
Fix potential SQL Injection with postgis TIME filters (#4834)

1 parent e83a0cb commit 3a10f6b829297dae63492a8c63385044bc6953ed @rouault rouault committed with tbonfort Dec 31, 2013
Showing with 5 additions and 0 deletions.
  1. +5 −0 mappostgis.c
@@ -3212,6 +3212,11 @@ int msPostGISLayerSetTimeFilter(layerObj *lp, const char *timestring, const char
if (!lp || !timestring || !timefield)
return MS_FALSE;
+ if( strchr(timestring,'\'') || strchr(timestring, '\\') ) {
+ msSetError(MS_MISCERR, "Invalid time filter.", "msPostGISLayerSetTimeFilter()");
+ return MS_FALSE;
+ }
+
/* discrete time */
if (strstr(timestring, ",") == NULL &&
strstr(timestring, "/") == NULL) { /* discrete time */
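Review bot: The new guard is a two-character denylist, which is only sufficient if every later interpolation of timestring into the query wraps it in a single-quoted literal and the backend's handling of backslashes is the only other way out of that literal; the rest of msPostGISLayerSetTimeFilter lies outside the hunk, so that cannot be confirmed here. An allowlist over what a time expression can legitimately contain is safer regardless of how the value is quoted downstream, e.g. replacing the condition with `if (strspn(timestring, "0123456789+-:TZ./,") != strlen(timestring)) {` (widened to whatever period/resolution letters the range parsing further down actually accepts). A why-comment above the check would also help the next maintainer: `/* timestring is pasted into SQL text below; reject anything that could break out of the quoted literal */`. timefield is not covered by the new guard; it is presumably a configured column name rather than request input, but if it is also spliced into the query text it deserves the same validation or identifier quoting. Minor style: `if(` with no space differs from the `if (` form used on the neighbouring line.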
