[TinyOWS-dev] A few bug reports...
Olivier Courtin
olivier.courtin at oslandia.com
Thu Sep 30 15:31:12 EST 2010
On Sep 28, 2010, at 11:23 PM, Okapi wrote:
Hi,
> First of all, thanks for all the work done on this project and letting
> me access my PostGIS features more easily than any other program would
> do!
> I appreciate hosting a light CGI for the WFS service, rather than a
> heavy Java solution consuming memory permanently.
Thanks :)
>
> I have a few bugs to report, which do not seem to appear in the Active
> tickets report. I'm using the code of revision 313.
>
> ------------
> 1. Strings not escaped properly in pg queries
> TinyOWS fails to insert features containing a string with a quote!
> wfs_insert_xml() inserts features into the DB by calling
> wfs_retrieve_value() to encode the string and enclose it within quotes.
> That function should use the PG native escape function rather than
> xmlEncodeSpecialChars().
>
> I saw "#36 Prevent SQL Injections coming from the requests":
> indeed, if quotes are not escaped, the SQL injection is very easy to
> do. This bug, if confirmed, is a severe and urgent one!
Ok, I agree this one is now becoming the priority!
Had to check also the update operation and filter encoding strings.
> 2. First declared namespace applies to all layers in config
> Example (keeping only <layer> elements and only the "server"
> attribute):
> <tinyows>
> <layer name="layer1" server="http://test.domain.net/"/>
> <layer name="layer2" server="http://other.domain.net/"/>
> <layer name="layer3" server="http://yet.another.domain.net/"/>
> </tinyows>
> Here, all three layers will appear to be in schema
> "http://test.domain.net/".
> I noticed that by using test/unit_test with OWS_DEBUG=1 to
> understand why "xml isn't valid". Reading in the XML parser messages
> what fully-qualified element names it expects, I understood that it
> expected <http://test.domain.net/:layer2> and not
> <http://other.domain.net/:layer2>. I changed things around to check,
> and it seems that the first declared layer imposes its namespace to
> all others.
>
Ok,
>
> 3. $TINYOWS_CONFIG_FILE confused with /usr/local/...'s
> This way of setting the config path is just perfect. With
> a SetEnv directive in the Apache virtual host, it's easy for each
> website to have its own tinyows.xml. That's what I do and I needed
> it.
> But I got a strange behaviour: the layers in the
> $TINYOWS_CONFIG_FILE file which are not also declared in the site
> config file were not taken into account. `tinyows --check` is OK
> though, but schema validation for Insert requests seems to read the
> other file. The DescribeFeatureType request is OK though. And
> unit/unit_test seems also to ignore the env variable for an Insert
> request.
> I haven't yet checked the code for possible duplicate code related
> to config file loading.
Strange indeed, as config file access is centralized and performed so
early in the process.
> ------------
>
> That's all for now!
Thanks for all these detailed reports!
>
> I'm sending this to the dev ML as I have no right to post them to the
> trac. How should I report them in the future?
You just have to create a new account on trac,
and then log in with it to be able to create a new ticket
(or to write on the wiki).
> I can try to fix these issues in the code, but I need some basic
> explanations about how things are managed related to these issues.
You're welcome!
I can provide explanations to help you on this.
Don't hesitate to send patches.
(Will not have time before tomorrow evening to look at the first one.)
--
Olivier
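As an added illustration of the first report (this is example code written for this page, not TinyOWS code and not from either correspondent): quote_xml_style() is an assumed stand-in for what wrapping the output of xmlEncodeSpecialChars() in single quotes produces, quote_pg_style() is a minimal PostgreSQL-literal escaper, and literal_consumes_all() is a tiny model of how the PostgreSQL lexer ends a quoted literal. The sample attribute value and the table name "layer" are constructed for the demonstration. Real code should call libpq's PQescapeLiteral() or PQescapeStringConn(), which also take the connection encoding into account.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed stand-in for libxml2's xmlEncodeSpecialChars(): it rewrites the
   XML-significant characters < > & " but leaves the single quote alone,
   because ' is not special in XML text.  Wrapping that output in '...'
   therefore does not produce a safe SQL literal. */
static char *quote_xml_style(const char *in)
{
    size_t cap = strlen(in) * 6 + 3;   /* worst case: every char -> &quot; */
    char *out = malloc(cap), *p = out;
    *p++ = '\'';
    for (; *in; in++) {
        switch (*in) {
        case '<':  p += sprintf(p, "&lt;");   break;
        case '>':  p += sprintf(p, "&gt;");   break;
        case '&':  p += sprintf(p, "&amp;");  break;
        case '"':  p += sprintf(p, "&quot;"); break;
        default:   *p++ = *in;                break;
        }
    }
    *p++ = '\'';
    *p = '\0';
    return out;
}

/* PostgreSQL-style literal: emit an E'...' string and double every single
   quote and every backslash.  E'' strings treat backslash as an escape
   regardless of standard_conforming_strings, so the result is correct on
   old and new servers alike.  Hypothetical minimal escaper: production
   code should use PQescapeLiteral() / PQescapeStringConn() from libpq. */
static char *quote_pg_style(const char *in)
{
    size_t cap = strlen(in) * 2 + 4;   /* worst case: every char doubled */
    char *out = malloc(cap), *p = out;
    *p++ = 'E';
    *p++ = '\'';
    for (; *in; in++) {
        if (*in == '\'')      { *p++ = '\''; *p++ = '\''; }
        else if (*in == '\\') { *p++ = '\\'; *p++ = '\\'; }
        else                  { *p++ = *in; }
    }
    *p++ = '\'';
    *p = '\0';
    return out;
}

/* Tiny model of how the PostgreSQL lexer consumes a quoted literal.
   Returns 1 if the literal that starts at sql[0] extends to the very end
   of the string, 0 if the lexer closes it earlier: whatever follows is
   then parsed as SQL, which is exactly what an injection relies on. */
static int literal_consumes_all(const char *sql)
{
    int escapes = 0;                     /* E'...' form: backslash escapes */
    const char *p = sql;
    if (*p == 'E') { escapes = 1; p++; }
    if (*p != '\'') return 0;
    p++;
    while (*p) {
        if (escapes && *p == '\\' && p[1]) { p += 2; continue; }
        if (*p == '\'') {
            if (p[1] == '\'') { p += 2; continue; }   /* doubled quote */
            return p[1] == '\0';                      /* closing quote */
        }
        p++;
    }
    return 0;                            /* unterminated literal */
}

int main(void)
{
    /* Constructed attacker-controlled feature attribute from a WFS Insert. */
    const char *value = "O'Reilly'); DROP TABLE layer; --";
    char *xml = quote_xml_style(value);
    char *pg  = quote_pg_style(value);
    printf("xml-style: INSERT INTO layer (name) VALUES (%s)  -> %s\n",
           xml, literal_consumes_all(xml) ? "intact" : "BREAKS OUT OF LITERAL");
    printf("pg-style : INSERT INTO layer (name) VALUES (%s)  -> %s\n",
           pg, literal_consumes_all(pg) ? "intact" : "BREAKS OUT OF LITERAL");
    free(xml);
    free(pg);
    return 0;
}
```

A second, quieter defect of the XML-style path also shows here: a value containing `<` or `&` is stored in the database as `&lt;` or `&amp;`, so the data is altered even when no injection is attempted. Using real query parameters (PQexecParams) avoids both problems at once.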