[GRASS-dev] [GRASS GIS] #2252: wxGUI vector digitizer passing unescaped text to database
GRASS GIS
trac at osgeo.org
Fri Feb 13 06:39:57 PST 2015
#2252: wxGUI vector digitizer passing unescaped text to database
-----------------------------------------------------------------------------+
Reporter: marisn | Owner: grass-dev@…
Type: defect | Status: new
Priority: blocker | Milestone: 7.0.0
Component: wxGUI | Version: svn-trunk
Keywords: security, code injection, SQL injection, data loss, v.db.update | Platform: Unspecified
Cpu: Unspecified |
-----------------------------------------------------------------------------+
Comment(by mlennert):
Replying to [comment:5 marisn]:
> Replying to [comment:4 mlennert]:
> > I can't reproduce this bug. I've tried with different SQL texts and
> > they all are just put into the text field in the attribute table.
> >
> > Maris, can you still confirm this bug?
> Nothing has changed. Still text fields fail if a single apostrophe is
> entered. Deleting whole database via text attribute entry field has been
> left as an exercise for reader ;)
Ok, I forgot the apostrophes.
However, I tried deleting a table and haven't been able to do so:
{{{
db.execute sql="CREATE TABLE test_db_bug (id int)"
v.db.update test_digit_new col=test_text val="';drop table test_db_bug;'"
}}}
Table test_db_bug is still in the database. Same when I put the same value
in a text field in the digitizer: I get a similar error message to yours
above, but the table is not dropped.
Apparently any apostrophe in the update value causes an error message. I
agree that the error message is not clear, but I cannot reproduce the
danger you see for database integrity.
So my question remains, is this really a blocker?
Moritz
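Why a stray apostrophe produces the error described in this thread, and what a safe update looks like, as an added example that is not from the ticket or the GRASS code base: a stand-alone sqlite3 simulation that reuses the ticket's table and column names; the helper names and the sample row are hypothetical.

```python
import sqlite3

# Constructed stand-in for the ticket's scenario: the table and column names
# come from the ticket, the sample row and helper names are hypothetical.
ATTACKER_VALUE = "';drop table test_db_bug;'"
PLAIN_VALUE = "O'Brien"


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE test_db_bug (id int)")
    conn.execute("CREATE TABLE test_digit_new (cat INTEGER PRIMARY KEY, test_text TEXT)")
    conn.execute("INSERT INTO test_digit_new (cat, test_text) VALUES (1, 'old')")
    return conn


def update_unsafe(conn, cat, value):
    """Splices the raw value into the SQL text; any apostrophe breaks the statement."""
    conn.execute("UPDATE test_digit_new SET test_text = '%s' WHERE cat = %d" % (value, cat))


def update_escaped(conn, cat, value):
    """Same string building, but apostrophes are doubled as the SQL standard requires."""
    quoted = value.replace("'", "''")
    conn.execute("UPDATE test_digit_new SET test_text = '%s' WHERE cat = %d" % (quoted, cat))


def update_bound(conn, cat, value):
    """Binds the value as a parameter; the driver never parses it as SQL."""
    conn.execute("UPDATE test_digit_new SET test_text = ? WHERE cat = ?", (value, cat))


def stored_value(conn, cat):
    return conn.execute("SELECT test_text FROM test_digit_new WHERE cat = ?", (cat,)).fetchone()[0]


def table_exists(conn, name):
    sql = "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?"
    return conn.execute(sql, (name,)).fetchone() is not None


def try_update(update, value):
    """Run one update strategy on a fresh database; return (stored text, error, table kept)."""
    conn = make_db()
    try:
        update(conn, 1, value)
        error = None
    except (sqlite3.Error, sqlite3.Warning) as exc:  # Warning: multi-statement rejection in older CPython
        error = str(exc)
    return stored_value(conn, 1), error, table_exists(conn, "test_db_bug")


if __name__ == "__main__":
    for name, fn in (("unsafe", update_unsafe), ("escaped", update_escaped), ("bound", update_bound)):
        for value in (PLAIN_VALUE, ATTACKER_VALUE):
            print(name, repr(value), try_update(fn, value))
```

The unsafe path fails for an ordinary name like O'Brien just as it does for the crafted value, which is the data-loss side of the ticket; the escaped and bound paths store both strings literally and leave test_db_bug in place.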
--
Ticket URL: <http://trac.osgeo.org/grass/ticket/2252#comment:6>
GRASS GIS <http://grass.osgeo.org>