Validating filters...
Steve Lime
Steve.Lime at DNR.STATE.MN.US
Fri Aug 31 11:36:53 EDT 2007
You can't override via the syntax map.layer[...] syntax in 5.0 but doing an
attribute query has the same effect. Any suggestions on what sanitization would
look like? If there were a series of patterns that could be applied against
the qstring? We could define a FILTERPATTERN and apply it... Need to do
something for 5.0 in my opinion.
Steve
>>> Frank Warmerdam <warmerdam at pobox.com> 08/31/07 10:12 AM >>>
Steve Lime wrote:
> Hi guys: Question for the driver maintainers. What do the various drivers do
> to validate layer->filter values before they are passed to the underlying
> processing engine. The reason I ask is that attribute queries pass the value
> for qstring directly from the URL to the driver via the FILTER. That code
> doesn't attempt to sanitize the value at all. It doesn't know what to escape
> for say with PostgreSQL vs. SDE vs. Oracle. I'm worried about the
> possibility of SQL injection...
Steve,
OGR itself makes no effort to sanitize or check attribute filters before
evaluating them against the datastore - i.e. run them inside the database.
I skimmed mapogr.cpp and there is no sign of checking there either.
So, I think it is quite dangerous to default to allowing the FILTER
to be overridden by url.
Best regards,
--
---------------------------------------+--------------------------------------
I set the clouds in motion - turn up | Frank Warmerdam, warmerdam at pobox.com
light and sound - activate the windows | http://pobox.com/~warmerdam
and watch the world go round - Rush | President OSGeo, http://osgeo.org
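Steve's FILTERPATTERN idea above (a pattern applied to qstring before it reaches any driver), as an added example that is not code from this thread or from MapServer; `filter_pattern_accepts`, `MAX_QSTRING_LEN` and the sample pattern and qstrings are assumptions constructed for illustration.

```c
#include <regex.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical FILTERPATTERN check (names are assumptions, not MapServer
 * API): the mapfile author declares an allow-list regular expression for a
 * layer, and a URL-supplied qstring is handed to the driver only if the
 * whole string matches it. Anything else is rejected up front. */
#define MAX_QSTRING_LEN 256

/* Returns 1 if qstring is accepted, 0 if rejected (fails closed on error). */
int filter_pattern_accepts(const char *pattern, const char *qstring)
{
    regex_t re;
    char anchored[512];
    int rc;
    if (pattern == NULL || qstring == NULL)
        return 0;
    if (strlen(qstring) > MAX_QSTRING_LEN)   /* bound the input length too */
        return 0;
    /* Anchor the pattern so a partial match cannot let extra text through. */
    if (snprintf(anchored, sizeof anchored, "^(%s)$", pattern)
            >= (int)sizeof anchored)
        return 0;
    if (regcomp(&re, anchored, REG_EXTENDED | REG_NOSUB) != 0)
        return 0;                            /* unparseable pattern: reject */
    rc = regexec(&re, qstring, 0, NULL, 0);
    regfree(&re);
    return rc == 0;
}

int main(void)
{
    /* Constructed sample pattern: "<column> = '<alphanumeric text>'". */
    const char *pattern = "[A-Za-z_]+ = '[A-Za-z0-9 ]*'";
    /* Constructed sample qstrings as they might arrive in a URL. */
    const char *samples[] = {
        "NAME = 'Duluth'",
        "NAME = 'Duluth' OR 1=1",
        ""
    };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-24s -> %s\n", samples[i],
               filter_pattern_accepts(pattern, samples[i]) ? "accepted"
                                                             : "rejected");
    return 0;
}
```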