[GRASS-dev] [GRASS GIS] #2252: wxGUI vector digitizer passing unescaped text to database

GRASS GIS trac at osgeo.org
Wed Apr 9 04:13:34 PDT 2014


#2252: wxGUI vector digitizer passing unescaped text to database
-------------------------+--------------------------------------------------
 Reporter:  marisn       |       Owner:  grass-dev@…              
     Type:  defect       |      Status:  new                      
 Priority:  blocker      |   Milestone:  7.0.0                    
Component:  wxGUI        |     Version:  svn-trunk                
 Keywords:               |    Platform:  Unspecified              
      Cpu:  Unspecified  |  
-------------------------+--------------------------------------------------
 It seems that it is not possible to enter attribute data for a new vector
 feature that is not valid SQL due to code being unable to pass user text
 to the database as text.

 Steps to reproduce:
  * Create a new vector data set;
  * Create a new text attribute column for it;
  * Digitize a new feature;
  * Provide following text as the attribute value: '; drop database
 important_data; '
  * Observe kaBOOM! as the text is parsed by the database instead of being
 properly escaped or passed to the DB as a prepared statement.

 {{{
 DBMI-SQLite driver error:
 Error in sqlite3_prepare():
 near ";": syntax error

 DBMI-SQLite driver error:
 Error in sqlite3_prepare():
 near ";": syntax error

 KĻŪDA: Error while executing: 'INSERT INTO remove_me (cat,nosaukums)
          VALUES (3,''; drop database important_data; '')'
 }}}

 The issue also occurs with more harmless examples like: It's fun

 For better effect enter value as: '); delete from MYVECTORMAP; select '

-- 
Ticket URL: <http://trac.osgeo.org/grass/ticket/2252>
GRASS GIS <http://grass.osgeo.org>