Overpass-API

Overpass-API copied to clipboard

I noticed that char* to {int, float, long} conversions mostly rely on atof, atoll and atoi functions. Unfortunately, there's no additional input validation to reject invalid queries like in the following example:

is_in(geom9349,12.48865);

Use of those functions is quite widespread in the statement directory. Preferably, additional validations should disregard leading and trailing spaces, and apply strict checks to identify valid numbers (either int values, or float/double).

atof: around.cc, bbox_query.cc, coord_query.cc, osm_script.cc, print.cc.. atoll: area_query.cc, changed.cc, coord_query.cc, id_query.cc, newer.cc, print.cc, user.cc.. atoi: changed.cc, newer.cc, osm_script.cc..

Similar: update_database happily processes negative objects ids, and treats them as unsigned values. This causes very strange issues down the road. Negative object ids need to be rejected right away.

[out:json];node(-105539580);out meta; returns Success /ssd/perfmmd/nodes.map Random_File: id too large for map file instead of "object id has to be to be a positive number"