Hi Andrea,

    I'd like to propose an enhancement to SQL views to allow the
    option of SQL escaping a string that has already passed regular
    expression validation before running the SQL.

This sounds like a backwards incompatible change, I believe it should
be a separate flag?

By the way, the regex validation is done in GeoTools as well.

The intention is to add a checkbox to the UI to activate the option. If enabled, all parameters that pass regexp validation will then also be escaped. This lets users pass parameters such as "o'shea" without being able to accidentally shoot themselves in the head if the regexp they are using to allow such strings lets in more than they were expecting. I think by forcing escaping of quotes and backslashes, we eliminate most injection attacks that may have been accidentally enabled by regexps that are too simplistic or lax.

Perhaps this option could be active by default for new layers and disabled on existing ones?

I would be doing this extra step after the validation has been done. Haven't had a good look yet but assumed it would be all in GeoServer, if not then I'll add the corresponding code to GeoTools as well.

Cheers,
Geoff
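Added example (not GeoServer's or GeoTools' code, and not part of the thread above): a small Python model of the two-step scheme Geoff describes, a SQL view template with a substitutable parameter, a validation regexp, and an optional escaping step that doubles single quotes and backslashes after validation. The template, the `%name%` placeholder syntax, the lax regexp and the sample values are constructed for illustration. A literal-counting helper shows the point of the proposal: a regexp permissive enough to admit "o'shea" also admits a value that breaks out of the string literal, and escaping keeps both inside one literal.

```python
import re

# Constructed example (not GeoServer's or GeoTools' code): a SQL view whose
# WHERE clause takes one substitutable parameter, %name%.
SQL_TEMPLATE = "SELECT * FROM people WHERE surname = '%name%'"

# A deliberately lax validation regexp of the kind a user might write so that
# surnames such as o'shea are accepted. It also lets quotes, spaces and '='
# through, which is enough to break out of the literal.
LAX_REGEXP = re.compile(r"^[A-Za-z0-9 '=]+$")


def escape_sql_string(value):
    """Escape a value so it stays inside a single-quoted SQL string literal.

    Single quotes are doubled (standard SQL); backslashes are doubled as well,
    which matters for dialects that treat backslash as an escape character
    inside string literals.
    """
    return value.replace("\\", "\\\\").replace("'", "''")


def expand(template, name, value, regexp, escape):
    """Validate value against regexp, optionally escape it, substitute into template."""
    if not regexp.match(value):
        raise ValueError("parameter %s rejected by validation regexp" % name)
    if escape:
        value = escape_sql_string(value)
    return template.replace("%" + name + "%", value)


def count_string_literals(sql):
    """Count complete single-quoted literals in sql, treating '' as an escaped quote.

    Returns (count, unterminated): unterminated is True when the statement ends
    inside a literal, i.e. the substituted value broke the SQL.
    """
    count = 0
    inside = False
    i = 0
    while i < len(sql):
        ch = sql[i]
        if ch == "'":
            if inside and i + 1 < len(sql) and sql[i + 1] == "'":
                i += 2          # doubled quote inside a literal: still inside
                continue
            if inside:
                count += 1      # closing quote of a complete literal
            inside = not inside
        i += 1
    return count, inside


if __name__ == "__main__":
    # Constructed inputs: a legitimate surname and a value that the lax regexp
    # also accepts but which, unescaped, adds an OR clause to the query.
    for value in ("o'shea", "x' OR 'a'='a"):
        for escape in (False, True):
            sql = expand(SQL_TEMPLATE, "name", value, LAX_REGEXP, escape)
            print("escape=%-5s %s  literals=%s" % (escape, sql, count_string_literals(sql)))
```

Without escaping, "o'shea" leaves the statement with an unterminated literal and the second value yields three literals (the injected `OR 'a'='a'` is now SQL, not data); with escaping, both values produce exactly one literal. The escaping is applied only to parameters that already passed the regexp, matching the order of steps in the proposal.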
_______________________________________________
Geoserver-devel mailing list
Geoserver-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-devel