[mapguide-users] SQLite Failure with Empty Geometries

Gordon Luckett gordon.luckett at arrowgeomatics.com
Wed Apr 28 00:47:46 PDT 2021


Typically when there is a risk that the geometry column could be null (like
in most databases) I connect to a filtered view of the data rather than the
table itself.

Just for those cases where I can't enforce a non-null geometry (like a
trigger with x/y columns).


On Wed, Apr 28, 2021, 8:38 AM Kyel Shippey <kshippey at juno.com> wrote:

> Hello all,
>
> We recently experienced a vulnerability in MapGuide when encountering a
> feature selection that contains “empty” geometries in SQLite. We have not
> examined whether it occurs in other file or database formats as well. We
> are operating on MapGuide 3.1.2 in 64-bit Windows with FDO 4.1 with PHP
> scripting.
>
> Empty geometries seem to include WKT values such as:
>
>                 POINT()
>                 LINESTRING()
>                 POLYGON()
>
> When looping over an MgFeatureReader collection that contains a feature
> like this, the logic fails when merely attempting to access the affected
> feature, so there is no opportunity to detect and gracefully bypass it:
>
> while($features->ReadNext()) {
>     // breaks down before anything can happen
>     // if this current item has an “empty” geometry
> }
>
> On our system, the failure is repeatably complete and devastating,
> requiring a full server reset which often does not suffice without
> additional monkeying on the /Repositories/Library/ and /Repositories/Site/
> database files, suggesting that some file database corruption might occur
> with this event.
>
> For our purposes, we had success in sanitizing our SQLite files by first
> processing them through GeoJSON. From there, ogr2ogr can utilize the
> AsText() in its sqlite dialect query and prevent these known culprits from
> propagating into our SQLite files library. But the underlying vulnerability
> still exists, whether on the MapGuide internals side or just for the SQLite
> FDO provider.
>
> This seemed worth bringing to everyone’s attention for consideration on
> the compiled engine code. I can provide a sample SQLite file for
> investigation if you like.
>
> Thank you,
>
> Kyel Shippey
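Added example, not part of either message and not MapGuide or FDO code: one way to build the filtered view described in the reply so that NULL and empty geometries never reach the feature reader, and to list the rows that were held back. It assumes the geometry is available as plain WKT text (for instance through AsText()); the table `parcels`, the columns `id` and `geom_wkt`, and the helper `build_safe_view` are hypothetical names, and the rows are constructed.

```python
import re
import sqlite3

# Constructed sample rows; table and column names are assumptions.
SAMPLE_ROWS = [
    (1, "POINT(10 20)"),
    (2, "POINT()"),
    (3, "LINESTRING()"),
    (4, "POLYGON()"),
    (5, None),
    (6, "LINESTRING(0 0, 5 5)"),
    (7, "polygon (( ))"),
    (8, "POINT EMPTY"),
]

_IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")

# Plain WKT with no digit carries no coordinates: this covers POINT(),
# POLYGON(()) and the "EMPTY" keyword. NULL never satisfies GLOB either.
# Assumes plain WKT; an EWKT "SRID=4326;" prefix would defeat the check.
HAS_COORDS = "{col} GLOB '*[0-9]*'"


def build_safe_view(conn, table, geom_col, key_col="id"):
    """Create <table>_safe without NULL/empty geometries; return rejected keys."""
    for name in (table, geom_col, key_col):
        if not _IDENT.match(name):  # identifiers cannot be bound as parameters
            raise ValueError(f"unsafe identifier: {name!r}")
    cond = HAS_COORDS.format(col=geom_col)
    conn.execute(f"DROP VIEW IF EXISTS {table}_safe")
    conn.execute(f"CREATE VIEW {table}_safe AS SELECT * FROM {table} WHERE {cond}")
    rejected = conn.execute(
        f"SELECT {key_col} FROM {table} "
        f"WHERE {geom_col} IS NULL OR NOT ({cond}) ORDER BY {key_col}"
    ).fetchall()
    return [row[0] for row in rejected]


def demo():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE parcels (id INTEGER PRIMARY KEY, geom_wkt TEXT)")
    conn.executemany("INSERT INTO parcels VALUES (?, ?)", SAMPLE_ROWS)
    rejected = build_safe_view(conn, "parcels", "geom_wkt")
    kept = [r[0] for r in conn.execute("SELECT id FROM parcels_safe ORDER BY id")]
    conn.close()
    return kept, rejected


if __name__ == "__main__":
    print(demo())
```

The view uses only built-in SQLite operators, so it behaves the same in any client that opens the file; the returned key list gives the rows to repair or report upstream.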

