
Fix potential SQL Injection with postgis TIME filters (#4834)

rouault authored and tbonfort committed Dec 31, 2013
1 parent e83a0cb commit 3a10f6b829297dae63492a8c63385044bc6953ed
Showing with 5 additions and 0 deletions.
  1. +5 −0 mappostgis.c
@@ -3212,6 +3212,11 @@ int msPostGISLayerSetTimeFilter(layerObj *lp, const char *timestring, const char
if (!lp || !timestring || !timefield)
return MS_FALSE;
if( strchr(timestring,'\'') || strchr(timestring, '\\') ) {
msSetError(MS_MISCERR, "Invalid time filter.", "msPostGISLayerSetTimeFilter()");
return MS_FALSE;
}
/* discrete time */
if (strstr(timestring, ",") == NULL &&
strstr(timestring, "/") == NULL) { /* discrete time */
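Review bot: The new guard at the top of msPostGISLayerSetTimeFilter() is a denylist of two characters (`'` and `\`), so it only holds while every later use of timestring places it inside a single-quoted SQL literal and the client encoding cannot yield a quote byte from a multibyte sequence. An allowlist of the characters a time value can legitimately contain is tighter and easier to audit, for example `if (timestring[strspn(timestring, "0123456789-:.TZ,/ +")] != '\0')` as the rejecting condition (the exact set should follow the time formats MapServer accepts), or the value can be escaped with libpq's `PQescapeStringConn()` at the point where the expression is built. timefield is only NULL-checked here; if it can ever originate from anything other than the mapfile it needs the same validation. The function body continues outside this hunk, so how the two strings are interpolated into the filter is not visible here and should be confirmed against the full file.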
