Dear Ian, dear Andrea,
Thank you both for merging this fix so promptly. Is there the
possibility of backporting to 29.x? I've tested this on our GeoServer
2.23.1 and I think it is pretty straightforward.
Cheers,
Mike
On 14/06/2023 10:38, Andrea Aime wrote:
The layer names are vetted against the list of available feature types in
the store,
before being used, so sql injection, at least in GeoServer, should not be
possible (fingers crossed).
Mind, the PR should address the main branch first, which might contain
slightly different SQL
than the one you'r
We always welcome PRs for open issues. This sounds as if there is a general
potential for SQL injection in the layer names that we should be protecting
against,
Ian
On Wed, 14 Jun 2023 at 10:09, Mike Bryant via GeoTools-Devel <
geotools-devel@lists.sourceforge.net> wrote:
> Dear all,
>
> https:/
Dear all,
https://osgeo-org.atlassian.net/browse/GEOT-6266
I've recently run into GEOT-6266 attempting to use the GeoPackage export
plugin with GeoServer 2.23.1, since some of our layer names contain hyphens.
Looking at the relevant code in GeoPackage.java this could be resolved
by quoting t
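
The two measures discussed in this thread, quoting the table name and vetting it against the names that actually exist, shown as an added example that is not part of the original messages and is not GeoTools code. It uses Python's `sqlite3` because a GeoPackage is a SQLite database; the function names and the `road-network` table are assumptions made for illustration, and the sample data is constructed.

```python
import sqlite3


def quote_identifier(name: str) -> str:
    """Quote a SQLite identifier: wrap in double quotes, double embedded quotes."""
    if "\x00" in name:
        raise ValueError("NUL byte in identifier")
    return '"' + name.replace('"', '""') + '"'


def known_tables(conn: sqlite3.Connection) -> set:
    """Names of the tables that exist in the database (the allow-list)."""
    rows = conn.execute("SELECT name FROM sqlite_master WHERE type = 'table'")
    return {row[0] for row in rows}


def count_rows(conn: sqlite3.Connection, layer: str) -> int:
    """Count rows in `layer`: vet the name first, then quote it in the SQL."""
    if layer not in known_tables(conn):
        raise LookupError(f"unknown layer: {layer!r}")
    sql = "SELECT COUNT(*) FROM " + quote_identifier(layer)
    return conn.execute(sql).fetchone()[0]


def build_sample_db() -> sqlite3.Connection:
    """Constructed sample data: one table whose name contains a hyphen."""
    conn = sqlite3.connect(":memory:")
    conn.execute('CREATE TABLE "road-network" (id INTEGER PRIMARY KEY, name TEXT)')
    conn.executemany('INSERT INTO "road-network" (name) VALUES (?)',
                     [("A1",), ("B2",)])
    return conn


def unquoted_fails(conn: sqlite3.Connection, layer: str) -> bool:
    """True if splicing the raw, unquoted name into the SQL raises an error."""
    try:
        conn.execute("SELECT COUNT(*) FROM " + layer)
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    db = build_sample_db()
    print("unquoted hyphenated name fails:", unquoted_fails(db, "road-network"))
    print("vetted and quoted row count:", count_rows(db, "road-network"))
```

Quoting alone makes hyphenated names work; the allow-list check is what rejects a name that does not correspond to an existing table before any SQL is built.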