[Geoserver-devel] [jira] (GEOS-5792) Enhancement to sql views - basic SQL parameter escaping

Geoff Williams created Improvement GEOS-5792
Enhancement to sql views - basic SQL parameter escaping

Issue Type:

Improvement

Assignee:

Andrea Aime

Components:

UI

Created:

28/Apr/13 10:56 PM

Description:

I’ve coded an enhancement to the SQL views system that allows supplied parameters to be escaped to prevent injection attacks caused by breaking out of quotes and/or supplying other special characters.

This is really useful when you want to allow quotes in parameters and/or avoid specifying each special character to allow in the validation regexp. Doing so in the current system could easily allow in more than the user intends and potentially allow SQL injection.

This feature adds the following behaviour (in GeoTools):

  1. Double all single and double quotes to prevent injection attacks
  2. Strip all backslashes from the input to prevent control characters being used

To enable SQL escaping on existing sql views:
Tick “Escape special SQL characters” on the edit sql view page and save your changes.

To enable SQL escaping on new sql views:
The above checkbox is enabled by default for new layers. Uncheck the option if you don’t want to use it.

Note:
This fix works nicely for escaping individual small parameters, e.g. something like:

    WHERE
    surname = '%surname%'

If you are passing large amounts of SQL such as whole WHERE clauses (you really shouldn’t be doing this…) then you will likely find that this feature breaks your SQL view by escaping too many quotes – but you’re not doing things like this anyway, are you?

See pull requests:
https://github.com/geoserver/geoserver/pull/221
https://github.com/geotools/geotools/pull/186

Environment:

all

Fix Versions:

2.4-beta

Project:

GeoServer

Priority:

Minor

Reporter:

Geoff Williams
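The two escaping rules from the description (double every single and double quote, strip every backslash) modelled in Python, as an added example that is not code from the GeoTools or GeoServer pull requests. The `%name%` placeholder syntax is taken from the issue text; the template, the hostile value and the `literal_count` check are constructed here to show why the escaped value stays inside its quotes and why a whole WHERE clause passed as a parameter breaks.

```python
import re

# Placeholder syntax of GeoServer SQL views as shown in the issue: %name%
PLACEHOLDER = re.compile(r"%(\w+)%")
# One SQL string literal, allowing the doubled-quote escape inside it
STRING_LITERAL = re.compile(r"'(?:[^']|'')*'")


def escape_sql_param(value: str) -> str:
    """Apply the two rules the issue lists to one parameter value:
    strip every backslash, then double every single and double quote."""
    value = value.replace("\\", "")
    return value.replace("'", "''").replace('"', '""')


def expand_view(template: str, params: dict, escape: bool = True) -> str:
    """Substitute %name% placeholders the way a SQL view does. With
    escape=True each value passes through escape_sql_param first (the new
    checkbox); with escape=False it is pasted in verbatim (old behaviour)."""
    def substitute(match: re.Match) -> str:
        raw = params[match.group(1)]
        return escape_sql_param(raw) if escape else raw
    return PLACEHOLDER.sub(substitute, template)


def literal_count(sql: str) -> int:
    """Number of string literals in the expanded SQL. A template with one
    quoted placeholder must still contain exactly one literal afterwards;
    more than one means the value broke out of its quotes."""
    return len(STRING_LITERAL.findall(sql))


TEMPLATE = "SELECT * FROM people WHERE surname = '%surname%'"
INJECTION = "x' OR '1'='1"  # constructed hostile parameter value

if __name__ == "__main__":
    for esc in (False, True):
        sql = expand_view(TEMPLATE, {"surname": INJECTION}, escape=esc)
        print(f"escape={esc}: {sql}  -> {literal_count(sql)} literal(s)")
    # The caveat from the note: a whole WHERE clause supplied as a parameter
    # gets its quotes doubled too and is no longer valid SQL.
    clause = expand_view("SELECT * FROM people WHERE %clause%",
                         {"clause": "surname = 'Smith'"})
    print("whole clause escaped:", clause)
```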
