[GRASS-dev] [GRASS GIS] #2252: wxGUI vector digitizer passing unescaped text to database

GRASS GIS trac at osgeo.org
Fri Jul 18 10:35:44 PDT 2014

#2252: wxGUI vector digitizer passing unescaped text to database
 Reporter:  marisn                                                           |       Owner:  grass-dev@…              
     Type:  defect                                                           |      Status:  new                      
 Priority:  blocker                                                          |   Milestone:  7.0.0                    
Component:  wxGUI                                                            |     Version:  svn-trunk                
 Keywords:  security, code injection, SQL injection, data loss, v.db.update  |    Platform:  Unspecified              
      Cpu:  Unspecified                                                      |  

Comment(by wenzeslaus):

 vdigit/wxdigit] is calling `db_set_string()` (or other db related
 functions) at several places but I'm not able to spot quickly where are
 the vulnerable places.

 v.db.update] also does not attempt to avoid SQL injection. And by the way,
 `db.execute` even cannot.

 In this case,
 [source:grass/trunk/lib/python/pygrass/vector/table.py?rev=60969 PyGRASS]
 has the best potential to handle these things correctly, since it is using
 Python `sqlite3` package directly (although it should use GRASS library to
 get all drivers).

 Perhaps the library itself should provide a mechanism to handle user input
 in a correct way using the proper database API for it or some custom code
 (or nothing) if it is not available for the given database.

Ticket URL: <https://trac.osgeo.org/grass/ticket/2252#comment:2>
GRASS GIS <http://grass.osgeo.org>

More information about the grass-dev mailing list