<br>Assefa,<br><br><div class="gmail_quote"><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"> Sorry for the delay on this one. I committed a 'partial' fix allowing us to<br>
detect if a value passed is numeric (r134)</blockquote><div><br>Ok, thanks for this!<br> </div><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
I was not sure exactly what should be done to prevent any SQL injection, or<br>
even if it has to be done only here. Here is an interesting read about<br>
this: <a href="http://www.securityfocus.com/infocus/1768" target="_blank">http://www.securityfocus.com/infocus/1768</a>.</blockquote><div><br>Yep,<br><br>All the controls and checks should be done for common parameters in ows_request.c.<br>
<br>Filter Encoding is a specific one, as at this stage we can only check that it<br>validates against the FE schema. And we use some of the FE content to build the SQL<br>query. So there's a specific risk there.<br><br></div>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"> Maybe we should close this bug </blockquote><div><br>If the behaviour is Ok for you, just do<br>
</div><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">and open a specific bug on the SQL injection?</blockquote><div><br>Yes, we could. Right now I'm still focused on the OGC WFS unit tests,<br>
but we will need more unit tests to check:<br>- Security aspects<br>- TinyOWS configuration directives<br>- Other output formats than GML<br>- ...<br><br>--<br>Olivier<br></div></div>
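The "is this value numeric" check discussed above is easy to get wrong if it is delegated to strtod(), which happily accepts leading whitespace, hex ("0x1A"), "inf"/"nan" and stops at trailing garbage. The following is an added example of a strict validator written for this thread, not the r134 TinyOWS code; the function name and the sample values are constructed.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Strict check that a request parameter is a plain decimal number:
 * optional sign, digits, optional fraction, optional exponent, nothing else.
 * Unlike strtod(), it rejects leading/trailing whitespace, hex, "inf"/"nan"
 * and any trailing characters, so only a value that is safe to splice into
 * SQL as a numeric literal passes. (Hypothetical helper, not TinyOWS code.) */
bool param_is_numeric(const char *s)
{
    if (s == NULL || *s == '\0')
        return false;

    const char *p = s;
    if (*p == '+' || *p == '-')
        p++;

    size_t digits = 0;
    while (isdigit((unsigned char)*p)) { p++; digits++; }

    if (*p == '.') {                       /* optional fraction */
        p++;
        while (isdigit((unsigned char)*p)) { p++; digits++; }
    }
    if (digits == 0)
        return false;                      /* ".", "-", "+." */

    if (*p == 'e' || *p == 'E') {          /* optional exponent */
        p++;
        if (*p == '+' || *p == '-')
            p++;
        if (!isdigit((unsigned char)*p))
            return false;                  /* "1e", "1e+" */
        while (isdigit((unsigned char)*p)) p++;
    }
    return *p == '\0';                     /* nothing may follow the number */
}

int main(void)
{
    /* Constructed sample parameter values, as they might arrive in a request. */
    const char *samples[] = { "42", "-3.5", "1e10", " 42", "0x1A", "inf", "42abc" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-8s -> %s\n", samples[i],
               param_is_numeric(samples[i]) ? "accepted" : "refused");
    return 0;
}
```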