[GRASS-dev] bug in v.db.renamecol [was: Re: [GRASS-user] Rename multiple sqlite columns at once]
Glynn Clements
glynn at gclements.plus.com
Wed Nov 19 08:04:53 EST 2008
Hamish wrote:
> > Don't think that table names can have spaces
>
> it doesn't matter if they can really have spaces, it matters if a user who
> thinks they could have spaces tries that. The goal is that the module
> does not fail in a bizarre way in that case, but with a useful error
> message from the correct place.
>
> if modules are run live from the web, an unquoted variable could include
> something like table="dbf; run_evil_command; #", and without quoting
> they have all the shell access they want. (well, I'm not totally sure
> about that, but it scares me enough to be pedantic about it for shell
> scripts)
If modules are run live from the web, there are plenty of other
problems to worry about (buffer overflows, system(), etc).
A web interface would need to validate all input using a "default-deny"
approach, i.e. define what constitutes "valid" input and reject
everything else.
--
Glynn Clements <glynn at gclements.plus.com>
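A default-deny check of the kind described above, as an added shell example that is not part of this thread or of the GRASS code; the allow-list pattern, the 63-character limit and the db.execute command line it prints are assumptions chosen for illustration:

```shell
#!/bin/sh
# Added example (not GRASS code): accept a table/column name only if it matches
# an explicit allow-list, and reject everything else ("default-deny").
# valid_table_name NAME -> status 0 if NAME is acceptable, 1 otherwise.
# Assumed policy: letters, digits and underscores only, not starting with a
# digit, at most 63 characters. Anything else (spaces, ';', '#', quotes) fails.
valid_table_name() {
    case "$1" in
        "") return 1 ;;
        *[!A-Za-z0-9_]*) return 1 ;;   # any character outside the allow-list
        [0-9]*) return 1 ;;            # must not start with a digit
    esac
    [ "${#1}" -le 63 ]
}

# run_rename TABLE OLD NEW: validate all three identifiers first, then print
# the (illustrative) command line a shell-script module would run. Every
# expansion is double-quoted, so a hostile value could only ever reach
# db.execute as data, never as shell syntax; the check rejects it anyway.
run_rename() {
    for arg in "$1" "$2" "$3"; do
        if ! valid_table_name "$arg"; then
            echo "ERROR: invalid identifier: $arg" >&2
            return 1
        fi
    done
    printf 'echo "ALTER TABLE %s RENAME COLUMN %s TO %s" | db.execute\n' "$1" "$2" "$3"
}
```

The rejection happens in the script itself, so a user who tries a name with spaces gets one clear error instead of a failure deep inside the database driver.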