[Qgis-developer] SQL Injection vulnerability

Gino Pirelli luipir at gmail.com
Thu Mar 6 03:10:02 PST 2014


Hi,

I was expanding the saveStyle functionality in the SpatiaLite provider using the
same code model used in the PostgreSQL provider.
Reading the C++ code of the provider, I figured out a possible vulnerability
to SQL injection.

The QGIS PostgreSQL provider [1] extensively uses two internal functions to
prevent injection:

[2] QString QgsPostgresConn::quotedValue( QVariant value )

and

[3] QString QgsPostgresConn::quotedIdentifier( QString ident )

but they quote only ' or \ so they are -not- enough for complete SQL
injection protection [4].


Every DB has its internal functions to manage these cases, but it is better to
use parametrized queries, as is done in many parts of the provider... but not
in all parts.


Using parametrized queries needs an extensive rewrite of the providers... an
intermediate approach is to add specific quote_* calls in the above
functions.


Let me know what you think.


Luigi Pirelli (luigi.pirelli at faunalia.it - luipir at gmail.com)


[1] https://github.com/qgis/QGIS/blob/master/src/providers/postgres/qgspostgresprovider.cpp

[2] https://github.com/qgis/QGIS/blob/master/src/providers/postgres/qgspostgresconn.cpp#L752

[3] https://github.com/qgis/QGIS/blob/master/src/providers/postgres/qgspostgresconn.cpp#L759

[4] http://www.sqlinjectionwiki.com/Categories.aspx?catId=4
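The two approaches the mail contrasts, as an added example that is not part of the original message and not QGIS code. Because the poster is working on the SpatiaLite provider, it uses Python's standard `sqlite3` module against a constructed in-memory `layer_styles` table; the helper names `quoted_identifier()` / `quoted_value()` are modelled loosely on the shape of the PostgreSQL provider's functions but are assumptions, not the QGIS implementations. The point it shows: values can be bound as parameters and never touch the statement text, while identifiers (table names) cannot be bound, so they still need quoting plus an allow-list check against the catalog.

```python
"""Saving a layer style: escaping into SQL text vs. bound parameters.

Assumptions (constructed, not from the QGIS code base): an in-memory SQLite
database with a ``layer_styles`` table standing in for the SpatiaLite one,
and helpers named after, but not identical to, quotedIdentifier()/quotedValue().
"""
import sqlite3

SCHEMA = """
CREATE TABLE layer_styles (
    id INTEGER PRIMARY KEY,
    f_table_name TEXT NOT NULL,
    styleName    TEXT NOT NULL,
    styleQML     TEXT NOT NULL
)
"""


def open_db() -> sqlite3.Connection:
    """Constructed in-memory database: the style table plus one spatial table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.execute('CREATE TABLE "roads" (pk INTEGER PRIMARY KEY, name TEXT)')
    return conn


def quoted_identifier(ident: str) -> str:
    """Quote an identifier: double embedded double quotes, wrap in "...".
    Identifiers cannot be bound as parameters, so this is the one place where
    building SQL text from a user-supplied name is unavoidable."""
    return '"' + ident.replace('"', '""') + '"'


def quoted_value(value) -> str:
    """Escape a literal by doubling single quotes, the style the mail discusses.
    It is only as complete as the backend's literal syntax allows (hypothetical
    helper, not the PostgreSQL provider's quotedValue())."""
    if value is None:
        return "NULL"
    if isinstance(value, (int, float)) and not isinstance(value, bool):
        return repr(value)
    return "'" + str(value).replace("'", "''") + "'"


def table_exists(conn: sqlite3.Connection, table: str) -> bool:
    """Allow-list check: only names present in the catalog may be interpolated."""
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (table,)
    ).fetchone()
    return row is not None


def save_style_by_escaping(conn, table, style_name, qml) -> None:
    """Approach 1: every value goes through quoted_value() into the statement."""
    sql = (
        "INSERT INTO layer_styles (f_table_name, styleName, styleQML) "
        "VALUES (%s, %s, %s)"
        % (quoted_value(table), quoted_value(style_name), quoted_value(qml))
    )
    conn.execute(sql)


def save_style_parametrized(conn, table, style_name, qml) -> None:
    """Approach 2: values are bound by the driver and never enter the SQL text.
    The table name is checked against the catalog before it is stored."""
    if not table_exists(conn, table):
        raise ValueError("unknown table: %r" % table)
    conn.execute(
        "INSERT INTO layer_styles (f_table_name, styleName, styleQML) "
        "VALUES (?, ?, ?)",
        (table, style_name, qml),
    )


def count_rows_in(conn, table) -> int:
    """Reading a user-named table: identifier checked then quoted, nothing else
    is string-built."""
    if not table_exists(conn, table):
        raise ValueError("unknown table: %r" % table)
    return conn.execute(
        "SELECT COUNT(*) FROM %s" % quoted_identifier(table)
    ).fetchone()[0]


def load_styles(conn, table) -> list:
    """Return (styleName, styleQML) rows for a table, bound parameter for the name."""
    return [
        tuple(r)
        for r in conn.execute(
            "SELECT styleName, styleQML FROM layer_styles "
            "WHERE f_table_name = ? ORDER BY id",
            (table,),
        )
    ]


def demo() -> list:
    """Round-trip constructed inputs containing ' and \\ through both approaches."""
    conn = open_db()
    awkward_name = "O'Hara's \\ style"
    qml = '<qgis version="2.2"><!-- it\'s a \\ test --></qgis>'
    save_style_parametrized(conn, "roads", awkward_name, qml)
    save_style_by_escaping(conn, "roads", awkward_name, qml)
    return load_styles(conn, "roads")


if __name__ == "__main__":
    for name, body in demo():
        print(repr(name), "->", repr(body))
```

Both approaches store the awkward values intact here because SQLite treats a backslash as an ordinary character; the parametrized path gives the same result on any backend without depending on the escaper knowing that backend's literal rules, which is the mail's argument for preferring it where a rewrite is feasible.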