#2252: wxGUI vector digitizer passing unescaped text to database
--------------------------------------------------------------+-------------------------
 Reporter:  marisn                                             |      Owner:  grass-dev@…
     Type:  defect                                             |     Status:  new
 Priority:  blocker                                            |  Milestone:  7.0.0
Component:  wxGUI                                              |    Version:  svn-trunk
 Keywords:  security, code injection, SQL injection,           |   Platform:  Unspecified
            data loss, v.db.update                             |
      Cpu:  Unspecified                                        |
--------------------------------------------------------------+-------------------------
Changes (by wenzeslaus):
* keywords: => security, code injection, SQL injection, data loss, v.db.update
Comment:
I don't know (and a quick look into the source code hasn't told me) what is
used in the digitizer as a backend. Library, Python SQLite API or modules?
I've tried `v.db.update` with the map `bridges` copied from `PERMANENT`, and
this was OK:
{{{
v.db.update map=bridges column=LOCATION value="; drop database important_data;" where=cat=1
}}}
The string "; drop database important_data;" was saved to the database.
But this:
{{{
v.db.update map=bridges column=LOCATION value="'; drop database important_data; SELECT 1='1" where=cat=1
}}}
removed all the values from the column `LOCATION`. I'm not getting any
error messages.
--
Ticket URL: <http://trac.osgeo.org/grass/ticket/2252#comment:1>
GRASS GIS <http://grass.osgeo.org>
_______________________________________________
grass-dev mailing list
[email protected]
http://lists.osgeo.org/mailman/listinfo/grass-dev
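The two outcomes reported in the comment above can be reproduced outside GRASS. The following is an added illustration, not code from GRASS or from the ticket: it assumes the value reaches the database through an SQL statement built by string concatenation over Python's `sqlite3` module (the comment itself does not say which backend the digitizer uses), and the `bridges` table with a `cat` key and a `LOCATION` column is a constructed stand-in with invented rows. The first value only contains `;`, so it stays inside the quoted literal and is stored verbatim. The second value closes the literal with `'`, which turns the rest into further statements: the first of them is an `UPDATE` with no `WHERE` clause, so every `LOCATION` is overwritten before the unsupported `drop database` statement fails. The parameterised `update_safe` stores the same string as plain data.

```python
import sqlite3

# Constructed stand-in for the attribute table of the `bridges` map
# (rows invented for this illustration, not GRASS data).
ROWS = [(1, "Main St"), (2, "River Rd"), (3, "Old Mill")]

# The two values from the ticket comment, exactly as given there.
PAYLOAD_HARMLESS = "; drop database important_data;"
PAYLOAD_INJECT = "'; drop database important_data; SELECT 1='1"


def make_db():
    """Fresh in-memory SQLite database with the sample table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE bridges (cat INTEGER PRIMARY KEY, LOCATION TEXT)")
    con.executemany("INSERT INTO bridges VALUES (?, ?)", ROWS)
    con.commit()
    return con


def locations(con):
    """Current LOCATION values, ordered by cat."""
    return [r[0] for r in con.execute("SELECT LOCATION FROM bridges ORDER BY cat")]


def update_unsafe(con, column, value, where):
    """Hypothetical reconstruction of the defect: the user-supplied value is
    pasted straight into the SQL text, and the whole text is handed to the
    database as a script, so a quote in the value can end the literal and
    start new statements.  Returns (sql, error message or None)."""
    sql = "UPDATE bridges SET %s = '%s' WHERE %s" % (column, value, where)
    try:
        con.executescript(sql)  # executes every ';'-separated statement in turn
    except sqlite3.Error as err:
        # SQLite has no DROP DATABASE, so the injected second statement fails,
        # but the first statement (an UPDATE with no WHERE) has already run and
        # been committed in autocommit mode.
        return sql, str(err)
    return sql, None


def update_safe(con, column, value, cat):
    """Hardened form: the value and the cat are bound as parameters, so quotes
    in `value` are data rather than syntax; the column name, which cannot be
    bound, is checked against the table schema before being quoted as an
    identifier."""
    known = [row[1] for row in con.execute("PRAGMA table_info(bridges)")]
    if column not in known:
        raise ValueError("no such column: %r" % (column,))
    con.execute('UPDATE bridges SET "%s" = ? WHERE cat = ?' % column, (value, cat))
    con.commit()


if __name__ == "__main__":
    con = make_db()
    print(update_unsafe(con, "LOCATION", PAYLOAD_HARMLESS, "cat=1"))
    print(locations(con))      # payload stored as a string in cat=1 only
    con = make_db()
    print(update_unsafe(con, "LOCATION", PAYLOAD_INJECT, "cat=1"))
    print(locations(con))      # every LOCATION now empty, plus a late error
    con = make_db()
    update_safe(con, "LOCATION", PAYLOAD_INJECT, 1)
    print(locations(con))      # payload stored verbatim in cat=1 only
```

The column name is the one part a placeholder cannot protect; whitelisting it against `PRAGMA table_info` is the assumption made here, and any real fix in GRASS would have to do the equivalent for whichever driver the digitizer ends up calling.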