[TinyOWS-dev] A few bug reports...

Olivier Courtin olivier.courtin at oslandia.com
Thu Sep 30 15:31:12 EST 2010

On Sep 28, 2010, at 11:23 PM, Okapi wrote:


> First of all, thanks for all the work done on this project and letting
> me access my PostGIS features more easily that any other program would
> do!
> I appreciate hosting a light CGI for the WFS service, rather than a
> heavy Java solution consuming memory permanently.

Thanks :)

> I have a few bugs to report, which do not seem to appear in the Active
> tickets report. I'm using the code of revision 313.
> ------------
> 1. Strings not escaped properly in pg queries
>   TinyOWS fails to insert features containing a string with a quote!
>   wfs_insert_xml() inserts features into the DB through calling
> wfs_retrieve_value() to encode the string and enclose it within quotes.
> That function should use the PG native escape function rather than
> xmlEncodeSpecialChars().
>   I saw "#36 Prevent SQL Injections coming from the requets":
> indeed, if quotes are not escaped, the SQL injection is very easy to
> do. This bug, if confirmed, is a severe and urgent one!

Ok, I agree this one is now becoming the priority!
Also have to check the update operation and the filter encoding strings.

> 2. First declared namespace applies to all layers in config
>   Example (keeping only <layer> elements and only the "server"
> attribute):
>   <tinyows>
>       <layer name="layer1" server="http://test.domain.net/"/>
>       <layer name="layer2" server="http://other.domain.net/"/>
>       <layer name="layer3" server="http://yet.another.domain.net/"/>
>   </tinyows>
>   Here, all three layers will appear to be in schema
> "http://test.domain.net/".
>   I noticed that by using test/unit_test with OWS_DEBUG=1 to
> understand why "xml isn't valid". Reading in the XML parser messages
> what fully-qualified element names it expects, I understood that it
> expected <http://test.domain.net/:layer2> and not
> <http://other.domain.net/:layer2>. I changed things around to check,
> and it seems that the first declared layer imposes its namespace to
> all others.


> 3. $TINYOWS_CONFIG_FILE confused with /usr/local/...'s
>   This way of setting the config path is just the perfect way. With
> a SetEnv directive in the Apache virtual host, it's easy for each
> website to have its own tinyows.xml. That's what I do and I needed
> it.
>   But I got a strange behaviour: the layers in the
> $TINYOWS_CONFIG_FILE file which are not also declared in the site
> config file were not taken into account. `tinyows --check` is OK
> though, but schema validation for Insert requests seems to read the
> other file. The DescribeFeatureType request is OK though. And
> unit/unit_test seems also to ignore the env variable for an Insert
> request.
>   I haven't yet checked the code for possible duplicate code related
> to config file loading.

Strange indeed, as config file access is centralized and performed so
early in the process.

> ------------
> That's all for now!

Thanks for all these detailed reports!

> I'm sending this to the dev ML as I have no right to post them to the
> trac. How should I report them in the future?

You just have to create a new account on trac,
and then log in with it to be able to create a new ticket
(or to write on the wiki).

> I can try to fix these issues in the code, but I need some basic
> explanations about how things are managed related to these issues.

You're welcome!
I can provide explanations to help you with this.

Don't hesitate to send patches.

(Will not have time before tomorrow evening to look at the first one.)
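The first bug in the report turns on the difference between XML entity encoding and SQL literal quoting. The C program below is an added illustration written for this archive page; it is not TinyOWS code and does not reproduce wfs_retrieve_value(). The functions xml_encode_like(), wrap_in_quotes(), pg_quote_literal() and literal_is_well_formed() are hypothetical stand-ins: the first mimics what libxml2's xmlEncodeSpecialChars() does to a string (it rewrites `& < > "` and CR as entities and leaves the single quote alone), the third does what PostgreSQL expects under standard_conforming_strings (double every interior quote), and the last checks whether the server's lexer would read the result as exactly one string literal. The real fix in a libpq program is PQescapeStringConn()/PQescapeLiteral() with the live connection, or PQexecParams() with $1 placeholders, so that server encoding and backslash settings are honoured; the local re-implementation only lets the example run without a database.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical re-implementation (not libxml2's code) of what
 * xmlEncodeSpecialChars() does: XML-significant characters become
 * entities, the single quote passes through untouched. */
char *xml_encode_like(const char *in)
{
    size_t cap = strlen(in) * 6 + 1;        /* worst case: every char -> "&quot;" */
    char *out = malloc(cap);
    char *p = out;
    if (!out) return NULL;
    for (; *in; in++) {
        switch (*in) {
        case '&':  p += sprintf(p, "&amp;");  break;
        case '<':  p += sprintf(p, "&lt;");   break;
        case '>':  p += sprintf(p, "&gt;");   break;
        case '"':  p += sprintf(p, "&quot;"); break;
        case '\r': p += sprintf(p, "&#13;");  break;
        default:   *p++ = *in;                break;
        }
    }
    *p = '\0';
    return out;
}

/* The step the report describes: quotes go around the encoded value,
 * but nothing inside has been made safe for SQL. */
char *wrap_in_quotes(const char *in)
{
    size_t n = strlen(in);
    char *out = malloc(n + 3);
    if (!out) return NULL;
    out[0] = '\'';
    memcpy(out + 1, in, n);
    out[n + 1] = '\'';
    out[n + 2] = '\0';
    return out;
}

/* SQL literal quoting as PostgreSQL reads it with standard_conforming_strings
 * on: wrap in single quotes and double every interior single quote.  Real
 * code should call PQescapeStringConn()/PQescapeLiteral() or use
 * PQexecParams(); this stand-in exists so the example runs offline. */
char *pg_quote_literal(const char *in)
{
    size_t cap = strlen(in) * 2 + 3;        /* every char may double, plus quotes */
    char *out = malloc(cap);
    char *p = out;
    if (!out) return NULL;
    *p++ = '\'';
    for (; *in; in++) {
        if (*in == '\'')
            *p++ = '\'';                    /*  '  becomes  ''  */
        *p++ = *in;
    }
    *p++ = '\'';
    *p = '\0';
    return out;
}

/* Returns 1 if the SQL lexer would read `lit` as exactly one string literal:
 * it starts and ends with a quote and every quote in between is one half of
 * a doubled pair.  Returns 0 when part of the value has spilled out of the
 * literal and would be parsed as SQL. */
int literal_is_well_formed(const char *lit)
{
    size_t n = strlen(lit);
    if (n < 2 || lit[0] != '\'' || lit[n - 1] != '\'') return 0;
    for (size_t i = 1; i < n - 1; i++) {
        if (lit[i] == '\'') {
            if (i + 1 >= n - 1 || lit[i + 1] != '\'') return 0;
            i++;                            /* skip the second half of the pair */
        }
    }
    return 1;
}

int main(void)
{
    const char *value = "O'Brien";          /* constructed sample attribute value */
    char *encoded = xml_encode_like(value);
    char *broken  = wrap_in_quotes(encoded);
    char *fixed   = pg_quote_literal(value);
    printf("xml-encoded then quoted: %s  well-formed=%d\n",
           broken, literal_is_well_formed(broken));
    printf("pg-quoted:               %s  well-formed=%d\n",
           fixed, literal_is_well_formed(fixed));
    free(encoded); free(broken); free(fixed);
    return 0;
}
```

The run shows the two failure modes at once: the XML-encoded path produces `'O'Brien'`, which the lexer closes after the `O`, while the quote-doubled path produces `'O''Brien'`, a single literal. XML encoding also alters stored data (an `&` in a feature attribute would be written to the table as `&amp;`), so replacing it with proper SQL quoting fixes a correctness problem as well as the injection one.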

