[TinyOWS-dev] A few bug reports...

Okapi okapi at lapatate.org
Tue Oct 5 18:56:58 EST 2010


Hi,

Here is a patch for the first issue, "#36 Prevent SQL Injections
coming from the requests".
I have tested it with simple quotes, double quotes, and "&", with both
feature insertion & update. It works.

Will come back soon for the other issues.

I remember another one:
For insertions or updates, the XML validator seems to expect feature
attribute elements (<feature:*>) to be in the same order as the database
fields. I think this is a bug. Isn't it?


Okapi


2010/9/30 Olivier Courtin <olivier.courtin at oslandia.com>:
>
> On Sep 28, 2010, at 11:23 PM, Okapi wrote:
>
>
> Hi,
>
>> First of all, thanks for all the work done on this project and letting
>> me access my PostGIS features more easily than any other program would
>> do!
>> I appreciate hosting a light CGI for the WFS service, rather than a
>> heavy Java solution consuming memory permanently.
>
> Thanks :)
>
>>
>> I have a few bugs to report, which do not seem to appear in the Active
>> tickets report. I'm using the code of revision 313.
>>
>> ------------
>> 1. Strings not escaped properly in pg queries
>>   TinyOWS fails to insert features containing a string with a quote!
>>   wfs_insert_xml() inserts features into the DB through calling
>> wfs_retrieve_value() to encode the string and enclose it within quotes.
>> That function should use the PG native escape function rather than
>> xmlEncodeSpecialChars().
>>
>>   I saw "#36 Prevent SQL Injections coming from the requests":
>> indeed, if quotes are not escaped, the SQL injection is very easy to
>> do. This bug, if confirmed, is a severe and urgent one!
>
> Ok, I agree this one is now becoming the priority!
> Had to check also on the update operation and in the filter encoding string.
>
>
>> 2. First declared namespace applies to all layers in config
>>   Example (keeping only <layer> elements and only the "server"
>> attribute):
>>   <tinyows>
>>       <layer name="layer1" server="http://test.domain.net/"/>
>>       <layer name="layer2" server="http://other.domain.net/"/>
>>       <layer name="layer3" server="http://yet.another.domain.net/"/>
>>   </tinyows>
>>   Here, all three layers will appear to be in schema
>> "http://test.domain.net/".
>>   I noticed that by using test/unit_test with OWS_DEBUG=1 to
>> understand why "xml isn't valid". Reading in the XML parser messages
>> what fully-qualified element names it expects, I understood that it
>> expected <http://test.domain.net/:layer2> and not
>> <http://other.domain.net/:layer2>. I changed things around to check,
>> and it seems that the first declared layer imposes its namespace to
>> all others.
>>
>
> Ok,
>
>>
>> 3. $TINYOWS_CONFIG_FILE confused with /usr/local/...'s
>>   This way of setting the config path is just the perfect way. With
>> a SetEnv directive in the Apache virtual host, it's easy for each
>> website to have its own tinyows.xml. That's what I do and I needed
>> it.
>>   But I got a strange behaviour: the layers in the
>> $TINYOWS_CONFIG_FILE file which are not also declared in the site
>> config file were not taken into account. `tinyows --check` is OK
>> though, but schema validation for Insert requests seems to read the
>> other file. The DescribeFeatureType request is OK though. And
>> unit/unit_test seems also to ignore the env variable for an Insert
>> request.
>>   I haven't yet checked the code for possible duplicate code related
>> to config file loading.
>
> Strange indeed as config file access is centralized and performed so
> early in the process.
>
>
>
>> ------------
>>
>> That's all for now!
>
> Thanks for all these detailed reports!
>
>>
>> I'm sending this to the dev ML as I have no right to post them to the
>> trac. How should I report them in the future?
>
> You just have to create a new account on trac,
> and then login with it to be able to create a new ticket
> (or to write on WIKI)
>
>> I can try to fix these issues in the code, but I need some basic
>> explanations about how things are managed related to these issues.
>
> You're welcome !
> I can provide explanations to help you on this,
>
> Don't hesitate to send a patch.
>
> (Will not have time before tomorrow evening to look on the first one.)
>
>
> --
> Olivier
> _______________________________________________
> TinyOWS-dev mailing list
> TinyOWS-dev at lists.maptools.org
> http://lists.maptools.org/mailman/listinfo/tinyows-dev
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: tinyows.ticket36.sqlEscaping.diff
Type: text/x-patch
Size: 993 bytes
Desc: not available
Url : http://lists.maptools.org/pipermail/tinyows-dev/attachments/20101006/7e31fa1a/attachment.bin 
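As an added illustration of the escaping point in item 1 of the quoted report (this is example code written for this page, not TinyOWS's wfs_retrieve_value() and not libxml2's code): the first function reproduces the substitutions libxml2's xmlEncodeSpecialChars() makes, the second models "encode, then enclose in quotes" as the report describes it, and the third builds a SQL literal the way PostgreSQL expects. The function names xml_encode_special_chars, xml_then_wrap, sql_quote_literal and is_wellformed_literal are mine, the sample value is constructed, and the code assumes standard_conforming_strings is on.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Re-implementation of the substitutions libxml2's xmlEncodeSpecialChars()
 * makes (example code, not libxml2's): <, >, &, " and CR become entities.
 * The apostrophe is NOT touched, which is exactly why this is the wrong
 * tool for building a single-quoted SQL literal. */
char *xml_encode_special_chars(const char *in)
{
    size_t cap = strlen(in) * 6 + 1;        /* "&quot;" is the widest expansion */
    char *out = malloc(cap);
    char *p = out;

    for (; *in; in++) {
        switch (*in) {
        case '<':  p += sprintf(p, "&lt;");   break;
        case '>':  p += sprintf(p, "&gt;");   break;
        case '&':  p += sprintf(p, "&amp;");  break;
        case '"':  p += sprintf(p, "&quot;"); break;
        case '\r': p += sprintf(p, "&#13;");  break;
        default:   *p++ = *in;
        }
    }
    *p = '\0';
    return out;
}

/* Models the behaviour the report describes (hypothetical, not TinyOWS
 * code): XML-encode the value, then wrap it in single quotes. */
char *xml_then_wrap(const char *in)
{
    char *enc = xml_encode_special_chars(in);
    char *out = malloc(strlen(enc) + 3);    /* two quotes plus NUL */
    sprintf(out, "'%s'", enc);
    free(enc);
    return out;
}

/* Correct quoting for a PostgreSQL string literal: surround with single
 * quotes and double every embedded single quote. Assumes
 * standard_conforming_strings = on (the PostgreSQL default since 9.1), so
 * backslashes are ordinary characters. Production code should call
 * libpq's PQescapeLiteral()/PQescapeStringConn(), which also take the
 * connection's encoding into account, or use PQexecParams() and pass the
 * value as a parameter so no quoting is needed at all. */
char *sql_quote_literal(const char *in)
{
    char *out = malloc(strlen(in) * 2 + 3);
    char *p = out;

    *p++ = '\'';
    for (; *in; in++) {
        if (*in == '\'')
            *p++ = '\'';                    /* '' is a literal apostrophe */
        *p++ = *in;
    }
    *p++ = '\'';
    *p = '\0';
    return out;
}

/* Check that a quoted literal is well formed: it must start and end with
 * a single quote and every interior quote must be doubled. A lone interior
 * quote would end the literal early and let the rest of the value be
 * parsed as SQL. Returns 1 when well formed, 0 otherwise. */
int is_wellformed_literal(const char *lit)
{
    size_t n = strlen(lit);

    if (n < 2 || lit[0] != '\'' || lit[n - 1] != '\'')
        return 0;
    for (size_t i = 1; i < n - 1; i++) {
        if (lit[i] == '\'') {
            if (i + 1 < n - 1 && lit[i + 1] == '\'') {
                i++;                        /* doubled quote: fine */
                continue;
            }
            return 0;
        }
    }
    return 1;
}

int main(void)
{
    const char *value = "O'Brien & Sons";   /* constructed sample attribute value */
    char *bad  = xml_then_wrap(value);
    char *good = sql_quote_literal(value);

    printf("xml-encoded then wrapped: %s  (well formed: %d)\n", bad, is_wellformed_literal(bad));
    printf("sql-quoted:               %s  (well formed: %d)\n", good, is_wellformed_literal(good));
    free(bad);
    free(good);
    return 0;
}
```

Running it shows the two failure modes the report lists: the XML-encoded path leaves the apostrophe in "O'Brien" unescaped, so the literal is malformed, and it also stores "&amp;" instead of "&", corrupting the attribute; the SQL-quoted path yields a well-formed literal with the value intact.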
