<div dir="ltr"><div>Hi,</div>
<div><br></div>
<div>I was expanding the saveStyle functionality in the spatialite provider using the same code model used in the PostgreSQL provider. Reading the C++ code of the provider I figured out a possible vulnerability to SQL injection.</div>
<div><br></div>
<div>The QGIS PostgreSQL provider [1] makes extensive use of two internal functions to prevent injection:</div>
<div><br></div>
<pre>[2] QString QgsPostgresConn::quotedValue( QVariant value )</pre>
<div>and</div>
<pre>[3] QString QgsPostgresConn::quotedIdentifier( QString ident )</pre>
<div><br></div>
<div>but they quote only ' or \ so they are -not- enough for complete SQL injection protection [4].</div>
<div><br></div>
<div>Every DB has its own internal functions to manage these cases, but it is better to use parametrized queries, as is done in many parts of the provider... but not in all parts.</div>
<div><br></div>
<div>Using parametrized queries needs an extensive rewrite of the providers... an intermediate approach is to add specific quote_* calls in the above functions.</div>
<div><br></div>
<div>Let me know what you think.</div>
<div><br></div>
<div>Luigi Pirelli (<a href="mailto:luigi.pirelli@faunalia.it">luigi.pirelli@faunalia.it</a> - <a href="mailto:luipir@gmail.com">luipir@gmail.com</a>)</div>
<div><br></div>
<div>[1] <a href="https://github.com/qgis/QGIS/blob/master/src/providers/postgres/qgspostgresprovider.cpp">https://github.com/qgis/QGIS/blob/master/src/providers/postgres/qgspostgresprovider.cpp</a><br>
[2] <a href="https://github.com/qgis/QGIS/blob/master/src/providers/postgres/qgspostgresconn.cpp#L752">https://github.com/qgis/QGIS/blob/master/src/providers/postgres/qgspostgresconn.cpp#L752</a><br>
[3] <a href="https://github.com/qgis/QGIS/blob/master/src/providers/postgres/qgspostgresconn.cpp#L759">https://github.com/qgis/QGIS/blob/master/src/providers/postgres/qgspostgresconn.cpp#L759</a><br>
[4] <a href="http://www.sqlinjectionwiki.com/Categories.aspx?catId=4">http://www.sqlinjectionwiki.com/Categories.aspx?catId=4</a></div>
</div>
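The two strategies the mail contrasts, side by side, as an added example that is not part of the original message and not QGIS code: Python against SQLite (the engine under SpatiaLite, where the saveStyle work was happening). `quoted_value` and `quoted_identifier` are stand-ins that imitate the quote-doubling shape of `QgsPostgresConn::quotedValue` / `quotedIdentifier`, the `styles` table and the sample style record are constructed for the demo (not the real `layer_styles` schema), and the point it shows is that a string-built statement is only as correct as every type case in the quoting helper, whereas a bound parameter never becomes SQL text at all.

```python
import sqlite3

# Added example (not QGIS code). The table below is constructed for the demo and
# is not the QGIS layer_styles schema.
SCHEMA = "CREATE TABLE styles (table_name TEXT, style_name TEXT, qml TEXT)"


def new_db():
    """Fresh in-memory database with the constructed styles table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    return conn


def quoted_value(value):
    """Render a value as an SQL literal by doubling single quotes.

    Assumption: a stand-in for the doubling strategy of QgsPostgresConn::quotedValue,
    not that function. Every non-string type needs its own branch here, and each
    branch is a place to get wrong; parameter binding removes that surface.
    """
    if value is None:
        return "NULL"
    if isinstance(value, bool):          # bool before int: bool is an int subclass
        return "1" if value else "0"
    if isinstance(value, (int, float)):
        return repr(value)
    return "'" + str(value).replace("'", "''") + "'"


def quoted_identifier(ident):
    """Double-quote an identifier, doubling embedded double quotes (stand-in for quotedIdentifier)."""
    return '"' + ident.replace('"', '""') + '"'


def insert_unquoted(conn, table_name, style_name, qml):
    """No quoting at all: a single quote inside any value breaks the statement."""
    sql = "INSERT INTO styles VALUES ('%s', '%s', '%s')" % (table_name, style_name, qml)
    conn.execute(sql)


def insert_quoted(conn, table_name, style_name, qml):
    """SQL text built with the quoting helpers; correctness rests entirely on them."""
    sql = "INSERT INTO %s VALUES (%s, %s, %s)" % (
        quoted_identifier("styles"),
        quoted_value(table_name), quoted_value(style_name), quoted_value(qml))
    conn.execute(sql)


def insert_bound(conn, table_name, style_name, qml):
    """Parametrised statement: the driver binds the values, they never enter the SQL text."""
    conn.execute("INSERT INTO styles VALUES (?, ?, ?)", (table_name, style_name, qml))


def read_back(conn, style_name):
    """Return the stored row for a style name as a tuple, or None."""
    cur = conn.execute(
        "SELECT table_name, style_name, qml FROM styles WHERE style_name = ?", (style_name,))
    return cur.fetchone()


def demo(sample=("roads", "O'Reilly style", "<qgis version='3.x'/>")):
    """Run the three strategies on a constructed record whose values carry single quotes.

    Returns {strategy: stored row or rejection message}: the unquoted build is
    rejected by the parser with a syntax error, the other two store the record intact.
    """
    results = {}
    for label, insert in (("unquoted", insert_unquoted),
                          ("quoted", insert_quoted),
                          ("bound", insert_bound)):
        conn = new_db()
        try:
            insert(conn, *sample)
            results[label] = read_back(conn, sample[1])
        except sqlite3.OperationalError as exc:
            results[label] = "rejected: %s" % exc
        finally:
            conn.close()
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print("%-9s %s" % (label, outcome))
```

The quoted and bound paths both store the sample correctly, which is why quoting alone looks sufficient in day-to-day use; the difference is where correctness lives. With `insert_quoted`, every caller depends on `quoted_value` handling each type and each engine's literal syntax (the "specific quote_* call" idea in the mail is about delegating that job to the database's own routine); with `insert_bound`, the statement text is fixed at compile time and the engine receives the values out of band.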