GeoServer

Uploading a Shapefile to Postgres with special chars in name provokes SQL error

Details

  • Type: Bug Bug
  • Status: Open Open
  • Priority: Major Major
  • Resolution: Unresolved
  • Affects Version/s: None
  • Fix Version/s: None
  • Component/s: None
  • Labels:
    None
  • Number of attachments :
    2

Description

Uploading the attached layer through the rest api fails with a SQL parsing error. I think there's potential for a SQL injection attack here.

  2. Text File
    geoserver.log
    23/Apr/12 10:55 AM
    27 kB
    David Winslow

Activity

Ascending order - Click to sort in descending order
Hide
Permalink
Andrea Aime added a comment -

I guess the code that's failing is the call to create schema?
Hmm... looking at the code we are already wrapping the name in ' ', but that's exactly why it's happening.
Now... what to do about this? Just refuse to create the table? Or can we escape the ' and let it go?

Show
Andrea Aime added a comment - I guess the code that's failing is the call to create schema? Hmm... looking at the code we are already wrapping the name in ' ', but that's exactly why it's happening. Now... what to do about this? Just refuse to create the table? Or can we escape the ' and let it go?
Hide
Permalink
David Winslow added a comment -

I just re-ran my test script after setting the log level in GeoServer to "GEOTOOLS_DEVELOPER_LOGGING". I'm attaching the log file, but it appears that this is where the error is happening since this is the last SQL statement logged before the exception.

DELETE FROM GEOMETRY_COLUMNS WHERE f_table_catalog='' AND f_table_schema = 'public' AND f_table_name = ''_populated_places' AND f_geometry_column = 'the_geom'

I think we could just use a PreparedStatement instead of constructing SQL directly to avoid this specific issue, but for the table name I guess that won't work. Fortunately, it looks like the rules for escaping table names are pretty simple: just double any double-quotes, all other characters will be passed through verbatim.

Show
David Winslow added a comment - I just re-ran my test script after setting the log level in GeoServer to "GEOTOOLS_DEVELOPER_LOGGING". I'm attaching the log file, but it appears that this is where the error is happening since this is the last SQL statement logged before the exception. DELETE FROM GEOMETRY_COLUMNS WHERE f_table_catalog='' AND f_table_schema = ' public ' AND f_table_name = ''_populated_places' AND f_geometry_column = 'the_geom' I think we could just use a PreparedStatement instead of constructing SQL directly to avoid this specific issue, but for the table name I guess that won't work. Fortunately, it looks like the rules for escaping table names are pretty simple: just double any double-quotes, all other characters will be passed through verbatim.
Hide
Permalink
David Winslow added a comment -

log file from test run with GEOTOOLS_DEVELOPER_LOGGING

Show
David Winslow added a comment - log file from test run with GEOTOOLS_DEVELOPER_LOGGING
Hide
Permalink
David Winslow added a comment -

For GeoServer it seems like most problems we run into with "weird" table names will also correspond to invalid XML tag names (leading to invalid GML output, etc.) so maybe we could just enforce some validation before trying to create the table.

Show
David Winslow added a comment - For GeoServer it seems like most problems we run into with "weird" table names will also correspond to invalid XML tag names (leading to invalid GML output, etc.) so maybe we could just enforce some validation before trying to create the table.

People

  • Assignee:
    Andrea Aime
    Reporter:
    David Winslow
Vote (0)
Watch (0)

Dates

  • Created:
    Updated: