[TinyOWS-dev] [tinyows] #30: Literals in filter encoding and validation to know if it is a text or not
Olivier Courtin
olivier.courtin at gmail.com
Thu Apr 23 02:00:15 EST 2009
Assefa,
> Sorry for the delay on this one. I committed a 'partial' fix allowing to
> detect if a value passed is numeric (r134)
Ok thanks for this !
> I was not sure exactly what should be done to prevent any SQL injection or
> even if it has to be done only here . Here is an interesting read about
> this http://www.securityfocus.com/infocus/1768.
Yep,
All the controls and checks should be done for common parameters in
ows_request.c.
Filter Encoding is a specific one, as we could only check at this stage that
it validates against the FE Schema. And we use some of the FE content to
build the SQL query. So there's a specific risk there.
> Maybe we should close this bug
> and open a specific bug on the SQL injection?
If the behaviour is Ok for you, just do.
Yes we could, right now I'm still focused on OGC WFS unit tests,
but we will need more unit tests to check:
- Security aspects
- TinyOWS configuration directives
- Other output formats than GML
- ...
--
Olivier
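The risk described in the message above is that an FE literal is copied into SQL text, so a literal classified as "text" must be quoted safely and one classified as "numeric" must really be just a number. The following is an added example written for this thread, not TinyOWS code from r134 or any other revision: it shows a stricter numeric check than a bare strtod() (which silently accepts leading whitespace, hex, "inf"/"nan" and trailing garbage), a plain-identifier check for the PropertyName, and single-quote doubling for text literals. Function names (fe_literal_is_numeric, fe_sql_literal, fe_equal_predicate, fe_is_plain_identifier, fe_predicate_equals) and the sample literals are assumptions of this example; the quoting rule assumes PostgreSQL with standard_conforming_strings=on, where backslash is not an escape inside '...'.

```c
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* 1 if `lit` is entirely a plain decimal number (optional sign, digits,
 * '.', exponent); 0 otherwise. strtod() alone is not enough: it accepts
 * leading whitespace, hex ("0x1A"), "inf"/"nan" and stops silently at
 * trailing garbage, so the character set is restricted first and the
 * whole string must be consumed. */
int fe_literal_is_numeric(const char *lit)
{
    const char *p;
    char *end;

    if (lit == NULL || *lit == '\0')
        return 0;
    for (p = lit; *p; p++) {
        if (!isdigit((unsigned char)*p) && *p != '.' && *p != '-' &&
            *p != '+' && *p != 'e' && *p != 'E')
            return 0;
    }
    errno = 0;
    strtod(lit, &end);
    return errno == 0 && end != lit && *end == '\0';
}

/* 1 if `name` is a plain SQL identifier ([A-Za-z_][A-Za-z0-9_]*), which is
 * what a PropertyName should look like once any namespace prefix is gone.
 * A real implementation would also check it against the layer's columns. */
int fe_is_plain_identifier(const char *name)
{
    const char *p;

    if (name == NULL || !(isalpha((unsigned char)*name) || *name == '_'))
        return 0;
    for (p = name + 1; *p; p++)
        if (!isalnum((unsigned char)*p) && *p != '_')
            return 0;
    return 1;
}

/* Write a SQL literal for `lit` into buf[size]. Numeric literals go in bare;
 * everything else becomes a single-quoted string with each ' doubled.
 * Assumption: standard_conforming_strings=on, so backslash is literal inside
 * '...' (with it off, E'' syntax or PQescapeStringConn() must be used).
 * Returns 0 on success, -1 if the result would not fit. */
int fe_sql_literal(char *buf, size_t size, const char *lit)
{
    size_t out = 0;
    const char *p;

    if (fe_literal_is_numeric(lit)) {
        if (strlen(lit) + 1 > size) return -1;
        strcpy(buf, lit);
        return 0;
    }
    if (out + 1 >= size) return -1;
    buf[out++] = '\'';
    for (p = lit; *p; p++) {
        size_t need = (*p == '\'') ? 2 : 1;
        if (out + need >= size) return -1;
        buf[out++] = *p;
        if (*p == '\'') buf[out++] = '\'';
    }
    if (out + 1 >= size) return -1;   /* closing quote plus NUL */
    buf[out++] = '\'';
    buf[out] = '\0';
    return 0;
}

/* Build "<prop> = <literal>" for a PropertyIsEqualTo. Returns 0 on success,
 * -1 if the property name is not a plain identifier or the output does not fit. */
int fe_equal_predicate(char *buf, size_t size, const char *prop, const char *lit)
{
    char value[256];
    int n;

    if (!fe_is_plain_identifier(prop)) return -1;
    if (fe_sql_literal(value, sizeof value, lit) != 0) return -1;
    n = snprintf(buf, size, "%s = %s", prop, value);
    return (n < 0 || (size_t)n >= size) ? -1 : 0;
}

/* Check helper: 1 if fe_equal_predicate(prop, lit) produces exactly `expect`. */
int fe_predicate_equals(const char *prop, const char *lit, const char *expect)
{
    char sql[512];

    if (fe_equal_predicate(sql, sizeof sql, prop, lit) != 0) return 0;
    return strcmp(sql, expect) == 0;
}

int main(void)
{
    /* constructed sample literals, including a classic quote-breaking attempt */
    const char *samples[] = { "42", "-3.5e2", "O'Reilly", "1' OR '1'='1", "0x1A" };
    char sql[512];
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        if (fe_equal_predicate(sql, sizeof sql, "name", samples[i]) == 0)
            printf("%-16s numeric=%d -> %s\n", samples[i],
                   fe_literal_is_numeric(samples[i]), sql);
    }
    return 0;
}
```

Quoting the literal is the minimum; the cleaner design is to keep literals out of the SQL text entirely and pass them as parameters (PQexecParams in libpq), which removes the quoting question and also lets the server type-check a numeric literal against the column type.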