[TinyOWS-dev] A few bug reports...

Okapi okapi at lapatate.org
Tue Sep 28 16:23:56 EST 2010


First of all, thanks for all the work done on this project and letting
me access my PostGIS features more easily than any other program would.
I appreciate hosting a light CGI for the WFS service, rather than a
heavy Java solution consuming memory permanently.

I have a few bugs to report, which do not seem to appear in the Active
tickets report. I'm using the code of revision 313.

1. Strings not escaped properly in pg queries
    TinyOWS fails to insert features containing a string with a quote!
    wfs_insert_xml() inserts features into the DB through calling
wfs_retrieve_value() to encode the string and enclose it within quotes.
That function should use the PG native escape function rather than

    I saw "#36 Prevent SQL Injections coming from the requests":
indeed, if quotes are not escaped, the SQL injection is very easy to
do. This bug, if confirmed, is a severe and urgent one!

2. First declared namespace applies to all layers in config
    Example (keeping only <layer> elements and only the "server" attribute):
        <layer name="layer1" server="http://test.domain.net/"/>
        <layer name="layer2" server="http://other.domain.net/"/>
        <layer name="layer3" server="http://yet.another.domain.net/"/>
    Here, all three layers will appear to be in schema
    I noticed that by using test/unit_test with OWS_DEBUG=1 to
understand why "xml isn't valid". Reading in the XML parser messages
what fully-qualified element names it expects, I understood that it
expected <http://test.domain.net/:layer2> and not
<http://other.domain.net/:layer2>. I changed things around to check,
and it seems that the first declared layer imposes its namespace to
all others.

3. $TINYOWS_CONFIG_FILE confused with /usr/local/...'s
    This way of setting the config path is just the perfect way. With
a SetEnv directive in the Apache virtual host, it's easy for each
website to have its own tinyows.xml. That's what I do and I needed
    But I got a strange behaviour: the layers in the
$TINYOWS_CONFIG_FILE file which are not also declared in the site
config file were not taken into account. `tinyows --check` is OK
though, but schema validation for Insert requests seems to read the
other file. The DescribeFeatureType request is OK though. And
unit/unit_test seems also to ignore the env variable for an Insert
    I haven't yet checked the code for possible duplicate code related
to config file loading.

That's all for now!

I'm sending this to the dev ML as I have no right to post them to the
trac. How should I report them in the future?

I can try to fix these issues in the code, but I need some basic
explanations about how things are managed related to these issues.

Thanks again!
