[GRASS-dev] [GRASS GIS] #2252: wxGUI vector digitizer passing unescaped text to database

GRASS GIS trac at osgeo.org
Tue Jul 29 16:29:03 PDT 2014


#2252: wxGUI vector digitizer passing unescaped text to database
-----------------------------------------------------------------------------+
 Reporter:  marisn                                                           |       Owner:  grass-dev@…              
     Type:  defect                                                           |      Status:  new                      
 Priority:  blocker                                                          |   Milestone:  7.0.0                    
Component:  wxGUI                                                            |     Version:  svn-trunk                
 Keywords:  security, code injection, SQL injection, data loss, v.db.update  |    Platform:  Unspecified              
      Cpu:  Unspecified                                                      |  
-----------------------------------------------------------------------------+

Comment(by wenzeslaus):

 If we decide to do this separately in each usage of database (places in
 GUI and each module for which it makes sense), some people have already
 [http://stackoverflow.com/questions/6514274/how-do-you-escape-strings-for-sqlite-table-column-names-in-python tried something]
 like this and there is even a
 [https://gist.github.com/1083518/584008c38a363c45acb84e4067b5188bb36e20f4 Gist]
 dedicated to it.

 Here is the code from Gist:
 {{{
 #!python
 import codecs

 def quote_identifier(s, errors="strict"):
     # Round-trip through UTF-8 so that unencodable characters go through the
     # chosen codecs error handler (strict raises, replace substitutes, ...)
     encodable = s.encode("utf-8", errors).decode("utf-8")

     # SQLite identifiers cannot contain NUL; treat it like an encoding error
     nul_index = encodable.find("\x00")

     if nul_index >= 0:
         error = UnicodeEncodeError("utf-8", encodable, nul_index,
                                    nul_index + 1, "NUL not allowed")
         error_handler = codecs.lookup_error(errors)
         replacement, _ = error_handler(error)
         encodable = encodable.replace("\x00", replacement)

     # Double every embedded double quote and wrap the identifier in double quotes
     return "\"" + encodable.replace("\"", "\"\"") + "\""
 }}}

 {{{
 Given a string single argument, it will escape and quote it correctly or
 raise an exception. The second argument can be used to specify any error
 handler registered in [the `codecs` module][8]. The built-in ones are:

  - `'strict'`: raise an exception in case of an encoding error
  - `'replace'`: replace malformed data with a suitable replacement marker,
 such as `'?'` or `'\ufffd'`
  - `'ignore'`: ignore malformed data and continue without further notice
  - `'xmlcharrefreplace'`: replace with the appropriate XML character
 reference (for encoding only)
  - `'backslashreplace'`: replace with backslashed escape sequences (for
 encoding only)
 This doesn't check for reserved identifiers, so if you try to create a new
 `SQLITE_MASTER` table it won't stop you.
 }}}

 It is using the Python package
 [https://docs.python.org/2/library/codecs.html codecs].

 But still, it would probably be ideal to use the database API for it and
 expose this through the GRASS C API. Additionally, it would be interesting
 to do something PyGRASS tried to do: use the Python API directly but use
 some GRASS functions to obtain the right database (backend).

-- 
Ticket URL: <https://trac.osgeo.org/grass/ticket/2252#comment:3>
GRASS GIS <http://grass.osgeo.org>
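An added example (not code from the ticket, the Gist or GRASS itself) showing the two halves of the fix the comment points at: identifiers quoted with a simplified `quote_identifier` (the Gist's doubling rule without the codecs error handler), and attribute values passed through the driver's `?` binding instead of being pasted into the SQL text. The table name `roads`, the column name and the value are constructed; it uses only the standard `sqlite3` module.

```python
import sqlite3


def quote_identifier(name):
    """Quote an SQLite identifier: reject NUL, double embedded double quotes."""
    if "\x00" in name:
        raise ValueError("NUL not allowed in identifier")
    return '"' + name.replace('"', '""') + '"'


def update_attribute(conn, table, column, value, cat):
    """Hardened form: identifiers quoted, values bound by the driver."""
    sql = "UPDATE %s SET %s = ? WHERE cat = ?" % (
        quote_identifier(table), quote_identifier(column))
    conn.execute(sql, (value, cat))
    conn.commit()


def update_attribute_naive(conn, table, column, value, cat):
    """Unescaped form resembling the ticket's bug: value pasted into SQL."""
    sql = "UPDATE %s SET %s = '%s' WHERE cat = %d" % (table, column, value, cat)
    conn.execute(sql)
    conn.commit()


def demo():
    """Returns (error text from the naive update, value stored by the safe one)."""
    conn = sqlite3.connect(":memory:")
    col = 'owner"name'  # constructed: a column name containing a double quote
    conn.execute("CREATE TABLE roads (cat INTEGER PRIMARY KEY, %s TEXT)"
                 % quote_identifier(col))
    conn.execute("INSERT INTO roads (cat) VALUES (1)")
    value = "O'Brien"  # constructed: an ordinary value with a single quote
    naive_error = None
    try:
        update_attribute_naive(conn, "roads", quote_identifier(col), value, 1)
    except sqlite3.OperationalError as exc:
        naive_error = str(exc)  # the stray quote breaks the statement
    update_attribute(conn, "roads", col, value, 1)
    stored = conn.execute("SELECT %s FROM roads WHERE cat = 1"
                          % quote_identifier(col)).fetchone()[0]
    return naive_error, stored


if __name__ == "__main__":
    print(demo())
```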