[TinyOWS-dev] A few bug reports...

Okapi okapi at lapatate.org
Tue Oct 5 18:56:58 EST 2010


Here is a patch for the first issue, "#36 Prevent SQL Injections
coming from the requests".
I have tested it with simple quotes, double quotes, and "&", with both
feature insertion & update. It works.

Will come back soon for the other issues.

I remember another one:
For insertions or updates, the XML validator seems to expect feature
attribute elements (<feature:*>) to be in the same order as the database
fields. I think this is a bug, isn't it?


2010/9/30 Olivier Courtin <olivier.courtin at oslandia.com>:
> On Sep 28, 2010, at 11:23 PM, Okapi wrote:
> Hi,
>> First of all, thanks for all the work done on this project and letting
>> me access my PostGIS features more easily that any other program would
>> do!
>> I appreciate hosting a light CGI for the WFS service, rather than a
>> heavy Java solution consuming memory permanently.
> Thanks :)
>> I have a few bugs to report, which do not seem to appear in the Active
>> tickets report. I'm using the code of revision 313.
>> ------------
>> 1. Strings not escaped properly in pg queries
>>   TinyOWS fails to insert features containing a string with a quote!
>>   wfs_insert_xml() inserts features into the DB by calling
>> wfs_retrieve_value() to encode the string and enclose it within quotes.
>> That function should use the PG native escape function rather than
>> xmlEncodeSpecialChars().
>>   I saw "#36 Prevent SQL Injections coming from the requests":
>> indeed, if quotes are not escaped, SQL injection is very easy to
>> do. This bug, if confirmed, is a severe and urgent one!
> Ok, I agree this one is now becoming the priority!
> Have to check also the update operation and the filter encoding strings.
>> 2. First declared namespace applies to all layers in config
>>   Example (keeping only <layer> elements and only the "server"
>> attribute):
>>   <tinyows>
>>       <layer name="layer1" server="http://test.domain.net/"/>
>>       <layer name="layer2" server="http://other.domain.net/"/>
>>       <layer name="layer3" server="http://yet.another.domain.net/"/>
>>   </tinyows>
>>   Here, all three layers will appear to be in the schema
>> "http://test.domain.net/".
>>   I noticed that by using test/unit_test with OWS_DEBUG=1 to
>> understand why "xml isn't valid". Reading in the XML parser messages
>> what fully-qualified element names it expects, I understood that it
>> expected <http://test.domain.net/:layer2> and not
>> <http://other.domain.net/:layer2>. I changed things around to check,
>> and it seems that the first declared layer imposes its namespace on
>> all others.
> Ok,
>> 3. $TINYOWS_CONFIG_FILE confused with /usr/local/...'s
>>   This way of setting the config path is just perfect. With
>> a SetEnv directive in the Apache virtual host, it's easy for each
>> website to have its own tinyows.xml. That's what I do and I needed
>> it.
>>   But I got a strange behaviour: the layers in the
>> $TINYOWS_CONFIG_FILE file which are not also declared in the site
>> config file were not taken into account. `tinyows --check` is OK
>> though, but schema validation for Insert requests seems to read the
>> other file. The DescribeFeatureType request is OK though. And
>> unit/unit_test seems also to ignore the env variable for an Insert
>> request.
>>   I haven't yet checked the code for possible duplicate code related
>> to config file loading.
> Strange indeed, as config file access is centralized and performed so
> early in the process.
>> ------------
>> That's all for now!
> Thanks for all these detailed reports!
>> I'm sending this to the dev ML as I have no right to post them to the
>> trac. How should I report them in the future?
> You just have to create a new account on trac,
> and then login with it to be able to create a new ticket
> (or to write on WIKI)
>> I can try to fix these issues in the code, but I need some basic
>> explanations about how things are managed related to these issues.
> You're welcome!
> I can provide explanations to help you on this,
> Don't hesitate to send patches.
> (Will not have time before tomorrow evening to look on the first one.)
> --
> Olivier
> _______________________________________________
> TinyOWS-dev mailing list
> TinyOWS-dev at lists.maptools.org
> http://lists.maptools.org/mailman/listinfo/tinyows-dev
-------------- next part --------------
A non-text attachment was scrubbed...
Name: tinyows.ticket36.sqlEscaping.diff
Type: text/x-patch
Size: 993 bytes
Desc: not available
Url : http://lists.maptools.org/pipermail/tinyows-dev/attachments/20101006/7e31fa1a/attachment.bin 
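The escaping problem in item 1, as an added illustration that is not code from TinyOWS or from the attached patch: an XML entity encoder leaves the single quote alone, so the literal that wfs_retrieve_value() builds around the value closes early, while PostgreSQL-style quote doubling keeps it intact. The function names, the stand-in encoders and the literal checker are constructed for this example.

```c
#include <stdlib.h>
#include <string.h>

/* Builds 'value' the way wfs_retrieve_value() does, but with the body escaped by an
 * XML entity encoder (a stand-in for xmlEncodeSpecialChars(), not libxml2's code):
 * & < > are rewritten, the single quote that delimits an SQL literal is not. */
static char *literal_xml_escaped(const char *in)
{
    char *out = malloc(strlen(in) * 5 + 3), *p = out;
    *p++ = '\'';
    for (; *in; in++) {
        const char *ent = *in == '&' ? "&amp;" : *in == '<' ? "&lt;"
                        : *in == '>' ? "&gt;" : NULL;
        if (ent) { strcpy(p, ent); p += strlen(ent); } else *p++ = *in;
    }
    *p++ = '\''; *p = '\0';
    return out;
}

/* Same literal, body escaped the PostgreSQL way (standard_conforming_strings=on):
 * every single quote is doubled. Real code should call libpq's PQescapeLiteral()
 * or PQescapeStringConn(), or pass values as parameters via PQexecParams();
 * this hand-written copy only keeps the example runnable offline. */
static char *literal_pg_escaped(const char *in)
{
    char *out = malloc(strlen(in) * 2 + 3), *p = out;
    *p++ = '\'';
    for (; *in; in++) {
        if (*in == '\'') *p++ = '\'';   /* ' becomes '' */
        *p++ = *in;
    }
    *p++ = '\''; *p = '\0';
    return out;
}

/* Returns 1 if lit is exactly one complete literal (inner quotes doubled), 0 if an
 * unescaped quote closes it early, leaving a tail the server would parse as SQL. */
static int literal_is_closed(const char *lit)
{
    size_t n = strlen(lit);
    if (n < 2 || lit[0] != '\'' || lit[n - 1] != '\'') return 0;
    for (size_t i = 1; i < n - 1; i++) {
        if (lit[i] != '\'') continue;
        if (lit[i + 1] != '\'' || i + 1 >= n - 1) return 0;  /* lone quote */
        i++;                                                /* skip the pair */
    }
    return 1;
}
```

Feeding "O'Reilly" through both paths shows the difference: the XML-escaped literal fails the check, the PG-escaped one passes, and a value such as "a&b" passes the check but is stored as "a&amp;b", the second reason the XML encoder is the wrong tool here.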