[GRASS-dev] [GRASS GIS] #2252: wxGUI vector digitizer passing unescaped text to database

GRASS GIS trac at osgeo.org
Tue Nov 24 11:45:47 PST 2015


#2252: wxGUI vector digitizer passing unescaped text to database
-------------------------+-------------------------------------------------
  Reporter:  marisn      |      Owner:  grass-dev@…
      Type:  defect      |     Status:  new
  Priority:  critical    |  Milestone:  7.0.0
 Component:  wxGUI       |    Version:  svn-trunk
Resolution:              |   Keywords:  security, code injection, SQL
                         |              injection, data loss, v.db.update
       CPU:  Unspecified |   Platform:  Unspecified
-------------------------+-------------------------------------------------

Comment (by marisn):

 Replying to [comment:8 mlennert]:
 > I would propose to close this bug, as I don't see any real issue at
 > hand, here.
 I'll paste my answer to your comment as an error message I got from the wxGUI
 vector digitizer with current trunk:
 {{{
 DBMI-DBF driver error:
 SQL parser error (syntax error, unexpected NAME, expecting ')' or ','
 processing 'ing') in statement:
 INSERT INTO rm_me (cat,comments) VALUES (1,'you must be f'ing kidding;
 right?')
 Unable to execute statement.

 DBMI-DBF driver error:
 SQL parser error (syntax error, unexpected NAME, expecting ')' or ','
 processing 'ing') in statement:
 INSERT INTO rm_me (cat,comments) VALUES (1,'you must be f'ing kidding;
 right?')
 Unable to execute statement.

 KĻŪDA: Error while executing: 'INSERT INTO rm_me (cat,comments) VALUES
          (1,'you must be f'ing kidding; right?')'
 }}}

--
Ticket URL: <https://trac.osgeo.org/grass/ticket/2252#comment:9>
GRASS GIS <https://grass.osgeo.org>
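As an added illustration (not code from the ticket or from GRASS), the statement from the error message above rebuilt in Python three ways: spliced together as plain text, which reproduces the parser error; with the string literal escaped by doubling the quote; and with driver-side parameter binding. SQLite stands in for the DBF driver here, which is an assumption.

```python
import sqlite3

# Comment text taken from the ticket's error output; the embedded single
# quote is what breaks the spliced statement.
COMMENT = "you must be f'ing kidding; right?"


def build_naive(cat, comment):
    """Build the INSERT the way the digitizer did: plain string splicing."""
    return "INSERT INTO rm_me (cat,comments) VALUES (%d,'%s')" % (cat, comment)


def sql_quote(text):
    """Return text as a SQL string literal with single quotes doubled."""
    return "'" + text.replace("'", "''") + "'"


def build_escaped(cat, comment):
    """Same statement, but the literal is escaped before splicing."""
    return "INSERT INTO rm_me (cat,comments) VALUES (%d,%s)" % (cat, sql_quote(comment))


def new_db():
    """In-memory SQLite table standing in for the DBF-backed rm_me table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE rm_me (cat INTEGER, comments TEXT)")
    return conn


def try_insert(sql):
    """Execute one statement; return (ok, stored comment or driver error)."""
    conn = new_db()
    try:
        conn.execute(sql)
    except sqlite3.Error as err:
        return False, str(err)
    return True, conn.execute("SELECT comments FROM rm_me WHERE cat = 1").fetchone()[0]


def insert_bound(cat, comment):
    """Preferred fix: bind the value, so no SQL text is built from user input."""
    conn = new_db()
    conn.execute("INSERT INTO rm_me (cat,comments) VALUES (?,?)", (cat, comment))
    return conn.execute("SELECT comments FROM rm_me WHERE cat = ?", (cat,)).fetchone()[0]


if __name__ == "__main__":
    print(try_insert(build_naive(1, COMMENT)))    # (False, 'near "ing": syntax error')
    print(try_insert(build_escaped(1, COMMENT)))  # (True, "you must be f'ing kidding; right?")
    print(insert_bound(1, COMMENT))
```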