SQL injection on PostGIS layer filtering #19405
Comments
Author Name: Matthias Kuhn (@m-kuhn) You will have access to the user/password anyway when you are using QGIS to access data. With these credentials you will be able to perform malicious code on the database anyway as far as user permissions allow.
The meaning of this comment is not to say that this should not be fixed, but that with this fix security will most likely not be considerably improved.
Author Name: Giovanni Manghi (@gioman)
Author Name: Matthias Kuhn (@m-kuhn) Was there a reason to change the state to open? I think there are two possibilities to change the state from Feedback to something else:
Having something in the state Open with missing information does not help to fix it but makes it harder to close it due to lack of information.
Author Name: Giovanni Manghi (@gioman) Matthias Kuhn wrote:
Hi Matthias, I changed the status because I have tested what is described and confirmed that it is indeed an issue. Then you (developers) can argue that it is not worth fixing, for the reasons you describe, and then close this ticket. Otherwise there is no need for further feedback, but then the ticket should stay open, to remind us about it.
Author Name: Jürgen Fischer (@jef-n) Giovanni Manghi wrote:
But the question was why this is an issue. You can only execute statements that you're allowed to, and you can't execute anything more via SQL injection than you can via DB Manager or any other connection using the available credentials.
Author Name: Giovanni Manghi (@gioman)
Yes, I understand (and agree) 100%, but the point is that the feedback tag was not necessary because there is nothing more to add or to know. If the developers consider this an issue then it should be left open; if not, then it should be closed as won't fix.
Author Name: Jürgen Fischer (@jef-n) Giovanni Manghi wrote:
Um, but both questions Matthias raised were not answered.
Author Name: Jürgen Fischer (@jef-n)
Author Name: Giovanni Manghi (@gioman) closing for lack of feedback.
Author Name: Carlos Ruiz (Carlos Ruiz)
Original Redmine Issue: 11071
Affected QGIS version: master
Redmine category: data_provider/postgis
Hi to all,
When version 1.8 was released, I did some tests to inject SQL while filtering a PostGIS layer. I thought that the following releases would fix it, but this issue is still present in 2.0, 2.2 and 2.4.
Using QGIS 2.4 I did the following:
I think security is an important issue when accessing a database server, so I suggest evaluating the SQL string with a regular expression which accepts just a query command (`select ... FROM ... WHERE ... LIMIT 0` or `select ... FROM ... WHERE ...`) before testing or executing it, rejecting DDL commands like `alter`, `drop`, `grant`, `revoke` and `truncate`.
Cheers
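The shape check the report proposes, written out as an added Python example (this is not QGIS code); the function names and the regular expressions are assumptions for this illustration. It strips string literals first so that a keyword appearing as data (`name = 'drop'`) is not mistaken for SQL, then rejects stacked statements, comments and DDL/DML keywords, and finally requires a single `SELECT ... FROM ... [WHERE ...] [LIMIT n]` statement:

```python
import re

# Added example, not QGIS code. Accepts one SELECT ... FROM ... [WHERE ...]
# [LIMIT n] statement and rejects stacked statements, SQL comments and
# DDL/DML keywords. Names and patterns below are assumptions for the example.

FORBIDDEN = re.compile(
    r"\b(alter|drop|grant|revoke|truncate|create|insert|update|delete|copy)\b",
    re.I)
SHAPE = re.compile(
    r"^\s*select\b.+?\bfrom\b.+?(\bwhere\b.+?)?(\blimit\s+\d+)?\s*$",
    re.I | re.S)


def strip_literals(sql):
    """Replace single-quoted string literals (with '' escapes) by '?' so that
    a keyword written as data, e.g. name = 'drop', is not treated as SQL."""
    out, i = [], 0
    while i < len(sql):
        if sql[i] == "'":
            j = i + 1
            while j < len(sql):
                if sql[j] == "'":
                    if j + 1 < len(sql) and sql[j + 1] == "'":
                        j += 2          # doubled quote is an escaped quote
                        continue
                    break
                j += 1
            else:
                raise ValueError("unterminated string literal")
            out.append("'?'")
            i = j + 1
        else:
            out.append(sql[i])
            i += 1
    return "".join(out)


def validate_filter(sql):
    """Return True if the filter string passes the shape check, else False."""
    try:
        bare = strip_literals(sql)
    except ValueError:
        return False
    if ";" in bare or "--" in bare or "/*" in bare:
        return False    # statement stacking or comment smuggling
    if FORBIDDEN.search(bare):
        return False    # DDL/DML keyword outside a string literal
    return SHAPE.match(bare) is not None
```

As the maintainers point out above, this only constrains the shape of the filter string; it does not change what the supplied database credentials are permitted to do.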