[GRASS-dev] bug in v.db.renamecol [was: Re: [GRASS-user] Rename multiple sqlite columns at once]

Glynn Clements glynn at gclements.plus.com
Wed Nov 19 08:04:53 EST 2008


Hamish wrote:

> > Don't think that table names can have spaces
> 
> it doesn't matter if they can really have spaces, it matters if a user who
> thinks they could have spaces tries that. The goal is that the module
> does not fail in a bizarre way in that case, but with a useful error
> message from the correct place.
> 
> if modules are run live from the web, an unquoted variable could include
> something like table="dbf; run_evil_command; #", and without quoting
> they have all the shell access they want. (well, I'm not totally sure
> about that, but it scares me enough to be pedantic about it for shell
> scripts)

If modules are run live from the web, there are plenty of other
problems to worry about (buffer overflows, system(), etc).

A web interface would need to validate all input using a "default-deny"
approach, i.e. define what constitutes "valid" input and reject
everything else.

-- 
Glynn Clements <glynn at gclements.plus.com>
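The two points in this exchange, the quoting hazard Hamish describes and the "default-deny" validation Glynn recommends, side by side in one POSIX shell script. This is an added example, not code from the thread or from GRASS: the identifier pattern, the function names, and the `echo` standing in for the real db.execute call are all assumptions, and `run_evil_command` is a constructed marker that only records that it was called. Note that the hostile value only becomes shell syntax where the script re-parses a string it built (here via `eval`); a plain unquoted expansion word-splits the value but does not turn its `;` into a command separator.

```shell
#!/bin/sh
# Added example (not GRASS code): a default-deny check for a table name
# plus the two ways of using it from a shell script, the risky one and
# the quoted one. The identifier pattern, the function names and the
# 'echo' standing in for the real db.execute call are assumptions.

evil_ran=0
# Constructed stand-in for the "run_evil_command" from the thread: it only
# records that it was called, so we can tell whether the injection fired.
run_evil_command() { evil_ran=1; }

# Default deny: accept only a plain identifier (letter or underscore,
# then letters, digits or underscores) and reject everything else.
is_valid_table_name() {
    case "$1" in
        ''|*[!A-Za-z0-9_]*) return 1 ;;   # empty, or has a character outside the allowlist
        [0-9]*)             return 1 ;;   # must not start with a digit
        *)                  return 0 ;;
    esac
}

# Risky path: the value is interpolated into a string that the shell
# parses again. A ';' in $table ends the intended command and whatever
# follows runs as a new one; the '#' comments out the rest of the line.
run_unsafely() {
    table=$1
    eval "echo alter table $table rename column x to y"
}

# Safe path: validate first, then pass the value as one quoted word so
# the shell never reinterprets it. Exit status 2 means "rejected".
rename_column_checked() {
    table=$1
    if ! is_valid_table_name "$table"; then
        echo "invalid table name: '$table'" >&2
        return 2
    fi
    echo alter table "$table" rename column x to y
}

# Demonstration with the hostile value from the thread (constructed input).
hostile='dbf; run_evil_command; #'
run_unsafely "$hostile" >/dev/null
echo "unsafe path: evil_ran=$evil_ran"        # 1: the injected command ran
rename_column_checked "$hostile" || echo "checked path: rejected with status $?"
rename_column_checked dbf                      # alter table dbf rename column x to y
```

The check is deliberately an allowlist rather than a blocklist of `;`, `|`, backticks and so on: a blocklist has to anticipate every metacharacter of every layer the value passes through (shell, SQL, the DBF driver), while an allowlist only has to describe what a table name legitimately looks like.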

