[GRASS-dev] [GRASS GIS] #2252: wxGUI vector digitizer passing unescaped text to database
GRASS GIS
trac at osgeo.org
Mon Jun 19 06:20:00 PDT 2017
#2252: wxGUI vector digitizer passing unescaped text to database
-------------------------+-------------------------------------------------
  Reporter:  marisn      |      Owner:  grass-dev@…
      Type:  defect      |     Status:  closed
  Priority:  critical    |  Milestone:  7.0.5
 Component:  wxGUI       |    Version:  svn-trunk
Resolution:  fixed       |   Keywords:  security, code injection, SQL injection, data loss, v.db.update
       CPU:  Unspecified |   Platform:  Unspecified
-------------------------+-------------------------------------------------
Comment (by mlennert):
I don't think we have to reopen this ticket, but an interesting effort was
just done for QGIS Server:
[http://oslandia.com/en/2017/06/14/qgis-server-security-aspect/]
If anyone with SQL skills wants to try to wreak havoc on some GRASS
GISDBASE data, the feedback would obviously be more than welcome.
--
Ticket URL: <https://trac.osgeo.org/grass/ticket/2252#comment:20>
GRASS GIS <https://grass.osgeo.org>