The layer names are vetted against the list of available feature types in the store, before being used, so SQL injection, at least in GeoServer, should not be possible (fingers crossed).
Mind, the PR should address the main branch first, which might contain slightly different SQL than the one you're seeing being used by GeoServer 2.23.1. Start your work there.

Cheers
Andrea

On Wed, Jun 14, 2023 at 11:29 AM Ian Turton <ijtur...@gmail.com> wrote:

> We always welcome PRs for open issues. This sounds as if there is a
> general potential for SQL injection in the layer names that we should be
> protecting against,
>
> Ian
>
> On Wed, 14 Jun 2023 at 10:09, Mike Bryant via GeoTools-Devel <
> geotools-devel@lists.sourceforge.net> wrote:
>
>> Dear all,
>>
>> https://osgeo-org.atlassian.net/browse/GEOT-6266
>>
>> I've recently run into GEOT-6266 attempting to use the GeoPackage export
>> plugin with GeoServer 2.23.1, since some of our layer names contain
>> hyphens.
>>
>> Looking at the relevant code in GeoPackage.java this could be resolved
>> by quoting the table name in a few SQLite queries, and I'm happy to
>> submit PRs for this if that would be welcome. However, perhaps there are
>> other considerations here I'm not aware of? I guess there's the larger
>> issue of compatibility and best-practices for layer naming but I'm not
>> sure where that is supposed to be enforced.
>>
>> Many thanks,
>> Mike
>>
>> _______________________________________________
>> GeoTools-Devel mailing list
>> GeoTools-Devel@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/geotools-devel
>
> --
> Ian Turton

--
Regards,
Andrea Aime
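An added example (not from the thread and not GeoTools code), in Python with the standard sqlite3 module: it shows a hyphenated table name failing when unquoted, alongside the two measures discussed in the thread, quoting the table name and vetting it against the known tables. The function names, the sample layer names and the use of sqlite_master as the layer list are assumptions of this example.

```python
import sqlite3

def quote_identifier(name: str) -> str:
    """Return name as a double-quoted SQLite identifier, doubling embedded quotes."""
    if not name or "\x00" in name:
        raise ValueError("empty or NUL-containing identifier")
    return '"' + name.replace('"', '""') + '"'

def known_layers(conn) -> set:
    # Stand-in for the store's list of feature types (assumption of this example).
    rows = conn.execute("SELECT name FROM sqlite_master WHERE type = 'table'")
    return {row[0] for row in rows}

def count_features(conn, layer: str) -> int:
    """Vet the layer name against the known tables, then query it quoted."""
    if layer not in known_layers(conn):
        raise LookupError(f"unknown layer: {layer!r}")
    sql = f"SELECT COUNT(*) FROM {quote_identifier(layer)}"
    return conn.execute(sql).fetchone()[0]

def unquoted_query_fails(conn, layer: str) -> bool:
    """Reproduce the failure mode: a hyphen in a bare table name is a syntax error."""
    try:
        conn.execute(f"SELECT COUNT(*) FROM {layer}")
    except sqlite3.OperationalError:
        return True
    return False

def demo() -> dict:
    conn = sqlite3.connect(":memory:")
    for name in ("roads-2023", 'odd"name'):  # constructed sample layer names
        conn.execute(f"CREATE TABLE {quote_identifier(name)} (id INTEGER PRIMARY KEY)")
        conn.execute(f"INSERT INTO {quote_identifier(name)} DEFAULT VALUES")
    try:
        count_features(conn, "not-a-layer")  # name absent from the layer list
        rejected = False
    except LookupError:
        rejected = True
    return {
        "hyphen_unquoted_fails": unquoted_query_fails(conn, "roads-2023"),
        "hyphen_quoted_count": count_features(conn, "roads-2023"),
        "embedded_quote_count": count_features(conn, 'odd"name'),
        "unknown_rejected": rejected,
    }

if __name__ == "__main__":
    print(demo())
```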