[GRASS-dev] [GRASS GIS] #2252: wxGUI vector digitizer passing unescaped text to database

GRASS GIS trac at osgeo.org
Thu Aug 18 07:41:05 PDT 2016


#2252: wxGUI vector digitizer passing unescaped text to database
-------------------------+-------------------------------------------------
  Reporter:  marisn      |      Owner:  grass-dev@…
      Type:  defect      |     Status:  new
  Priority:  critical    |  Milestone:  7.0.5
 Component:  wxGUI       |    Version:  svn-trunk
Resolution:              |   Keywords:  security, code injection, SQL injection, data loss, v.db.update
       CPU:  Unspecified |   Platform:  Unspecified
-------------------------+-------------------------------------------------

Comment (by annakrat):

 Replying to [comment:14 annakrat]:
 > In [changeset:"69153" 69153]:
 > {{{
 > #!CommitTicketReference repository="" revision="69153"
 > wxGUI: escape single quotes when editing attributes from GUI, see #2252
 > }}}

 This deals with single quotes only; no security issue is solved by this.
 So please test, I can backport it and decide what else to do with this
 ticket. We should at least downgrade the priority if not close it at all.

--
Ticket URL: <https://trac.osgeo.org/grass/ticket/2252#comment:15>
GRASS GIS <https://grass.osgeo.org>
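Added example, not taken from the ticket or from the GRASS code base: a small Python/sqlite3 script that contrasts quote-doubling, the kind of fix the commit message describes, with parameter binding, which keeps the attribute value out of the SQL text entirely. The table name, column names and sample values are constructed for the demo.

```python
import sqlite3


def make_db():
    """Constructed stand-in for a vector attribute table (names are assumptions)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE roads (cat INTEGER PRIMARY KEY, name TEXT)")
    con.execute("INSERT INTO roads VALUES (1, 'Main St'), (2, 'Second St')")
    con.commit()
    return con


def escape_sql_string(value):
    """Double every single quote, the SQL way to embed a quote in a literal.
    This is what a 'escape single quotes' fix does: values such as O'Brien now
    round-trip, but the statement is still assembled from strings."""
    return value.replace("'", "''")


def update_concat(con, cat, name):
    """Statement built by string assembly; correctness rests on the escaper."""
    sql = "UPDATE roads SET name = '%s' WHERE cat = %d" % (escape_sql_string(name), cat)
    con.execute(sql)
    con.commit()


def update_param(con, cat, name):
    """Parameter binding: the driver passes the value separately from the SQL,
    so no character in the value can change the statement's structure."""
    con.execute("UPDATE roads SET name = ? WHERE cat = ?", (name, cat))
    con.commit()


def name_of(con, cat):
    return con.execute("SELECT name FROM roads WHERE cat = ?", (cat,)).fetchone()[0]


def demo():
    """Run all three variants on a value containing a single quote."""
    con = make_db()
    tricky = "O'Brien"  # constructed input, the case the commit addresses
    results = {}
    update_concat(con, 1, tricky)
    results["escaped"] = name_of(con, 1)
    update_param(con, 2, tricky)
    results["bound"] = name_of(con, 2)
    try:  # the original defect: the raw quote terminates the literal early
        con.execute("UPDATE roads SET name = '%s' WHERE cat = 1" % tricky)
        results["unescaped"] = "executed"
    except sqlite3.OperationalError:
        results["unescaped"] = "syntax error"
    return results
```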
