GeoServer

Attributes containing apostrophes fail on insert/update using WFS-T

Details

  • Type: Bug Bug
  • Status: Closed Closed
  • Priority: Major Major
  • Resolution: Fixed
  • Affects Version/s: 1.6.3
  • Fix Version/s: 1.6.4, 1.7.0-beta1
  • Component/s: WFS
  • Labels:
    None
  • Environment:
    Geoserver 1.6.3 WAR in tomcat on linux. Java 6.
  • Number of attachments :
    0

Description


Updating/inserting a record via WFS-T fails if a field contains content with an apostrophe. Details to follow.

Activity

Ascending order - Click to sort in descending order
Hide
Permalink
Amos Hayes added a comment -

This looks like it is actually a security problem.

Strings that contain apostrophes are being passed to our PostGIS datastore as SQL without escaping properly. This opens the door for SQL injection attacks.

Show
Amos Hayes added a comment - This looks like it is actually a security problem. Strings that contain apostrophes are being passed to our PostGIS datastore as SQL without escaping properly. This opens the door for SQL injection attacks.
Hide
Permalink
Amos Hayes added a comment -

After talking with Andrea, this looks like a know issue in http://jira.codehaus.org/browse/GEOS-597

Show
Amos Hayes added a comment - After talking with Andrea, this looks like a know issue in http://jira.codehaus.org/browse/GEOS-597
Hide
Permalink
Gabriel Roldán added a comment -

Hi Amos, this should be fixed as per what property values escaping and injection through values concerns. Getting rid completely from the possibility of injection is a wider issue that comprises unrolling filters to prep statements. I'm going to tackle it asap though.

Show
Gabriel Roldán added a comment - Hi Amos, this should be fixed as per what property values escaping and injection through values concerns. Getting rid completely from the possibility of injection is a wider issue that comprises unrolling filters to prep statements. I'm going to tackle it asap though.
Hide
Permalink
Amos Hayes added a comment -

Here are some more details from JP.

You will find below the WFS-T trace obtained from Wireshark when our server (using geotools) performs a request to geoserver-1.6.0-RC3. The problem has to do with the first property named "statement". In it, an apostrophe is sent within a text node of the XML document, which is valid.

I do not have the corresponding SQL command issued to PostgreSQL, however in earlier tests I saw that the UPDATE was being done using a single quoted string, therefore it bails on the "s" following the apostrophe. Hence, the error message returned by geoserver.

If you require any more information, do not hesitate to contact me directly.

JP

<?xml version="1.0" encoding="UTF-8"?>
<Transaction xmlns:glsl="http://schemas.gcrc.carleton.ca/glsl" xmlns="http://www.opengis.net/wfs" xmlns:gml="http://www.opengis.net/gml" xmlns:ogc="http://www.opengis.net/ogc" version="1.0.0" service="WFS" lockAction="ALL"><Update typeName="glsl:artists"><Property><Name>statement</Name>
<Value>Test with apostrophe's in the middle</Value>
</Property>
<Property><Name>artist_name</Name>
<Value>Jeff Thomas</Value>
</Property>
<Property><Name>website</Name>
<Value>http://www.scoutingforindians.com/index.html</Value>
</Property>
<Property><Name>email</Name>
<Value></Value>
</Property>
<Property><Name>the_geom</Name>
<Value><gml:MultiPoint srsName="EPSG:4326"><gml:pointMember><gml:Point><gml:coordinates decimal="." cs="," ts=" ">-75.0,45.0</gml:coordinates>
</gml:Point>
</gml:pointMember>
</gml:MultiPoint>
</Value>
</Property>
<Property><Name>artist_id</Name>
<Value>1</Value>
</Property>
<Property><Name>long</Name>
<Value>0.0</Value>
</Property>
<Property><Name>biography</Name>
<Value>Jeff Thomas is an Iroquois/Onondaga member of the Six Nations Reserve, curator, photographer and cultural analyst now living in Ottawa who has works in major collections in Canada, the United States and Europe. Jeff's most recent solo shows were Jeff Thomas: Traces of Iroquois Medicine, Ontario Museum of Archaeology, London, Ontario, Portraits from the Dancing Grounds, McMichael Canadian Art Collection, in Toronto, Jeff Thomas: A Study of Indian-ness in Toronto, and Shelley Niro and Jeff Thomas: Contemporary Voices, Canada House, London, England. He has also been in many group shows, including Images of the American Indian at the Birchfield-Penney Art Center, American West. Compton Verney, Warwickshire, England and About Face: Native American Self-Portraits, Wheelwright Museum of the American Indian, Santa Fe, New Mexico. In 1998, he was awarded the Canada Council's prestigious Duke and Duchess of York Award in Photography.

His specialty is the exploration of historical cultural resources to bring voices, stories and perspectives into the present. In his curatorial projects, such as ......Where are the Children: Healing the Legacy of Residential Schools......, ......Emergence from the Shadow: First Peoples' Photographic Perspectives...... at the Canadian Museum of Civilization and ......Aboriginal Portraits at the National Archives of Canada......, Jeff has mined the archival vaults of non-Native visual and written records to recover lost elements of Aboriginal history.</Value>
</Property>
<Property><Name>lat</Name>
<Value>0.0</Value>
</Property>
<ogc:Filter><ogc:FeatureId fid="artists.1"/>
</ogc:Filter>
</Update>
</Transaction>

HTTP/1.1 200 OK
Date: Mon, 21 Apr 2008 18:23:54 GMT
Content-Type: text/xml
Keep-Alive: timeout=5, max=98
Connection: Keep-Alive
Transfer-Encoding: chunked

2a9
<?xml version="1.0" encoding="UTF-8"?><wfs:WFS_TransactionResponse version="1.0.0" xmlns:wfs="http://www.opengis.net/wfs" xmlns:ogc="http://www.opengis.net/ogc" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.opengis.net/wfs http://atlases.gcrc.carleton.ca:80/geoserver/schemas/wfs/1.0.0/WFS-transaction.xsd"><wfs:InsertResult><ogc:FeatureId fid="none"/></wfs:InsertResult> <wfs:TransactionResult> <wfs:Status> <wfs:FAILED/> </wfs:Status> <wfs:Message>org.geotools.data.DataSourceException: Some sort of database connection error: ERROR: syntax error at or near "s"</wfs:Message> </wfs:TransactionResult></wfs:WFS_TransactionResponse>
0

Show
Amos Hayes added a comment - Here are some more details from JP. You will find below the WFS-T trace obtained from Wireshark when our server (using geotools) performs a request to geoserver-1.6.0-RC3. The problem has to do with the first property named "statement". In it, an apostrophe is sent within a text node of the XML document, which is valid. I do not have the corresponding SQL command issued to PostgreSQL, however in earlier tests I saw that the UPDATE was being done using a single quoted string, therefore it bails on the "s" following the apostrophe. Hence, the error message returned by geoserver. If you require any more information, do not hesitate to contact me directly. JP <?xml version="1.0" encoding="UTF-8"?> <Transaction xmlns:glsl="http://schemas.gcrc.carleton.ca/glsl" xmlns="http://www.opengis.net/wfs" xmlns:gml="http://www.opengis.net/gml" xmlns:ogc="http://www.opengis.net/ogc" version="1.0.0" service="WFS" lockAction="ALL"><Update typeName="glsl:artists"><Property><Name>statement</Name> <Value>Test with apostrophe's in the middle</Value> </Property> <Property><Name>artist_name</Name> <Value>Jeff Thomas</Value> </Property> <Property><Name>website</Name> <Value>http://www.scoutingforindians.com/index.html</Value> </Property> <Property><Name>email</Name> <Value></Value> </Property> <Property><Name>the_geom</Name> <Value><gml:MultiPoint srsName="EPSG:4326"><gml:pointMember><gml:Point><gml:coordinates decimal="." cs="," ts=" ">-75.0,45.0</gml:coordinates> </gml:Point> </gml:pointMember> </gml:MultiPoint> </Value> </Property> <Property><Name>artist_id</Name> <Value>1</Value> </Property> <Property><Name>long</Name> <Value>0.0</Value> </Property> <Property><Name>biography</Name> <Value>Jeff Thomas is an Iroquois/Onondaga member of the Six Nations Reserve, curator, photographer and cultural analyst now living in Ottawa who has works in major collections in Canada, the United States and Europe. Jeff's most recent solo shows were Jeff Thomas: Traces of Iroquois Medicine, Ontario Museum of Archaeology, London, Ontario, Portraits from the Dancing Grounds, McMichael Canadian Art Collection, in Toronto, Jeff Thomas: A Study of Indian-ness in Toronto, and Shelley Niro and Jeff Thomas: Contemporary Voices, Canada House, London, England. He has also been in many group shows, including Images of the American Indian at the Birchfield-Penney Art Center, American West. Compton Verney, Warwickshire, England and About Face: Native American Self-Portraits, Wheelwright Museum of the American Indian, Santa Fe, New Mexico. In 1998, he was awarded the Canada Council's prestigious Duke and Duchess of York Award in Photography. His specialty is the exploration of historical cultural resources to bring voices, stories and perspectives into the present. In his curatorial projects, such as ......Where are the Children: Healing the Legacy of Residential Schools......, ......Emergence from the Shadow: First Peoples' Photographic Perspectives...... at the Canadian Museum of Civilization and ......Aboriginal Portraits at the National Archives of Canada......, Jeff has mined the archival vaults of non-Native visual and written records to recover lost elements of Aboriginal history.</Value> </Property> <Property><Name>lat</Name> <Value>0.0</Value> </Property> <ogc:Filter><ogc:FeatureId fid="artists.1"/> </ogc:Filter> </Update> </Transaction> HTTP/1.1 200 OK Date: Mon, 21 Apr 2008 18:23:54 GMT Content-Type: text/xml Keep-Alive: timeout=5, max=98 Connection: Keep-Alive Transfer-Encoding: chunked 2a9 <?xml version="1.0" encoding="UTF-8"?><wfs:WFS_TransactionResponse version="1.0.0" xmlns:wfs="http://www.opengis.net/wfs" xmlns:ogc="http://www.opengis.net/ogc" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.opengis.net/wfs http://atlases.gcrc.carleton.ca:80/geoserver/schemas/wfs/1.0.0/WFS-transaction.xsd"><wfs:InsertResult><ogc:FeatureId fid="none"/></wfs:InsertResult> <wfs:TransactionResult> <wfs:Status> <wfs:FAILED/> </wfs:Status> <wfs:Message>org.geotools.data.DataSourceException: Some sort of database connection error: ERROR: syntax error at or near "s"</wfs:Message> </wfs:TransactionResult></wfs:WFS_TransactionResponse> 0
Hide
Permalink
Amos Hayes added a comment -

Also note that we tested on 1.6.3 as well and saw the same issues.

Will your fix catch this case Gabriel? Thanks very much for your work on this!

Show
Amos Hayes added a comment - Also note that we tested on 1.6.3 as well and saw the same issues. Will your fix catch this case Gabriel? Thanks very much for your work on this!
Hide
Permalink
Gabriel Roldán added a comment -

reopening since inserts are still vulnerable

Show
Gabriel Roldán added a comment - reopening since inserts are still vulnerable
Hide
Permalink
Gabriel Roldán added a comment -

closing since escaping is being handled well enough as per what this issue reports. The whole switch to prep statements, which implies creating them out of Filters too is a major change applicable only to trunk

Show
Gabriel Roldán added a comment - closing since escaping is being handled well enough as per what this issue reports. The whole switch to prep statements, which implies creating them out of Filters too is a major change applicable only to trunk
Hide
Permalink
Amos Hayes added a comment -

Here is a log of a failing UPDATE from last night's trunk build.

POST /geoserver-20080422/wfs? HTTP/1.1
Content-type: text/xml, application/xml
Accept-Encoding: gzip
User-Agent: Java/1.6.0_03
Host: 127.0.0.1:8080
Accept: text/html, image/gif, image/jpeg, ; q=.2, */; q=.2
Connection: keep-alive
Content-Length: 328

<?xml version="1.0" encoding="UTF-8"?>
<GetFeature xmlns="http://www.opengis.net/wfs" xmlns:gml="http://www.opengis.net/gml" xmlns:ogc="http://www.opengis.net/ogc" version="1.0.0" service="WFS" outputFormat="GML2"><Query typeName="topp:image"><ogc:Filter><ogc:FeatureId fid="image.33100"/>
</ogc:Filter>
</Query>
</GetFeature>

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Encoding: gzip
Content-Type: text/xml
Content-Length: 515
Date: Tue, 22 Apr 2008 14:05:07 GMT

...........T]..0..../....&..t..........1.b.l......_j..."U...wg....xy(...j..N..<J@K.).'..q5..e.7[..@.}
.MQ.t.'H.6.;.....i..@..2
.#.....k`.T..\U.m..s..Gh^..v...;X...L.N.......A.......Z....l.\.)\..E=d...{...Gso......m..Us.6..9.mNIH.......0.....S..=X.|.+k.....c.].a.Y....G..9....^]?.mI.S.Q.d#...`3...j.1{.Avw..w.@lm;=.......9........N.S..&..k.......(..Q.P..Eh:.....4.-...p.f.O*......{.>.........{(7P....[.%...t.{...Y.}]...x.z......F..yG.&.2..;..#..e..<.......}......'....8U..Z............<.|.t0.........._.`.o.C^D....
POST /geoserver-20080422/wfs? HTTP/1.1
Content-type: text/xml, application/xml
Accept-Encoding: gzip
User-Agent: Java/1.6.0_03
Host: 127.0.0.1:8080
Accept: text/html, image/gif, image/jpeg, ; q=.2, */; q=.2
Connection: keep-alive
Content-Length: 1007

<?xml version="1.0" encoding="UTF-8"?>
<Transaction xmlns:topp="http://www.openplans.org/topp" xmlns="http://www.opengis.net/wfs" xmlns:gml="http://www.opengis.net/gml" xmlns:ogc="http://www.opengis.net/ogc" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.openplans.org/topp http://127.0.0.1:8080/geoserver-20080422/wfs?request=DescribeFeatureType&amp;SERVICE=WFS&amp;VERSION=1.0.0&amp;TYPENAME=topp:image" version="1.0.0" service="WFS" lockAction="ALL"><Update typeName="topp:image"><Property><Name>id</Name>
<Value>test2</Value>
</Property>
<Property><Name>dummy_geom</Name>
<Value><gml:MultiPoint srsName="EPSG:4326"><gml:pointMember><gml:Point><gml:coordinates decimal="." cs="," ts=" ">-106.26325652,69.5</gml:coordinates>
</gml:Point>
</gml:pointMember>
</gml:MultiPoint>
</Value>
</Property>
<Property><Name>imageURL</Name>
<Value>text with an ' apostophe</Value>
</Property>
<ogc:Filter><ogc:FeatureId fid="image.33100"/>
</ogc:Filter>
</Update>
</Transaction>

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Encoding: gzip
Content-Type: text/xml
Content-Length: 303
Date: Tue, 22 Apr 2008 14:05:07 GMT

P....S_1.BEGIN...B.....S_1.......E.........P....S_2.SELECT "oid", "id", "imageURL", encode(asBinary(force_2d("dummy_geom"),'XDR'),'base64') FROM "public"."image" WHERE ("oid" = '33100')...B....C_3.S_2.......D....PC_3.E....C_3.....S....1....2....C...
BEGIN.1....2....T...e..oid...`C..............id...`C..............imageURL...`C..............encode...................D...`......33100....test2....text with ' an apostophe...(AAAAAAQAAAABAAAAAAHAWpDZMeIAAEBRYAAAAAAAC....SELECT.Z....TC....SS_2.C....PC_3.P....S_4.SELECT "oid", "id", "imageURL", encode(asBinary(force_2d("dummy_geom"),'XDR'),'base64') FROM "public"."image" WHERE ("oid" = '33100')...B....C_5.S_4.......D....PC_5.E....C_5.....S....3....3....1....2....T...e..oid...`C..............id...`C..............imageURL...`C..............encode...................D...`......33100....test2....text with ' an apostophe...(AAAAAAQAAAABAAAAAAHAWpDZMeIAAEBRYAAAAAAAC....SELECT.Z....TC....SS_4.C....PC_5.P...n.SELECT AsText(force_2d(Envelope(Extent("dummy_geom")))) FROM "public"."image" WHERE ("oid" = '33100')...B............D....P.E.........S....3....3....1....2....T......astext...................D.........}POLYGON((-106.263259887695 69.5,-106.263259887695 69.5,-106.263252258301 69.5,-106.263252258301 69.5,-106.263259887695 69.5))C....SELECT.Z....TP.....UPDATE "public"."image" SET "id" = 'test2', "dummy_geom" = GeometryFromText('MULTIPOINT (-106.26325652 69.5)', 4326), "imageURL" = 'text with an ' apostophe' WHERE ("oid" = '33100');...B............D....P.E.........S....E...XSERROR.C42601.Msyntax error at or near "apostophe".P148.Fscan.l.L795.Rbase_yyerror..Z....EP....S_6.ROLLBACK...B.....S_6.......E.........S....1....2....C...
ROLLBACK.Z....I

Show
Amos Hayes added a comment - Here is a log of a failing UPDATE from last night's trunk build. POST /geoserver-20080422/wfs? HTTP/1.1 Content-type: text/xml, application/xml Accept-Encoding: gzip User-Agent: Java/1.6.0_03 Host: 127.0.0.1:8080 Accept: text/html, image/gif, image/jpeg, ; q=.2, */; q=.2 Connection: keep-alive Content-Length: 328 <?xml version="1.0" encoding="UTF-8"?> <GetFeature xmlns="http://www.opengis.net/wfs" xmlns:gml="http://www.opengis.net/gml" xmlns:ogc="http://www.opengis.net/ogc" version="1.0.0" service="WFS" outputFormat="GML2"><Query typeName="topp:image"><ogc:Filter><ogc:FeatureId fid="image.33100"/> </ogc:Filter> </Query> </GetFeature> HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Content-Encoding: gzip Content-Type: text/xml Content-Length: 515 Date: Tue, 22 Apr 2008 14:05:07 GMT ...........T]..0..../....&..t..........1.b.l......_j..."U...wg....xy(...j..N..<J@K.).'..q5..e.7[..@.} .MQ.t.'H.6.;.....i..@..2 .#.....k`.T..\U.m..s..Gh^..v...;X...L.N.......A.......Z....l.\.)\..E=d...{...Gso......m..Us.6..9.mNIH.......0.....S..=X.|.+k.....c.].a.Y....G..9....^]?.mI.S.Q.d#...`3...j.1{.Avw..w.@lm;=.......9........N.S..&..k.......(..Q.P..Eh:.....4.-...p.f.O*......{.>.........{(7P....[.%...t.{...Y.}]...x.z......F..yG.&.2..;..#..e..<.......}......'....8U..Z............<.|.t0.........._.`.o.C^D.... POST /geoserver-20080422/wfs? HTTP/1.1 Content-type: text/xml, application/xml Accept-Encoding: gzip User-Agent: Java/1.6.0_03 Host: 127.0.0.1:8080 Accept: text/html, image/gif, image/jpeg, ; q=.2, */; q=.2 Connection: keep-alive Content-Length: 1007 <?xml version="1.0" encoding="UTF-8"?> <Transaction xmlns:topp="http://www.openplans.org/topp" xmlns="http://www.opengis.net/wfs" xmlns:gml="http://www.opengis.net/gml" xmlns:ogc="http://www.opengis.net/ogc" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.openplans.org/topp http://127.0.0.1:8080/geoserver-20080422/wfs?request=DescribeFeatureType&amp;SERVICE=WFS&amp;VERSION=1.0.0&amp;TYPENAME=topp:image" version="1.0.0" service="WFS" lockAction="ALL"><Update typeName="topp:image"><Property><Name>id</Name> <Value>test2</Value> </Property> <Property><Name>dummy_geom</Name> <Value><gml:MultiPoint srsName="EPSG:4326"><gml:pointMember><gml:Point><gml:coordinates decimal="." cs="," ts=" ">-106.26325652,69.5</gml:coordinates> </gml:Point> </gml:pointMember> </gml:MultiPoint> </Value> </Property> <Property><Name>imageURL</Name> <Value>text with an ' apostophe</Value> </Property> <ogc:Filter><ogc:FeatureId fid="image.33100"/> </ogc:Filter> </Update> </Transaction> HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Content-Encoding: gzip Content-Type: text/xml Content-Length: 303 Date: Tue, 22 Apr 2008 14:05:07 GMT P....S_1.BEGIN...B.....S_1.......E.........P....S_2.SELECT "oid", "id", "imageURL", encode(asBinary(force_2d("dummy_geom"),'XDR'),'base64') FROM "public"."image" WHERE ("oid" = '33100')...B....C_3.S_2.......D....PC_3.E....C_3.....S....1....2....C... BEGIN.1....2....T...e..oid...`C..............id...`C..............imageURL...`C..............encode...................D...`......33100....test2....text with ' an apostophe...(AAAAAAQAAAABAAAAAAHAWpDZMeIAAEBRYAAAAAAAC....SELECT.Z....TC....SS_2.C....PC_3.P....S_4.SELECT "oid", "id", "imageURL", encode(asBinary(force_2d("dummy_geom"),'XDR'),'base64') FROM "public"."image" WHERE ("oid" = '33100')...B....C_5.S_4.......D....PC_5.E....C_5.....S....3....3....1....2....T...e..oid...`C..............id...`C..............imageURL...`C..............encode...................D...`......33100....test2....text with ' an apostophe...(AAAAAAQAAAABAAAAAAHAWpDZMeIAAEBRYAAAAAAAC....SELECT.Z....TC....SS_4.C....PC_5.P...n.SELECT AsText(force_2d(Envelope(Extent("dummy_geom")))) FROM "public"."image" WHERE ("oid" = '33100')...B............D....P.E.........S....3....3....1....2....T......astext...................D.........}POLYGON((-106.263259887695 69.5,-106.263259887695 69.5,-106.263252258301 69.5,-106.263252258301 69.5,-106.263259887695 69.5))C....SELECT.Z....TP.....UPDATE "public"."image" SET "id" = 'test2', "dummy_geom" = GeometryFromText('MULTIPOINT (-106.26325652 69.5)', 4326), "imageURL" = 'text with an ' apostophe' WHERE ("oid" = '33100');...B............D....P.E.........S....E...XSERROR.C42601.Msyntax error at or near "apostophe".P148.Fscan.l.L795.Rbase_yyerror..Z....EP....S_6.ROLLBACK...B.....S_6.......E.........S....1....2....C... ROLLBACK.Z....I

People

Vote (0)
Watch (0)

Dates

  • Created:
    Updated:
    Resolved:
Atlassian JIRA (v4.4.3#663-r165197) | Report a problem
Powered by a free Atlassian JIRA open source license for Codehaus. Try JIRA - bug tracking software for your team.