[GRASS-dev] [GRASS GIS] #2252: wxGUI vector digitizer passing unescaped text to database
GRASS GIS
trac at osgeo.org
Fri Feb 13 11:40:31 PST 2015
#2252: wxGUI vector digitizer passing unescaped text to database
-----------------------------------------------------------------------------+
Reporter: marisn | Owner: grass-dev@…
Type: defect | Status: new
Priority: critical | Milestone: 7.0.0
Component: wxGUI | Version: svn-trunk
Keywords: security, code injection, SQL injection, data loss, v.db.update | Platform: Unspecified
Cpu: Unspecified |
-----------------------------------------------------------------------------+
Changes (by marisn):
* priority: blocker => critical
Comment:
Replying to [comment:6 mlennert]:
>
> Ok, I forgot the apostrophes.
>
> However, I tried deleting a table and haven't been able to do so:
>
> {{{
> db.execute sql="CREATE TABLE test_db_bug (id int)"
> v.db.update test_digit_new col=test_text val="';drop table
test_db_bug;'"
> }}}
>
> Table test_db_bug is still in the database. Same when I put the same
value in a text field in the digitizer: I get a similar error message to
yours above, but the table is not dropped.
>
> Apparently any apostrophe in the update value causes an error message. I
agree that the error message is not clear, but I cannot reproduce the
danger you see for database integrity.
>
> So my question remains, is this really a blocker ?
>
> Moritz
OK, OK. I'm downgrading priority. My attempts to execute drop table
somehow failed. I blame my poor SQL skills for it. Probably it is really
just a "no apostrophes in attribute text" rule without any (so far
confirmed) security issue.
--
Ticket URL: <http://trac.osgeo.org/grass/ticket/2252#comment:7>
GRASS GIS <http://grass.osgeo.org>
More information about the grass-dev
mailing list