[TinyOWS-dev] A few bug reports...

Okapi okapi at lapatate.org
Tue Sep 28 16:23:56 EST 2010


Hi,

First of all, thanks for all the work done on this project and letting
me access my PostGIS features more easily than any other program would!
I appreciate hosting a light CGI for the WFS service, rather than a
heavy Java solution consuming memory permanently.

I have a few bugs to report, which do not seem to appear in the Active
tickets report. I'm using the code of revision 313.

------------
1. Strings not escaped properly in pg queries
    TinyOWS fails to insert features containing a string with a quote!
    wfs_insert_xml() inserts features into the DB through calling
wfs_retrieve_value() to encode the string and enclose it within quotes.
That function should use the PG native escape function rather than
xmlEncodeSpecialChars().

    I saw "#36 Prevent SQL Injections coming from the requets":
indeed, if quotes are not escaped, the SQL injection is very easy to
do. This bug, if confirmed, is a severe and urgent one!


2. First declared namespace applies to all layers in config
    Example (keeping only <layer> elements and only the "server" attribute):
    <tinyows>
        <layer name="layer1" server="http://test.domain.net/"/>
        <layer name="layer2" server="http://other.domain.net/"/>
        <layer name="layer3" server="http://yet.another.domain.net/"/>
    </tinyows>
    Here, all three layers will appear to be in schema
"http://test.domain.net/".
    I noticed that by using test/unit_test with OWS_DEBUG=1 to
understand why "xml isn't valid". Reading in the XML parser messages
what fully-qualified element names it expects, I understood that it
expected <http://test.domain.net/:layer2> and not
<http://other.domain.net/:layer2>. I changed things around to check,
and it seems that the first declared layer imposes its namespace to
all others.


3. $TINYOWS_CONFIG_FILE confused with /usr/local/...'s
    This way of setting the config path is just the perfect way. With
a SetEnv directive in the Apache virtual host, it's easy for each
website to have its own tinyows.xml. That's what I do and I needed
it.
    But I got a strange behaviour: the layers in the
$TINYOWS_CONFIG_FILE file which are not also declared in the site
config file were not taken into account. `tinyows --check` is OK
though, but schema validation for Insert requests seems to read the
other file. The DescribeFeatureType request is OK though. And
unit/unit_test also seems to ignore the env variable for an Insert
request.
    I haven't yet checked the code for possible duplicate code related
to config file loading.
------------

That's all for now!

I'm sending this to the dev ML as I have no right to post them to the
trac. How should I report them in the future?

I can try to fix these issues in the code, but I need some basic
explanations about how things are managed related to these issues.


Thanks again!

Okapi


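The escaping mismatch described in bug 1, as an added example (this is not TinyOWS code and not the author's patch). It contrasts the two encoders named in the report: XML entity encoding, as libxml2's xmlEncodeSpecialChars() does, and SQL literal escaping, as libpq's PQescapeStringConn()/PQescapeLiteral() do. Both encoders here are stand-ins written for this example so it runs without libxml2 or libpq; the table/column names and the injection payload are constructed. A small scanner then counts statement terminators that fall outside single-quoted literals, which is the check a reviewer can run on the generated SQL to see whether the value stayed inside its literal.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not TinyOWS code.  The two encoders below are stand-ins for
 * libxml2's xmlEncodeSpecialChars() and libpq's PQescapeStringConn(); real
 * code should call libpq (or pass values out-of-band with PQexecParams). */

/* XML entity encoding of &, <, >, ".  The single quote is left untouched,
 * which is exactly why this cannot protect an SQL string literal. */
static char *xml_encode(const char *in)
{
    char *out = malloc(strlen(in) * 6 + 1);   /* worst case: every char -> &quot; */
    char *p = out;
    if (!out) return NULL;
    for (; *in; in++) {
        switch (*in) {
        case '&':  p += sprintf(p, "&amp;");  break;
        case '<':  p += sprintf(p, "&lt;");   break;
        case '>':  p += sprintf(p, "&gt;");   break;
        case '"':  p += sprintf(p, "&quot;"); break;
        default:   *p++ = *in;                break;
        }
    }
    *p = '\0';
    return out;
}

/* SQL literal escaping: double every single quote.  (libpq's connection-aware
 * PQescapeStringConn also handles backslashes when the server runs with
 * standard_conforming_strings off; a hand-rolled version cannot know that.) */
static char *sql_escape(const char *in)
{
    char *out = malloc(strlen(in) * 2 + 1);
    char *p = out;
    if (!out) return NULL;
    for (; *in; in++) {
        if (*in == '\'') *p++ = '\'';
        *p++ = *in;
    }
    *p = '\0';
    return out;
}

/* Build the kind of statement an insert path ends up issuing: the value is
 * run through the supplied encoder and then enclosed in single quotes. */
static char *build_insert(const char *table, const char *column,
                          const char *value, char *(*enc)(const char *))
{
    char *v = enc(value);
    char *sql = malloc(strlen(table) + strlen(column) + strlen(v) + 40);
    if (sql) sprintf(sql, "INSERT INTO %s (%s) VALUES ('%s');", table, column, v);
    free(v);
    return sql;
}

/* Count ';' outside single-quoted literals, treating '' inside a literal as an
 * escaped quote.  One correctly built INSERT has exactly one; more than one
 * means the value broke out of its literal and appended a statement. */
static int top_level_terminators(const char *sql)
{
    int in_lit = 0, count = 0;
    for (const char *c = sql; *c; c++) {
        if (*c == '\'') {
            if (in_lit && c[1] == '\'') { c++; continue; }  /* doubled quote */
            in_lit = !in_lit;
        } else if (*c == ';' && !in_lit) {
            count++;
        }
    }
    return count;
}

int main(void)
{
    const char *payload = "x'); DROP TABLE geom; --";   /* constructed input */
    char *bad  = build_insert("roads", "name", payload, xml_encode);
    char *good = build_insert("roads", "name", payload, sql_escape);
    printf("%s\n  top-level ';' = %d\n", bad,  top_level_terminators(bad));
    printf("%s\n  top-level ';' = %d\n", good, top_level_terminators(good));
    free(bad);
    free(good);
    return 0;
}
```

With the XML encoder the payload yields two top-level terminators (the INSERT closes early and a DROP follows); with SQL escaping the whole payload stays inside one literal. Escaping is the minimal fix; passing values as parameters with PQexecParams() removes the string-building step altogether.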