[GRASS-dev] [GRASS GIS] #2252: wxGUI vector digitizer passing unescaped text to database
GRASS GIS
trac at osgeo.org
Thu Jul 17 13:38:16 PDT 2014
#2252: wxGUI vector digitizer passing unescaped text to database
-----------------------------------------------------------------------------+
Reporter: marisn | Owner: grass-dev@…
Type: defect | Status: new
Priority: blocker | Milestone: 7.0.0
Component: wxGUI | Version: svn-trunk
Keywords: security, code injection, SQL injection, data loss, v.db.update | Platform: Unspecified
Cpu: Unspecified |
-----------------------------------------------------------------------------+
Changes (by wenzeslaus):
* keywords: => security, code injection, SQL injection, data loss, v.db.update
Comment:
I don't know (and a quick look into the source code hasn't told me) what is
used in the digitizer as a backend. A library, the Python SQLite API, or modules?
I've tried `v.db.update` with map `bridges` copied from `PERMANENT` and
this was OK:
{{{
v.db.update map=bridges column=LOCATION value="; drop database important_data;" where=cat=1
}}}
String "; drop database important_data;" saved to the database.
But this:
{{{
v.db.update map=bridges column=LOCATION value="'; drop database important_data; SELECT 1='1" where=cat=1
}}}
removed all the values from the column `LOCATION`. I'm not getting any
error messages.
--
Ticket URL: <http://trac.osgeo.org/grass/ticket/2252#comment:1>
GRASS GIS <http://grass.osgeo.org>
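The two `v.db.update` runs in the comment come down to string building versus parameter binding. The following added Python/sqlite3 example is not GRASS code; it replays both payloads against a constructed `bridges` table (assumed schema: `cat`, `LOCATION`) under the assumption that the backend pastes the value into the SQL text, and shows why the quoted payload wipes the whole column: the injected quote closes the literal early, so the `UPDATE` loses its `WHERE` clause before the engine ever reaches the failing `drop database`.

```python
import sqlite3

# Constructed sample rows standing in for the GRASS attribute table `bridges`.
ROWS = [(1, "Main St"), (2, "River Rd"), (3, "Old Mill")]

# The two values from the ticket comment.
BENIGN = "; drop database important_data;"
INJECT = "'; drop database important_data; SELECT 1='1"


def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE bridges (cat INTEGER PRIMARY KEY, LOCATION TEXT)")
    con.executemany("INSERT INTO bridges VALUES (?, ?)", ROWS)
    con.commit()
    return con


def update_unsafe(con, column, value, cat):
    """Builds the statement the way the ticket suspects the digitizer does:
    the value is pasted into the SQL text. executescript stands in for a
    driver that hands the whole string to the engine, so a quote in `value`
    ends the literal and the rest of the string is parsed as SQL."""
    sql = f"UPDATE bridges SET {column}='{value}' WHERE cat={cat}"
    try:
        con.executescript(sql)
        return None
    except sqlite3.Error as e:
        # The truncated UPDATE has already run; only the later statement failed.
        return str(e)


def update_safe(con, column, value, cat):
    """Hardened form: the value is bound as a parameter and can never be
    parsed as SQL. Identifiers cannot be bound, so the column name is checked
    against the table's real columns before it is interpolated."""
    cols = {row[1] for row in con.execute("PRAGMA table_info(bridges)")}
    if column not in cols:
        raise ValueError(f"unknown column {column!r}")
    con.execute(f'UPDATE bridges SET "{column}"=? WHERE cat=?', (value, cat))
    con.commit()


def locations(con):
    return [r[0] for r in con.execute("SELECT LOCATION FROM bridges ORDER BY cat")]
```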