Validating filters...

Steve Lime Steve.Lime at DNR.STATE.MN.US
Fri Aug 31 12:42:22 EDT 2007


Sorry to keep talking to myself. One other idea would be to use a metadata value
since this really only affects the CGI. Runtime subs are subject to a regex check using
a metadata key like param_validation_pattern. We could simply require a qstring_validation_pattern
for the layer to be queried. We'd apply it in mapserv.c right before calling msQueryByAttribute.

Steve
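The check Steve sketches above, written out as an added example (this is not MapServer code, and the metadata key name "qstring_validation_pattern" plus the flat key/value lookup below are assumptions standing in for the layer metadata hash): the query string from the URL is tested against a per-layer anchored POSIX regex before it is allowed anywhere near the driver, and a layer that carries no pattern is simply not queryable by attribute.

```c
/* Added example, not MapServer source: validate an attribute-query string
 * against a per-layer regex before it reaches the data driver.
 * Assumptions: the metadata key "qstring_validation_pattern" and the
 * lookup helper below stand in for MapServer's layer metadata table. */
#include <regex.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a layer's METADATA block: a flat key/value list. */
typedef struct {
    const char *key;
    const char *value;
} metadata_entry;

typedef struct {
    const char *name;
    const metadata_entry *metadata;
    size_t nmetadata;
} layer_info;

/* Hypothetical lookup; MapServer keeps metadata in a hash table instead. */
static const char *lookup_metadata(const layer_info *layer, const char *key)
{
    size_t i;
    for (i = 0; i < layer->nmetadata; i++)
        if (strcmp(layer->metadata[i].key, key) == 0)
            return layer->metadata[i].value;
    return NULL;
}

/* Returns 1 if qstring matches the layer's pattern, 0 otherwise.
 * A missing pattern, a pattern that fails to compile, or a non-matching
 * qstring all reject: the check fails closed, so a layer without a pattern
 * cannot be queried by attribute from the URL at all. The pattern itself
 * should be anchored (^...$) so that a partial match is not enough. */
int validate_qstring(const layer_info *layer, const char *qstring)
{
    const char *pattern;
    regex_t re;
    int rc;

    if (layer == NULL || qstring == NULL)
        return 0;

    pattern = lookup_metadata(layer, "qstring_validation_pattern");
    if (pattern == NULL)
        return 0;

    /* REG_EXTENDED: ERE syntax; REG_NOSUB: no capture groups are needed. */
    if (regcomp(&re, pattern, REG_EXTENDED | REG_NOSUB) != 0)
        return 0;

    rc = regexec(&re, qstring, 0, NULL, 0);
    regfree(&re);
    return rc == 0;
}

/* Constructed sample layer: only letters, digits, spaces and underscores
 * are allowed in a query value, and the pattern is anchored at both ends. */
static const metadata_entry sample_metadata[] = {
    { "qstring_validation_pattern", "^[A-Za-z0-9_ ]+$" },
};
const layer_info sample_layer = { "counties", sample_metadata, 1 };
/* Constructed layer that carries no pattern at all. */
const layer_info unguarded_layer = { "roads", NULL, 0 };

int main(void)
{
    const char *inputs[] = { "Hennepin", "Hennepin'; --", "" };
    size_t i;
    for (i = 0; i < sizeof inputs / sizeof inputs[0]; i++)
        printf("%-16s -> %s\n", inputs[i],
               validate_qstring(&sample_layer, inputs[i]) ? "accepted" : "rejected");
    printf("layer without pattern -> %s\n",
           validate_qstring(&unguarded_layer, "Hennepin") ? "accepted" : "rejected");
    return 0;
}
```

The point of failing closed is that the allow-list lives with the layer rather than in the CGI: whoever writes the mapfile decides which characters a query value for that layer may contain, and anything outside that set, including quotes and statement separators, never reaches the driver regardless of which backend it speaks to.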

>>> Steve Lime 08/31/07 11:10 AM >>>
I think we'll need a filterpattern at the layer or map level to handle this. I don't see
any way to cover all the bases without users being able to apply something custom.

Other ideas or objections?

Steve

>>> Steve Lime <Steve.Lime at DNR.STATE.MN.US> 08/31/07 10:36 AM >>>
You can't override via the map.layer[...] syntax in 5.0 but doing an
attribute query has the same effect. Any suggestions on what sanitization would
look like? If there were a series of patterns that could be applied against
the qstring? We could define a FILTERPATTERN and apply it... Need to do
something for 5.0 in my opinion.

Steve

>>> Frank Warmerdam <warmerdam at pobox.com> 08/31/07 10:12 AM >>>
Steve Lime wrote:
> Hi guys: Question for the driver maintainers. What do the various drivers do
> to validate layer->filter values before they are passed to the underlying
> processing engine. The reason I ask is that attribute queries pass the value
> for qstring directly from the URL to the driver via the FILTER. That code
> doesn't attempt to sanitize the value at all. It doesn't know what to escape
> for say with PostgreSQL vs. SDE vs. Oracle. I'm worried about the
> possibility of SQL injection...

Steve,

OGR itself makes no effort to sanitize or check attribute filters before
evaluating them against the datastore - i.e. run them inside the database.

I skimmed mapogr.cpp and there is no sign of checking there either.

So, I think it is quite dangerous to default to allowing the FILTER
to be overridden by url.

Best regards,
-- 
---------------------------------------+--------------------------------------
I set the clouds in motion - turn up   | Frank Warmerdam, warmerdam at pobox.com
light and sound - activate the windows | http://pobox.com/~warmerdam
and watch the world go round - Rush    | President OSGeo, http://osgeo.org