Validating filters...

Steve Lime Steve.Lime at DNR.STATE.MN.US
Fri Aug 31 11:36:53 EDT 2007


You can't override via the map.layer[...] syntax in 5.0, but doing an 
attribute query has the same effect. Any suggestions on what sanitization would
look like? If there were a series of patterns that could be applied against
the qstring? We could define a FILTERPATTERN and apply it... Need to do 
something for 5.0 in my opinion.

Steve

>>> Frank Warmerdam <warmerdam at pobox.com> 08/31/07 10:12 AM >>>
Steve Lime wrote:
> Hi guys: Question for the driver maintainers. What do the various drivers do
> to validate layer->filter values before they are passed to the underlying
> processing engine. The reason I ask is that attribute queries pass the value
> for qstring directly from the URL to the driver via the FILTER. That code
> doesn't attempt to sanitize the value at all. It doesn't know what to escape
> for say with PostgreSQL vs. SDE vs. Oracle. I'm worried about the
> possibility of SQL injection...

Steve,

OGR itself makes no effort to sanitize or check attribute filters before
evaluating them against the datastore - ie. run them inside the database.

I skimmed mapogr.cpp and there is no sign of checking there either.

So, I think it is quite dangerous to default to allowing the FILTER
to be overridden by url.

Best regards,
-- 
---------------------------------------+--------------------------------------
I set the clouds in motion - turn up   | Frank Warmerdam, warmerdam at pobox.com
light and sound - activate the windows | http://pobox.com/~warmerdam
and watch the world go round - Rush    | President OSGeo, http://osgeo.org

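The check Steve sketches above (a per-layer pattern applied to the qstring before it becomes the FILTER), worked through as an added example. This is not MapServer code and not how the project implemented anything; the FILTERPATTERN keyword, the function names, the column name and the two sample qstring values are all assumptions made up for the illustration. The point it shows is the one Frank raises: since neither OGR nor mapogr.cpp escapes the filter, and the right escaping differs per backend, an anchored allowlist pattern rejects a hostile value before any backend sees it.

```c
#include <regex.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical FILTERPATTERN check (not MapServer code): the qstring taken
 * from the URL is accepted only if the whole value matches a POSIX extended
 * regex configured for the layer. The pattern is wrapped in ^( )$ so that a
 * top-level alternation such as "a|b" cannot escape the anchors. */
int filter_pattern_ok(const char *pattern, const char *qstring)
{
    regex_t re;
    char anchored[512];
    int rc;

    if (!pattern || !qstring) return 0;
    if (strlen(pattern) + 5 > sizeof anchored) return 0;   /* "^(" + pattern + ")$" + NUL */
    snprintf(anchored, sizeof anchored, "^(%s)$", pattern);

    if (regcomp(&re, anchored, REG_EXTENDED | REG_NOSUB) != 0)
        return 0;                           /* unusable pattern: fail closed */
    rc = regexec(&re, qstring, 0, NULL, 0);
    regfree(&re);
    return rc == 0;
}

/* Build the attribute-query FILTER the way the thread describes it (qstring
 * substituted verbatim, no backend-specific escaping) but only after the
 * pattern check. Returns 1 and fills out on success; 0 with out empty when
 * the value is refused or would not fit. */
int build_filter(char *out, size_t outlen, const char *column,
                 const char *pattern, const char *qstring)
{
    out[0] = '\0';
    if (!filter_pattern_ok(pattern, qstring)) return 0;
    if (snprintf(out, outlen, "%s = '%s'", column, qstring) >= (int)outlen) {
        out[0] = '\0';                      /* truncated: refuse rather than send a partial filter */
        return 0;
    }
    return 1;
}

int main(void)
{
    /* Constructed sample values standing in for a qstring arriving via the URL. */
    const char *pattern = "[A-Za-z ]{1,40}";    /* assumed shape of a county name */
    const char *benign  = "Hennepin";
    const char *hostile = "x' OR 1=1 --";       /* would reach the database unchanged without the check */
    char filter[256];

    printf("%-14s -> %s\n", benign,
           build_filter(filter, sizeof filter, "COUNTY_NAME", pattern, benign) ? filter : "REFUSED");
    printf("%-14s -> %s\n", hostile,
           build_filter(filter, sizeof filter, "COUNTY_NAME", pattern, hostile) ? filter : "REFUSED");
    return 0;
}
```

The pattern is an allowlist of what the value may look like, not a denylist of SQL metacharacters, so the same check works whether the driver talks to PostgreSQL, SDE or Oracle. A pattern that fails to compile is treated as a refusal rather than as "no restriction", and so is an empty qstring when the pattern requires at least one character.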


More information about the mapserver-dev mailing list