[GRASS-dev] [GRASS GIS] #2252: wxGUI vector digitizer passing unescaped text to database
GRASS GIS
trac at osgeo.org
Fri Jul 18 10:35:44 PDT 2014
#2252: wxGUI vector digitizer passing unescaped text to database
-----------------------------------------------------------------------------+
 Reporter:  marisn                   |      Owner:  grass-dev@…
     Type:  defect                   |     Status:  new
 Priority:  blocker                  |  Milestone:  7.0.0
Component:  wxGUI                    |    Version:  svn-trunk
 Keywords:  security, code injection, SQL injection, data loss, v.db.update
 Platform:  Unspecified              |        Cpu:  Unspecified
-----------------------------------------------------------------------------+
Comment(by wenzeslaus):
[source:grass/trunk/gui/wxpython/vdigit/wxdigit.py?rev=60817 vdigit/wxdigit]
is calling `db_set_string()` (or other db-related functions) at several
places, but I'm not able to quickly spot where the vulnerable places are.
[source:grass/trunk/scripts/v.db.update/v.db.update.py?rev=59236#L92
v.db.update] also does not attempt to avoid SQL injection. And by the way,
`db.execute` cannot even do so.
In this case,
[source:grass/trunk/lib/python/pygrass/vector/table.py?rev=60969 PyGRASS]
has the best potential to handle these things correctly, since it is using
Python `sqlite3` package directly (although it should use GRASS library to
get all drivers).
Perhaps the library itself should provide a mechanism to handle user input
in a correct way using the proper database API for it or some custom code
(or nothing) if it is not available for the given database.
--
Ticket URL: <https://trac.osgeo.org/grass/ticket/2252#comment:2>
GRASS GIS <http://grass.osgeo.org>
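As an added example (not code from the ticket, from v.db.update or from PyGRASS): the value handling the comment asks for, done with the Python `sqlite3` placeholders PyGRASS has access to. Attribute values and the category go in as bound parameters; table and column names, which placeholders cannot bind, are checked against a conservative identifier pattern instead. The `roads` table and its rows are constructed sample data.

```python
import re
import sqlite3

# Identifiers (table and column names) cannot be bound as parameters, so they
# are validated against a conservative pattern and then double-quoted.
_IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def quote_ident(name):
    """Return a safely double-quoted SQL identifier or raise ValueError."""
    if not _IDENT.match(name):
        raise ValueError("invalid SQL identifier: %r" % name)
    return '"%s"' % name


def update_column(conn, table, column, value, cat):
    """UPDATE one attribute of the row with category `cat`.

    Same shape of statement v.db.update issues, but the value and the category
    are bound parameters instead of text pasted into the SQL string.
    """
    sql = "UPDATE %s SET %s = ? WHERE cat = ?" % (
        quote_ident(table), quote_ident(column))
    cur = conn.execute(sql, (value, cat))
    conn.commit()
    return cur.rowcount


def read_column(conn, table, column, cat):
    """Read one attribute back; None if no row has that category."""
    sql = "SELECT %s FROM %s WHERE cat = ?" % (
        quote_ident(column), quote_ident(table))
    row = conn.execute(sql, (cat,)).fetchone()
    return None if row is None else row[0]


def make_sample_db():
    """Constructed in-memory attribute table in the layout GRASS vector maps use."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE roads (cat INTEGER PRIMARY KEY, name TEXT, label TEXT)")
    conn.executemany("INSERT INTO roads VALUES (?, ?, ?)",
                     [(1, "Main St", ""), (2, "Second St", "")])
    conn.commit()
    return conn


if __name__ == "__main__":
    db = make_sample_db()
    # An apostrophe that would break a string-built UPDATE is stored intact.
    update_column(db, "roads", "name", "O'Connell St", 1)
    print(read_column(db, "roads", "name", 1))
```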