[PostGIS] #5697: fix or document id escaping for ST_EstimatedExtent params
PostGIS
trac at osgeo.org
Sat Mar 16 00:53:28 PDT 2024
#5697: fix or document id escaping for ST_EstimatedExtent params
----------------------+---------------------------
Reporter: Yuri | Owner: pramsey
Type: defect | Status: new
Priority: medium | Milestone: PostGIS 3.4.3
Component: postgis | Version: 3.4.x
Resolution: | Keywords:
----------------------+---------------------------
Description changed by Yuri:
Old description:
> Function ST_EstimatedExtent -
> https://postgis.net/docs/ST_EstimatedExtent.html has an usual param
> pattern - it requires schema, table, and geometry columns to be strings
> in some uncertain escaping - later it gets used directly without quotes
> in an internal schema/table identity lookup. (uncertain)
>
> As the result, it is not clear what escaping is needed in "complex"
> cases. Moreover, I suspect there might be a security bug here too, but
> not certain.
>
> I could not get this function to run for this (convoluted) case.
>
> {{{
> CREATE SCHEMA """Quotes' and Space.Dot.";
>
> CREATE TABLE """Quotes' and Space.Dot.".". Points"" 'quote"
> (
> "' id '" SERIAL PRIMARY KEY,
> ".namE " TEXT,
> ". '""Geom""" GEOMETRY(POINT, 4326)
> );
>
> INSERT INTO """Quotes' and Space.Dot.".". Points"" 'quote"
> values (1, '02daedc70702ec68753fde38351f5d9d',
> '0101000020E610000050C4D38CE9DA61401EFC0EC7C3DA2740'),
> (2, '7418427ba8a960c3661235f47cc13d46',
> '0101000020E6100000CC2F4170E9DA6140DEDB02B581DA2740');
>
> CREATE INDEX ON """Quotes' and Space.Dot.".". Points"" 'quote" USING GIST
> (". '""Geom""");
>
> SELECT ST_EstimatedExtent(?, ?, ?) as bounds;
>
> }}}
New description:
Function ST_EstimatedExtent -
https://postgis.net/docs/ST_EstimatedExtent.html has an usual param
pattern - it requires schema, table, and geometry columns to be strings in
some uncertain escaping - later it gets used directly without quotes in an
internal schema/table identity lookup. (uncertain)
As the result, it is not clear what escaping is needed in "complex" cases.
Moreover, I suspect there might be a security bug here too, but not
certain.
I could not get this function to run for this (convoluted) case.
{{{
CREATE SCHEMA """Quotes' and Space.Dot.";
CREATE TABLE """Quotes' and Space.Dot.".". Points"" 'quote"
(
"' id '" SERIAL PRIMARY KEY,
".namE " TEXT,
". '""Geom""" GEOMETRY(POINT, 4326)
);
INSERT INTO """Quotes' and Space.Dot.".". Points"" 'quote"
values (1, '02daedc70702ec68753fde38351f5d9d',
'0101000020E610000050C4D38CE9DA61401EFC0EC7C3DA2740'),
(2, '7418427ba8a960c3661235f47cc13d46',
'0101000020E6100000CC2F4170E9DA6140DEDB02B581DA2740');
CREATE INDEX ON """Quotes' and Space.Dot.".". Points"" 'quote" USING GIST
(". '""Geom""");
SELECT ST_EstimatedExtent(?, ?, ?) as bounds;
}}}
An even more convoluted case (might be better as it covers a few more edge
cases):
{{{
CREATE SCHEMA """Quotes' \ \' \"" and Space.Dot.";
CREATE TABLE """Quotes' \ \' \"" and Space.Dot.".". Points"" \ \' \""
'quote"
(
"' id '" SERIAL PRIMARY KEY,
".namE " TEXT,
". ' \ \' \"" ""Geom""" GEOMETRY(POINT, 4326)
);
INSERT INTO """Quotes' \ \' \"" and Space.Dot.".". Points"" \ \' \""
'quote"
values (1, '02daedc70702ec68753fde38351f5d9d',
'0101000020E610000050C4D38CE9DA61401EFC0EC7C3DA2740'),
(2, '7418427ba8a960c3661235f47cc13d46',
'0101000020E6100000CC2F4170E9DA6140DEDB02B581DA2740');
CREATE INDEX ON """Quotes' \ \' \"" and Space.Dot.".". Points"" \ \' \""
'quote" USING GIST (". ' \ \' \"" ""Geom""");
}}}
--
--
Ticket URL: <https://trac.osgeo.org/postgis/ticket/5697#comment:2>
PostGIS <http://trac.osgeo.org/postgis/>
The PostGIS Trac is used for bug, enhancement & task tracking, a user and developer wiki, and a view into the subversion code repository of PostGIS project.
More information about the postgis-tickets
mailing list