset calculation seems to be a lucky coincidence that works in the common case: "; tag: value"
|
| Fixes #1702
* Reject postings with comment after flag (Michael Budde, 2019-03-30, 1 file, -1/+1)
|
| Fixes #1753
* Explicitly sort when creating the equity report (John Wiegley, 2019-03-15, 1 file, -11/+11)
|
* Greatly simplify balance_t::operator== (John Wiegley, 2019-03-15, 1 file, -8/+1)
|
* Switch amounts_map to std::unordered_map (John Wiegley, 2019-03-15, 2 files, -1/+2)
|
* Remove the 'org' command, which was always a hack to begin with (John Wiegley, 2019-03-15, 5 files, -305/+0)
|
* Change compare_by_commodity to return an integer (John Wiegley, 2019-03-15, 4 files, -80/+108)
|
* Further improvements to commodity sorting (John Wiegley, 2019-03-15, 1 file, -4/+6)
|
* Add more debugging information to compare_by_commodity (John Wiegley, 2019-03-15, 1 file, -13/+41)
|
* Add back some whitespace for clarity (John Wiegley, 2019-01-30, 1 file, -1/+1)
|
* Expose a new utility function for balances: sorted_amounts (John Wiegley, 2019-01-30, 2 files, -9/+16)
|
* Update copyright statement for 2019 (Martin Michlmayr, 2019-01-30, 1 file, -2/+2)
|
* Add Travis CI setup for macOS and homebrew-installed Boost (Tim Landscheidt, 2019-01-30, 1 file, -1/+3)
|
| On macOS, CMake detects the Boost.Python component installed by homebrew only when named "python27". Thus this change not only adds a Travis CI setup for macOS, but also a CMake option to switch the component name between "python" and "python27". In addition, precompiling system.hh does not work with the current setup for Clang, so another CMake option to disable it is added.
|
| The currently used commands to compile specific versions of Boost do not produce a result that works out of the box on macOS. It should be possible just to mimic homebrew's formula for boost-python (https://github.com/Homebrew/homebrew-core/blob/master/Formula/boost-python.rb), but for the moment on macOS this change tests only against Boost installed by homebrew.
* Fix use-after-free when destroying filter chain (Michael Budde, 2019-01-28, 1 file, -0/+1)
|
| When using the `--gain` option the `temporaries_t` in `changed_value_posts` filter stores a reference to the `<Revalued>` temp account created in `display_filter_posts`.
|
| When destroying the filter chain `display_filter_posts` is destroyed before `changed_value_posts` and this can result in a use-after-free in `temporaries_t::clear()` when `temps` in `changed_value_posts` is cleared during destruction if there are any temp posts referencing the `<Revalued>` account.
|
| Fix the issue by clearing the `temporaries_t` in `changed_value_posts` before destroying the rest of the filter chain (which includes `display_filter_posts`).
|
| Fixes #541
* Use CMAKE_CXX_COMPILER_ID for conditions based on compiler (Tim Landscheidt, 2019-01-26, 1 file, -2/+2)
|
| CMAKE_CXX_COMPILER is the path to the compiler binary and does not need to follow a specific pattern. For example, on Linux with GCC and without an explicit "-DCMAKE_CXX_COMPILER:PATH=" option, CMAKE_CXX_COMPILER is "/usr/bin/c++" which does not match "g++". CMAKE_CXX_COMPILER_ID however will always reliably be "Clang" or "GNU".
* Fix possible stack overflow in option parsing routine (Martin Michlmayr, 2019-01-26, 1 file, -0/+5)
|
| It is possible to create a stack overflow by giving an option that is longer than the buffer that is used during option parsing because the length of the input string is not checked.
|
| Prevent the issue by always checking the input string length and discarding options that do not fit in the buffer as invalid.
|
| This issue has been assigned CVE-2017-12481.
|
| Thanks to Gwan Yeong Kim for reporting this issue.
|
| Fixes #1222
* Fix possible stack overflow in date parsing routine (Michael Budde, 2019-01-26, 1 file, -1/+3)
|
| It is possible to create a stack overflow by giving a date that is longer than the buffer that is used during date parsing because the length of the input string is not checked. The `VERIFY` macro is only enabled when debug-mode is enabled and the `--verify-memory` argument is used.
|
| Prevent the issue by always checking the input string length and discarding dates that do not fit in the buffer as invalid.
|
| This issue has been assigned CVE-2017-12482.
|
| Fixes #1224
* Merge pull request #1657 from nagakiran/timelog-checkin-multiple-accounts-at-a-time (John Wiegley, 2019-01-25, 1 file, -1/+1)
|\
| |
| | Timelog: Not able to check-in to multiple accounts at a time
| * Timelog: Not able to check-in to multiple accounts at a time (Naga Kiran, 2018-06-25, 1 file, -1/+1)
| |
| | Checking-in to multiple accounts at a time throws the following error "When multiple check-ins are active, checking out requires an account"
| |
| | Issue is that the account name was sent as 3rd parameter to time_xact_t constructor whereas it is supposed to be sent as 4th parameter
| |
| | Corrected the argument position of account name in constructor call to time_xact_t
* | Merge pull request #1726 from scfc/compile-strptime-only-on-windows (John Wiegley, 2019-01-25, 2 files, -5/+12)
|\ \
| | |
| | | Compile strptime.cc only on Windows
| * | Compile strptime.cc only on Windows (Tim Landscheidt, 2019-01-16, 2 files, -5/+12)
| | |
* | | Merge pull request #1736 from scfc/drop-conditionals-for-boost-earlier-than-1-49 (John Wiegley, 2019-01-25, 7 files, -62/+4)
|\ \ \
| | | |
| | | | Drop conditionals for Boost earlier than 1.49
| * | | Drop conditionals for Boost earlier than 1.49 (Tim Landscheidt, 2019-01-17, 7 files, -64/+6)
| | | |
| | | | Ledger requires Boost 1.49 or later and enforces this in CMakeLists.txt. This means BOOST_VERSION will always be 104900 or higher. Also, since Boost 1.46, BOOST_FILESYSTEM_VERSION is 3.
* | | | Merge pull request #1745 from mbudde/ignore-null-deferred-postings (John Wiegley, 2019-01-25, 1 file, -3/+5)
|\ \ \ \
| | | | |
| | | | | Ignore null deferred postings
| * | | | Ignore null deferred postings (Michael Budde, 2019-01-23, 1 file, -3/+5)
| | | | |
| | | | | All-null transactions (i.e. a transaction where all postings have a null amount) are discarded during parsing and the `xact` object is free'd. But if the transaction contains a deferred posting this results in a use-after-free vulnerability because a reference to the deferred posting is stored in the account object which is later read when deferred postings are applied after parsing is finished.
| | | | |
| | | | | Ignore null deferred postings to prevent this – they should not have any effect anyway.
| | | | |
| | | | | Thanks to Cory Duplantis for reporting this issue and providing an initial analysis.
| | | | |
| | | | | Ref TALOS-2017-0304, CVE-2017-2808
| | | | |
| | | | | Fixes #1723
* | | | | Expose post_t::given_cost over python (Christoph Dittmann, 2019-01-25, 1 file, -0/+5)
| | | | |
| | | | | This fixes #1655 by making the post_t::given_cost variable accessible over python.
| | | | |
| | | | | This allows access to the given cost of a posting. For example, here it will be "-2 EUR":
| | | | |
| | | | |     A -2 XXX {1 EUR} [2018-01-01] @@ 2 EUR
| | | | |
| | | | | If a per-unit cost is given, the given_cost variable will still contain the cost of the posting. For example, here it will be "-4 EUR":
| | | | |
| | | | |     B -2 XXX {1 EUR} [2018-01-01] @ 2 EUR
* | | | | Drop support for gcc 2 and earlier (Tim Landscheidt, 2019-01-25, 14 files, -97/+65)
| | | | |
* | | | | Remove workaround for isspace() on FreeBSD 4 and earlier (Tim Landscheidt, 2019-01-25, 1 file, -5/+0)
|/ / / /
| | | |
| | | | FreeBSD 4 was declared end-of-life in 2006 (https://lists.freebsd.org/pipermail/freebsd-security/2006-October/004111.html). Currently, only FreeBSD 11 and 12 are supported (https://www.freebsd.org/security/security.html#sup).
* / / / Remove unused development code related to USE_BOOST_FACETS (Tim Landscheidt, 2019-01-17, 2 files, -82/+2)
|/ / /
| | |
| | | The code can be accessed by Git history and reused in a branch if necessary.
* / / Fix some boost format strings (Tommi Komulainen, 2019-01-17, 2 files, -4/+4)
|/ /
| |
| | Fixes: Error: boost::bad_format_string: format-string is ill-formed
* | Fix parsing issue involving effective dates (Martin Michlmayr, 2019-01-15, 1 file, -1/+1)
| |
| | Cory Duplantis reported that "A specially crafted journal file can cause [an] integer underflow resulting in code execution".
| |
| | Cory provided this test case:
| |
| |     Expenses:Food:Groceries $ 37.50 ; ] [=2004/01/01]
| |
| | Note the ] that comes before [ after the ;.
| |
| | This issue was reported and described in great detail by Cory Duplantis of Cisco Talos. This issue is known as TALOS-2017-0303 and has been assigned CVE-2017-2807.
| |
| | Cory's description can be found at https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0303
| |
| | Fixes #1722
* | Merge branch 'next' into move-have-edit (John Wiegley, 2019-01-14, 7 files, -22/+9)
|\ \
| * \ Merge pull request #1707 from scfc/remove-sys-stat-h (John Wiegley, 2019-01-14, 1 file, -1/+0)
| |\ \
| | | |
| | | | Remove unnecessary include for sys/stat.h