Fix potential SQL Injection with postgis TIME filters (#4834)
rouault authored and tbonfort committed Dec 31, 2013
1 parent e83a0cb commit 3a10f6b829297dae63492a8c63385044bc6953ed
Showing 1 changed file with 5 additions and 0 deletions.
@@ -3212,6 +3212,11 @@ int msPostGISLayerSetTimeFilter(layerObj *lp, const char *timestring, const char
if (!lp || !timestring || !timefield)
return MS_FALSE;

if( strchr(timestring,'\'') || strchr(timestring, '\\') ) {
msSetError(MS_MISCERR, "Invalid time filter.", "msPostGISLayerSetTimeFilter()");
return MS_FALSE;
}

/* discrete time */
if (strstr(timestring, ",") == NULL &&
strstr(timestring, "/") == NULL) { /* discrete time */
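Review bot: The check added at the top of msPostGISLayerSetTimeFilter is a denylist that rejects only `'` and `\` in `timestring`, which is enough only if every later use places the value inside a single-quoted SQL literal; the rest of the function lies outside this hunk, so that cannot be confirmed from here. An allowlist would be sturdier, for example `if (strspn(timestring, "0123456789-:TZ.,/ ") != strlen(timestring))` in front of the same `msSetError(...)` / `return MS_FALSE;`, with the exact character set confirmed against the time formats the layer accepts. `timefield` is presumably built into the same query and is not checked at all; if it can ever originate from request data rather than the mapfile, it needs equivalent validation. A short comment above the check, such as `/* reject characters that could terminate the quoted SQL literal built below */`, would record why it exists.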
