~ubuntu-branches/ubuntu/precise/mapserver/precise-security
» Revision
28
: debian/patches/wfs_sql_injection.patch
« back to all changes in this revision
Viewing changes to debian/patches/wfs_sql_injection.patch
- browse files at revision 28
- compare with another revision
- download diff
- download tarball
- view history from revision 28
- Committer: Package Import Robot
- Author(s): Jamie Strandboge
- Date: 2011-09-09 09:46:09 UTC
- Revision ID: package-import@ubuntu.com-20110909094609-iituzvjk5w0v57w2
Tags: 5.6.6-1.1ubuntu1
* SECURITY UPDATE: SQL Injection and buffer overflows (LP: #809133)
- debian/patches/wfs_sql_injection.dpatch: Fix possible WFS SQL injection
and buffer overflows in OGC Filter Encoding support. Patch from Natty
refreshed for Oneiric.
- http://trac.osgeo.org/mapserver/ticket/3874
- http://trac.osgeo.org/mapserver/ticket/3903]
- CVE-2011-2703, CVE-2011-2704
- debian/patches/wfs_sql_injection.dpatch: Fix possible WFS SQL injection
and buffer overflows in OGC Filter Encoding support. Patch from Natty
refreshed for Oneiric.
- http://trac.osgeo.org/mapserver/ticket/3874
- http://trac.osgeo.org/mapserver/ticket/3903]
- CVE-2011-2703, CVE-2011-2704
- files added:
- .pc/debian-changes-5.6.6-1.1ubuntu1
- .pc/wfs_sql_injection.patch
- files modified:
- .pc/applied-patches
added
removed
debian/patches/wfs_sql_injection.patch
1
Author: aboudreault@mapgears.com
2
Bug: http://trac.osgeo.org/mapserver/ticket/3874
3
Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/mapserver/+bug/809133
4
Description: Fix possible WFS sql injection
5
Note: updated to include http://trac.osgeo.org/mapserver/changeset/11914 and
6
fix the warning introduced in msOGREscapeSQLParam -- sbeattie)
7
8
Index: mapserver-5.6.6/maplayer.c
9
===================================================================
10
--- mapserver-5.6.6.orig/maplayer.c 2011-09-09 09:43:52.000000000 -0500
11
+++ mapserver-5.6.6/maplayer.c 2011-09-09 09:44:02.000000000 -0500
12
@@ -1051,6 +1051,85 @@
13
return MS_FAILURE;
14
}
15
16
+/************************************************************************/
17
+/* LayerDefaultEscapeSQLParam */
18
+/* */
19
+/* Default function used to escape strings and avoid sql */
20
+/* injection. Specific drivers should redefine if an escaping */
21
+/* function is available in the driver. */
22
+/************************************************************************/
23
+char *LayerDefaultEscapeSQLParam(layerObj *layer, const char* pszString)
24
+{
25
+ char *pszEscapedStr=NULL;
26
+ if (pszString)
27
+ {
28
+ int nSrcLen;
29
+ char c;
30
+ int i=0, j=0;
31
+ nSrcLen = (int)strlen(pszString);
32
+ pszEscapedStr = (char*) malloc( 2 * nSrcLen + 1);
33
+ for(i = 0, j = 0; i < nSrcLen; i++)
34
+ {
35
+ c = pszString[i];
36
+ if (c == '\'')
37
+ {
38
+ pszEscapedStr[j++] = '\'';
39
+ pszEscapedStr[j++] = '\'';
40
+ }
41
+ else if (c == '\\')
42
+ {
43
+ pszEscapedStr[j++] = '\\';
44
+ pszEscapedStr[j++] = '\\';
45
+ }
46
+ else
47
+ pszEscapedStr[j++] = c;
48
+ }
49
+ pszEscapedStr[j] = 0;
50
+ }
51
+ return pszEscapedStr;
52
+}
53
+
54
+/************************************************************************/
55
+/* LayerDefaultEscapePropertyName */
56
+/* */
57
+/* Return the property name in a properly escaped and quoted form. */
58
+/************************************************************************/
59
+char *LayerDefaultEscapePropertyName(layerObj *layer, const char* pszString)
60
+{
61
+ char* pszEscapedStr=NULL;
62
+ int i, j = 0;
63
+
64
+ if (layer && pszString && strlen(pszString) > 0)
65
+ {
66
+ int nLength = strlen(pszString);
67
+
68
+ pszEscapedStr = (char*) malloc( 1 + 2 * nLength + 1 + 1);
69
+ pszEscapedStr[j++] = '"';
70
+
71
+ for (i=0; i<nLength; i++)
72
+ {
73
+ char c = pszString[i];
74
+ if (c == '"')
75
+ {
76
+ pszEscapedStr[j++] = '"';
77
+ pszEscapedStr[j++] ='"';
78
+ }
79
+ else if (c == '\\')
80
+ {
81
+ pszEscapedStr[j++] = '\\';
82
+ pszEscapedStr[j++] = '\\';
83
+ }
84
+ else
85
+ pszEscapedStr[j++] = c;
86
+ }
87
+ pszEscapedStr[j++] = '"';
88
+ pszEscapedStr[j++] = 0;
89
+
90
+ }
91
+ return pszEscapedStr;
92
+}
93
+
94
+
95
/*
96
* msConnectLayer
97
*
98
@@ -1108,6 +1187,10 @@
99
100
vtable->LayerGetNumFeatures = LayerDefaultGetNumFeatures;
101
102
+ vtable->LayerEscapeSQLParam = LayerDefaultEscapeSQLParam;
103
+
104
+ vtable->LayerEscapePropertyName = LayerDefaultEscapePropertyName;
105
+
106
return MS_SUCCESS;
107
}
108
109
@@ -1280,6 +1363,32 @@
110
return i;
111
}
112
113
+
114
+
115
+/*
116
+Returns an escaped string
117
+*/
118
+char *msLayerEscapeSQLParam(layerObj *layer, const char*pszString)
119
+{
120
+ if ( ! layer->vtable) {
121
+ int rv = msInitializeVirtualTable(layer);
122
+ if (rv != MS_SUCCESS)
123
+ return "";
124
+ }
125
+ return layer->vtable->LayerEscapeSQLParam(layer, pszString);
126
+}
127
+
128
+char *msLayerEscapePropertyName(layerObj *layer, const char*pszString)
129
+{
130
+ if ( ! layer->vtable) {
131
+ int rv = msInitializeVirtualTable(layer);
132
+ if (rv != MS_SUCCESS)
133
+ return "";
134
+ }
135
+ return layer->vtable->LayerEscapePropertyName(layer, pszString);
136
+}
137
+
138
+
139
int
140
msINLINELayerInitializeVirtualTable(layerObj *layer)
141
{
142
@@ -1312,5 +1421,7 @@
143
/* layer->vtable->LayerCreateItems, use default */
144
layer->vtable->LayerGetNumFeatures = msINLINELayerGetNumFeatures;
145
146
+ /*layer->vtable->LayerEscapeSQLParam, use default*/
147
+ /*layer->vtable->LayerEscapePropertyName, use default*/
148
return MS_SUCCESS;
149
}
150
Index: mapserver-5.6.6/mapogcfilter.c
151
===================================================================
152
--- mapserver-5.6.6.orig/mapogcfilter.c 2011-09-09 09:43:52.000000000 -0500
153
+++ mapserver-5.6.6/mapogcfilter.c 2011-09-09 09:44:02.000000000 -0500
154
@@ -168,7 +168,7 @@
155
if (tokens && nTokens == 2)
156
{
157
char szTmp[32];
158
- sprintf(szTmp, "init=epsg:%s",tokens[1]);
159
+ snprintf(szTmp, sizeof(szTmp), "init=epsg:%s",tokens[1]);
160
msInitProjection(psProj);
161
if (msLoadProjectionString(psProj, szTmp) == 0)
162
nStatus = MS_TRUE;
163
@@ -193,7 +193,7 @@
164
if (nEpsgTmp > 0)
165
{
166
char szTmp[32];
167
- sprintf(szTmp, "init=epsg:%d",nEpsgTmp);
168
+ snprintf(szTmp, sizeof(szTmp), "init=epsg:%d",nEpsgTmp);
169
msInitProjection(psProj);
170
if (msLoadProjectionString(psProj, szTmp) == 0)
171
nStatus = MS_TRUE;
172
@@ -989,7 +989,7 @@
173
if (tokens && nTokens == 2)
174
{
175
char szTmp[32];
176
- sprintf(szTmp, "init=epsg:%s",tokens[1]);
177
+ snprintf(szTmp, sizeof(szTmp), "init=epsg:%s",tokens[1]);
178
msInitProjection(&sProjTmp);
179
if (msLoadProjectionString(&sProjTmp, szTmp) == 0)
180
msProjectRect(&sProjTmp, &map->projection, &sQueryRect);
181
@@ -1014,7 +1014,7 @@
182
if (nEpsgTmp > 0)
183
{
184
char szTmp[32];
185
- sprintf(szTmp, "init=epsg:%d",nEpsgTmp);
186
+ snprintf(szTmp, sizeof(szTmp), "init=epsg:%d",nEpsgTmp);
187
msInitProjection(&sProjTmp);
188
if (msLoadProjectionString(&sProjTmp, szTmp) == 0)
189
msProjectRect(&sProjTmp, &map->projection, &sQueryRect);
190
@@ -2780,9 +2780,9 @@
191
bString = 1;
192
}
193
if (bString)
194
- sprintf(szTmp, "('[%s]' = '%s')" , pszAttribute, tokens[i]);
195
+ snprintf(szTmp, sizeof(szTmp), "('[%s]' = '%s')" , pszAttribute, tokens[i]);
196
else
197
- sprintf(szTmp, "([%s] = %s)" , pszAttribute, tokens[i]);
198
+ snprintf(szTmp, sizeof(szTmp), "([%s] = %s)" , pszAttribute, tokens[i]);
199
200
if (pszExpression != NULL)
201
pszExpression = msStringConcatenate(pszExpression, " OR ");
202
@@ -2847,8 +2847,7 @@
203
"PropertyIsLike") == 0)
204
{
205
pszExpression =
206
- FLTGetIsLikeComparisonSQLExpression(psFilterNode,
207
- connectiontype);
208
+ FLTGetIsLikeComparisonSQLExpression(psFilterNode, lp);
209
}
210
}
211
}
212
@@ -2885,6 +2884,7 @@
213
bString = 0;
214
if (tokens && nTokens > 0)
215
{
216
+ char *pszEscapedStr = NULL;
217
for (i=0; i<nTokens; i++)
218
{
219
if (i == 0)
220
@@ -2893,10 +2893,14 @@
221
if (FLTIsNumeric(pszTmp) == MS_FALSE)
222
bString = 1;
223
}
224
+ pszEscapedStr = msLayerEscapeSQLParam(lp, tokens[i]);
225
if (bString)
226
- sprintf(szTmp, "(%s = '%s')" , pszAttribute, tokens[i]);
227
+ snprintf(szTmp, sizeof(szTmp), "(%s = '%s')" , pszAttribute, pszEscapedStr);
228
else
229
- sprintf(szTmp, "(%s = %s)" , pszAttribute, tokens[i]);
230
+ snprintf(szTmp, sizeof(szTmp), "(%s = %s)" , pszAttribute, pszEscapedStr);
231
+
232
+ msFree(pszEscapedStr);
233
+ pszEscapedStr=NULL;
234
235
if (pszExpression != NULL)
236
pszExpression = msStringConcatenate(pszExpression, " OR ");
237
@@ -3181,6 +3185,7 @@
238
/************************************************************************/
239
char *FLTGetBinaryComparisonExpresssion(FilterEncodingNode *psFilterNode, layerObj *lp)
240
{
241
+ const size_t bufferSize = 1024;
242
char szBuffer[1024];
243
int bString=0;
244
char szTmp[256];
245
@@ -3210,16 +3215,16 @@
246
247
248
if (bString)
249
- strcat(szBuffer, " (\"[");
250
+ strlcat(szBuffer, " (\"[", bufferSize);
251
else
252
- strcat(szBuffer, " ([");
253
+ strlcat(szBuffer, " ([", bufferSize);
254
/* attribute */
255
256
- strcat(szBuffer, psFilterNode->psLeftNode->pszValue);
257
+ strlcat(szBuffer, psFilterNode->psLeftNode->pszValue, bufferSize);
258
if (bString)
259
- strcat(szBuffer, "]\" ");
260
+ strlcat(szBuffer, "]\" ", bufferSize);
261
else
262
- strcat(szBuffer, "] ");
263
+ strlcat(szBuffer, "] ", bufferSize);
264
265
266
/* logical operator */
267
@@ -3230,40 +3235,40 @@
268
if (psFilterNode->psRightNode->pOther &&
269
(*(int *)psFilterNode->psRightNode->pOther) == 1)
270
{
271
- strcat(szBuffer, "IEQ");
272
+ strlcat(szBuffer, "IEQ", bufferSize);
273
}
274
else
275
- strcat(szBuffer, "=");
276
+ strlcat(szBuffer, "=",bufferSize);
277
}
278
else if (strcasecmp(psFilterNode->pszValue,
279
"PropertyIsNotEqualTo") == 0)
280
- strcat(szBuffer, "!=");
281
+ strlcat(szBuffer, "!=", bufferSize);
282
else if (strcasecmp(psFilterNode->pszValue,
283
"PropertyIsLessThan") == 0)
284
- strcat(szBuffer, "<");
285
+ strlcat(szBuffer, "<", bufferSize);
286
else if (strcasecmp(psFilterNode->pszValue,
287
"PropertyIsGreaterThan") == 0)
288
- strcat(szBuffer, ">");
289
+ strlcat(szBuffer, ">", bufferSize);
290
else if (strcasecmp(psFilterNode->pszValue,
291
"PropertyIsLessThanOrEqualTo") == 0)
292
- strcat(szBuffer, "<=");
293
+ strlcat(szBuffer, "<=", bufferSize);
294
else if (strcasecmp(psFilterNode->pszValue,
295
"PropertyIsGreaterThanOrEqualTo") == 0)
296
- strcat(szBuffer, ">=");
297
+ strlcat(szBuffer, ">=", bufferSize);
298
299
- strcat(szBuffer, " ");
300
+ strlcat(szBuffer, " ", bufferSize);
301
302
/* value */
303
if (bString)
304
- strcat(szBuffer, "\"");
305
+ strlcat(szBuffer, "\"", bufferSize);
306
307
if (psFilterNode->psRightNode->pszValue)
308
- strcat(szBuffer, psFilterNode->psRightNode->pszValue);
309
+ strlcat(szBuffer, psFilterNode->psRightNode->pszValue,bufferSize);
310
311
if (bString)
312
- strcat(szBuffer, "\"");
313
+ strlcat(szBuffer, "\"",bufferSize);
314
315
- strcat(szBuffer, ") ");
316
+ strlcat(szBuffer, ") ",bufferSize);
317
318
return strdup(szBuffer);
319
}
320
@@ -3278,9 +3283,11 @@
321
char *FLTGetBinaryComparisonSQLExpresssion(FilterEncodingNode *psFilterNode,
322
layerObj *lp)
323
{
324
+ const size_t bufferSize = 1024;
325
char szBuffer[1024];
326
int bString=0;
327
char szTmp[256];
328
+ char* pszEscapedStr = NULL;
329
330
szBuffer[0] = '\0';
331
if (!psFilterNode || !
332
@@ -3309,7 +3316,9 @@
333
334
335
/*opening bracket*/
336
- strcat(szBuffer, " (");
337
+ strlcat(szBuffer, " (", bufferSize);
338
+
339
+ pszEscapedStr = msLayerEscapePropertyName(lp, psFilterNode->psLeftNode->pszValue);
340
341
/* attribute */
342
/*case insensitive set ? */
343
@@ -3319,35 +3328,37 @@
344
psFilterNode->psRightNode->pOther &&
345
(*(int *)psFilterNode->psRightNode->pOther) == 1)
346
{
347
- sprintf(szTmp, "lower(%s) ", psFilterNode->psLeftNode->pszValue);
348
- strcat(szBuffer, szTmp);
349
+ snprintf(szTmp, sizeof(szTmp), "lower(%s) ", pszEscapedStr);
350
+ strlcat(szBuffer, szTmp, bufferSize);
351
}
352
else
353
- strcat(szBuffer, psFilterNode->psLeftNode->pszValue);
354
+ strlcat(szBuffer, pszEscapedStr, bufferSize);
355
356
+ msFree(pszEscapedStr);
357
+ pszEscapedStr = NULL;
358
359
360
/* logical operator */
361
- if (strcasecmp(psFilterNode->pszValue,
362
+ if (strcasecmp(psFilterNode->pszValue,
363
"PropertyIsEqualTo") == 0)
364
- strcat(szBuffer, "=");
365
+ strlcat(szBuffer, "=", bufferSize);
366
else if (strcasecmp(psFilterNode->pszValue,
367
"PropertyIsNotEqualTo") == 0)
368
- strcat(szBuffer, "<>");
369
+ strlcat(szBuffer, "<>", bufferSize);
370
else if (strcasecmp(psFilterNode->pszValue,
371
"PropertyIsLessThan") == 0)
372
- strcat(szBuffer, "<");
373
+ strlcat(szBuffer, "<", bufferSize);
374
else if (strcasecmp(psFilterNode->pszValue,
375
"PropertyIsGreaterThan") == 0)
376
- strcat(szBuffer, ">");
377
+ strlcat(szBuffer, ">", bufferSize);
378
else if (strcasecmp(psFilterNode->pszValue,
379
"PropertyIsLessThanOrEqualTo") == 0)
380
- strcat(szBuffer, "<=");
381
+ strlcat(szBuffer, "<=", bufferSize);
382
else if (strcasecmp(psFilterNode->pszValue,
383
"PropertyIsGreaterThanOrEqualTo") == 0)
384
- strcat(szBuffer, ">=");
385
+ strlcat(szBuffer, ">=", bufferSize);
386
387
- strcat(szBuffer, " ");
388
+ strlcat(szBuffer, " ", bufferSize);
389
390
/* value */
391
392
@@ -3358,23 +3369,33 @@
393
psFilterNode->psRightNode->pOther &&
394
(*(int *)psFilterNode->psRightNode->pOther) == 1)
395
{
396
- sprintf(szTmp, "lower('%s') ", psFilterNode->psRightNode->pszValue);
397
- strcat(szBuffer, szTmp);
398
+ snprintf(szTmp, sizeof(szTmp), "lower('%s') ", psFilterNode->psRightNode->pszValue);
399
+ strlcat(szBuffer, szTmp, bufferSize);
400
}
401
else
402
{
403
if (bString)
404
- strcat(szBuffer, "'");
405
+ strlcat(szBuffer, "'", bufferSize);
406
407
if (psFilterNode->psRightNode->pszValue)
408
- strcat(szBuffer, psFilterNode->psRightNode->pszValue);
409
+ {
410
+ if (bString)
411
+ {
412
+ char* pszEscapedStr;
413
+ pszEscapedStr = msLayerEscapeSQLParam(lp, psFilterNode->psRightNode->pszValue);
414
+ strlcat(szBuffer, pszEscapedStr, bufferSize);
415
+ msFree(pszEscapedStr);
416
+ pszEscapedStr=NULL;
417
+ }
418
+ else
419
+ strlcat(szBuffer, psFilterNode->psRightNode->pszValue, bufferSize);
420
+ }
421
422
if (bString)
423
- strcat(szBuffer, "'");
424
-
425
+ strlcat(szBuffer, "'", bufferSize);
426
}
427
/*closing bracket*/
428
- strcat(szBuffer, ") ");
429
+ strlcat(szBuffer, ") ", bufferSize);
430
431
return strdup(szBuffer);
432
}
433
@@ -3388,12 +3409,13 @@
434
char *FLTGetIsBetweenComparisonSQLExpresssion(FilterEncodingNode *psFilterNode,
435
layerObj *lp)
436
{
437
+ const size_t bufferSize = 1024;
438
char szBuffer[1024];
439
char **aszBounds = NULL;
440
int nBounds = 0;
441
int bString=0;
442
char szTmp[256];
443
-
444
+ char* pszEscapedStr;
445
446
szBuffer[0] = '\0';
447
if (!psFilterNode ||
448
@@ -3437,32 +3459,46 @@
449
/* build expresssion. */
450
/* -------------------------------------------------------------------- */
451
/*opening paranthesis */
452
- strcat(szBuffer, " (");
453
+ strlcat(szBuffer, " (",bufferSize);
454
455
/* attribute */
456
- strcat(szBuffer, psFilterNode->psLeftNode->pszValue);
457
+ pszEscapedStr = msLayerEscapePropertyName(lp, psFilterNode->psLeftNode->pszValue);
458
+
459
+ strlcat(szBuffer, pszEscapedStr, bufferSize);
460
+ msFree(pszEscapedStr);
461
+ pszEscapedStr = NULL;
462
463
/*between*/
464
- strcat(szBuffer, " BETWEEN ");
465
+ strlcat(szBuffer, " BETWEEN ",bufferSize);
466
467
/*bound 1*/
468
if (bString)
469
- strcat(szBuffer,"'");
470
- strcat(szBuffer, aszBounds[0]);
471
+ strlcat(szBuffer,"'",bufferSize);
472
+
473
+ pszEscapedStr = msLayerEscapeSQLParam( lp, aszBounds[0]);
474
+ strlcat(szBuffer, pszEscapedStr, bufferSize);
475
+ msFree(pszEscapedStr);
476
+ pszEscapedStr=NULL;
477
+
478
if (bString)
479
- strcat(szBuffer,"'");
480
+ strlcat(szBuffer,"'",bufferSize);
481
482
- strcat(szBuffer, " AND ");
483
+ strlcat(szBuffer, " AND ",bufferSize);
484
485
/*bound 2*/
486
if (bString)
487
- strcat(szBuffer, "'");
488
- strcat(szBuffer, aszBounds[1]);
489
+ strlcat(szBuffer, "'",bufferSize);
490
+
491
+ pszEscapedStr = msLayerEscapeSQLParam( lp, aszBounds[1]);
492
+ strlcat(szBuffer, pszEscapedStr, bufferSize);
493
+ msFree(pszEscapedStr);
494
+ pszEscapedStr=NULL;
495
+
496
if (bString)
497
- strcat(szBuffer,"'");
498
+ strlcat(szBuffer,"'",bufferSize);
499
500
/*closing paranthesis*/
501
- strcat(szBuffer, ")");
502
+ strlcat(szBuffer, ")",bufferSize);
503
504
505
return strdup(szBuffer);
506
@@ -3476,6 +3512,7 @@
507
char *FLTGetIsBetweenComparisonExpresssion(FilterEncodingNode *psFilterNode,
508
layerObj *lp)
509
{
510
+ const size_t bufferSize = 1024;
511
char szBuffer[1024];
512
char **aszBounds = NULL;
513
int nBounds = 0;
514
@@ -3496,7 +3533,10 @@
515
/* -------------------------------------------------------------------- */
516
aszBounds = msStringSplit(psFilterNode->psRightNode->pszValue, ';', &nBounds);
517
if (nBounds != 2)
518
+ {
519
+ msFreeCharArray(aszBounds, nBounds);
520
return NULL;
521
+ }
522
/* -------------------------------------------------------------------- */
523
/* check if the value is a numeric value or alphanumeric. If it */
524
/* is alphanumeric, add quotes around attribute and values. */
525
@@ -3525,50 +3565,51 @@
526
/* build expresssion. */
527
/* -------------------------------------------------------------------- */
528
if (bString)
529
- strcat(szBuffer, " (\"[");
530
+ strlcat(szBuffer, " (\"[", bufferSize);
531
else
532
- strcat(szBuffer, " ([");
533
+ strlcat(szBuffer, " ([", bufferSize);
534
535
/* attribute */
536
- strcat(szBuffer, psFilterNode->psLeftNode->pszValue);
537
+ strlcat(szBuffer, psFilterNode->psLeftNode->pszValue, bufferSize);
538
539
if (bString)
540
- strcat(szBuffer, "]\" ");
541
+ strlcat(szBuffer, "]\" ", bufferSize);
542
else
543
- strcat(szBuffer, "] ");
544
+ strlcat(szBuffer, "] ", bufferSize);
545
546
547
- strcat(szBuffer, " >= ");
548
+ strlcat(szBuffer, " >= ", bufferSize);
549
if (bString)
550
- strcat(szBuffer,"\"");
551
- strcat(szBuffer, aszBounds[0]);
552
+ strlcat(szBuffer,"\"", bufferSize);
553
+ strlcat(szBuffer, aszBounds[0], bufferSize);
554
if (bString)
555
- strcat(szBuffer,"\"");
556
+ strlcat(szBuffer,"\"", bufferSize);
557
558
- strcat(szBuffer, " AND ");
559
+ strlcat(szBuffer, " AND ", bufferSize);
560
561
if (bString)
562
- strcat(szBuffer, " \"[");
563
+ strlcat(szBuffer, " \"[", bufferSize);
564
else
565
- strcat(szBuffer, " [");
566
+ strlcat(szBuffer, " [", bufferSize);
567
568
/* attribute */
569
- strcat(szBuffer, psFilterNode->psLeftNode->pszValue);
570
+ strlcat(szBuffer, psFilterNode->psLeftNode->pszValue, bufferSize);
571
572
if (bString)
573
- strcat(szBuffer, "]\" ");
574
+ strlcat(szBuffer, "]\" ", bufferSize);
575
else
576
- strcat(szBuffer, "] ");
577
+ strlcat(szBuffer, "] ", bufferSize);
578
579
- strcat(szBuffer, " <= ");
580
+ strlcat(szBuffer, " <= ", bufferSize);
581
if (bString)
582
- strcat(szBuffer,"\"");
583
- strcat(szBuffer, aszBounds[1]);
584
+ strlcat(szBuffer,"\"", bufferSize);
585
+ strlcat(szBuffer, aszBounds[1], bufferSize);
586
if (bString)
587
- strcat(szBuffer,"\"");
588
- strcat(szBuffer, ")");
589
-
590
-
591
+ strlcat(szBuffer,"\"", bufferSize);
592
+ strlcat(szBuffer, ")", bufferSize);
593
+
594
+ msFreeCharArray(aszBounds, nBounds);
595
+
596
return strdup(szBuffer);
597
}
598
599
@@ -3579,6 +3620,7 @@
600
/************************************************************************/
601
char *FLTGetIsLikeComparisonExpression(FilterEncodingNode *psFilterNode)
602
{
603
+ const size_t bufferSize = 1024;
604
char szBuffer[1024];
605
char *pszValue = NULL;
606
607
@@ -3626,43 +3668,49 @@
608
}
609
for (i=0; i<nLength; i++)
610
{
611
- if (pszValue[i] != pszWild[0] &&
612
- pszValue[i] != pszSingle[0] &&
613
- pszValue[i] != pszEscape[0])
614
- {
615
- szBuffer[iBuffer] = pszValue[i];
616
- iBuffer++;
617
- szBuffer[iBuffer] = '\0';
618
- }
619
- else if (pszValue[i] == pszSingle[0])
620
- {
621
- szBuffer[iBuffer] = '.';
622
- iBuffer++;
623
- szBuffer[iBuffer] = '\0';
624
- }
625
- else if (pszValue[i] == pszEscape[0])
626
+ if (iBuffer < 1024)
627
{
628
- szBuffer[iBuffer] = '\\';
629
- iBuffer++;
630
- szBuffer[iBuffer] = '\0';
631
+ if (pszValue[i] != pszWild[0] &&
632
+ pszValue[i] != pszSingle[0] &&
633
+ pszValue[i] != pszEscape[0])
634
+ {
635
+ szBuffer[iBuffer] = pszValue[i];
636
+ iBuffer++;
637
+ szBuffer[iBuffer] = '\0';
638
+ }
639
+ else if (pszValue[i] == pszSingle[0])
640
+ {
641
+ szBuffer[iBuffer] = '.';
642
+ iBuffer++;
643
+ szBuffer[iBuffer] = '\0';
644
+ }
645
+ else if (pszValue[i] == pszEscape[0])
646
+ {
647
+ szBuffer[iBuffer] = '\\';
648
+ iBuffer++;
649
+ szBuffer[iBuffer] = '\0';
650
651
- }
652
- else if (pszValue[i] == pszWild[0])
653
- {
654
- /* strcat(szBuffer, "[0-9,a-z,A-Z,\\s]*"); */
655
- /* iBuffer+=17; */
656
- strcat(szBuffer, ".*");
657
- iBuffer+=2;
658
- szBuffer[iBuffer] = '\0';
659
+ }
660
+ else if (pszValue[i] == pszWild[0])
661
+ {
662
+ /* strcat(szBuffer, "[0-9,a-z,A-Z,\\s]*"); */
663
+ /* iBuffer+=17; */
664
+ strlcat(szBuffer, ".*",bufferSize);
665
+ iBuffer+=2;
666
+ szBuffer[iBuffer] = '\0';
667
+ }
668
}
669
}
670
- szBuffer[iBuffer] = '/';
671
- if (bCaseInsensitive == 1)
672
+
673
+ if (iBuffer < 1024)
674
{
675
- szBuffer[++iBuffer] = 'i';
676
- }
677
- szBuffer[++iBuffer] = '\0';
678
-
679
+ szBuffer[iBuffer] = '/';
680
+ if (bCaseInsensitive == 1)
681
+ {
682
+ szBuffer[++iBuffer] = 'i';
683
+ }
684
+ szBuffer[++iBuffer] = '\0';
685
+ }
686
687
return strdup(szBuffer);
688
}
689
@@ -3673,8 +3721,9 @@
690
/* Build an sql expression for IsLike filter. */
691
/************************************************************************/
692
char *FLTGetIsLikeComparisonSQLExpression(FilterEncodingNode *psFilterNode,
693
- int connectiontype)
694
+ layerObj *lp)
695
{
696
+ const size_t bufferSize = 1024;
697
char szBuffer[1024];
698
char *pszValue = NULL;
699
700
@@ -3683,9 +3732,11 @@
701
char *pszEscape = NULL;
702
char szTmp[4];
703
704
- int nLength=0, i=0, iBuffer = 0;
705
+ int nLength=0, i=0, j=0;
706
int bCaseInsensitive = 0;
707
708
+ char *pszEscapedStr = NULL;
709
+
710
if (!psFilterNode || !psFilterNode->pOther || !psFilterNode->psLeftNode ||
711
!psFilterNode->psRightNode || !psFilterNode->psRightNode->pszValue)
712
return NULL;
713
@@ -3704,60 +3755,80 @@
714
715
szBuffer[0] = '\0';
716
/*opening bracket*/
717
- strcat(szBuffer, " (");
718
+ strlcat(szBuffer, " (", bufferSize);
719
720
/* attribute name */
721
- strcat(szBuffer, psFilterNode->psLeftNode->pszValue);
722
- if (bCaseInsensitive == 1 && connectiontype == MS_POSTGIS)
723
- strcat(szBuffer, " ilike '");
724
+ pszEscapedStr = msLayerEscapePropertyName(lp, psFilterNode->psLeftNode->pszValue);
725
+
726
+ strlcat(szBuffer, pszEscapedStr, bufferSize);
727
+ msFree(pszEscapedStr);
728
+ pszEscapedStr = NULL;
729
+
730
+
731
+ if (bCaseInsensitive == 1 && lp->connectiontype == MS_POSTGIS)
732
+ strlcat(szBuffer, " ilike '",bufferSize);
733
else
734
- strcat(szBuffer, " like '");
735
+ strlcat(szBuffer, " like '",bufferSize);
736
737
738
pszValue = psFilterNode->psRightNode->pszValue;
739
nLength = strlen(pszValue);
740
- iBuffer = strlen(szBuffer);
741
+
742
+ pszEscapedStr = (char*) malloc( 3 * nLength + 1);
743
+
744
for (i=0; i<nLength; i++)
745
{
746
- if (pszValue[i] != pszWild[0] &&
747
- pszValue[i] != pszSingle[0] &&
748
- pszValue[i] != pszEscape[0])
749
+ char c = pszValue[i];
750
+ if (c != pszWild[0] &&
751
+ c != pszSingle[0] &&
752
+ c != pszEscape[0])
753
{
754
- szBuffer[iBuffer] = pszValue[i];
755
- iBuffer++;
756
- szBuffer[iBuffer] = '\0';
757
+ if (c == '\'')
758
+ {
759
+ pszEscapedStr[j++] = '\'';
760
+ pszEscapedStr[j++] = '\'';
761
+ }
762
+ else if (c == '\\')
763
+ {
764
+ pszEscapedStr[j++] = '\\';
765
+ pszEscapedStr[j++] = '\\';
766
+ }
767
+ else
768
+ pszEscapedStr[j++] = c;
769
}
770
- else if (pszValue[i] == pszSingle[0])
771
+ else if (c == pszSingle[0])
772
{
773
- szBuffer[iBuffer] = '_';
774
- iBuffer++;
775
- szBuffer[iBuffer] = '\0';
776
+ pszEscapedStr[j++] = '_';
777
}
778
- else if (pszValue[i] == pszEscape[0])
779
+ else if (c == pszEscape[0])
780
{
781
- szBuffer[iBuffer] = pszEscape[0];
782
- iBuffer++;
783
- szBuffer[iBuffer] = '\0';
784
- /*if (i<nLength-1)
785
+ pszEscapedStr[j++] = pszEscape[0];
786
+ if (i+1<nLength)
787
{
788
- szBuffer[iBuffer] = pszValue[i+1];
789
- iBuffer++;
790
- szBuffer[iBuffer] = '\0';
791
+ char nextC = pszValue[i+1];
792
+ i++;
793
+ if (nextC == '\'')
794
+ {
795
+ pszEscapedStr[j++] = '\'';
796
+ pszEscapedStr[j++] = '\'';
797
+ }
798
+ else
799
+ pszEscapedStr[j++] = nextC;
800
}
801
- */
802
}
803
- else if (pszValue[i] == pszWild[0])
804
+ else if (c == pszWild[0])
805
{
806
- strcat(szBuffer, "%");
807
- iBuffer++;
808
- szBuffer[iBuffer] = '\0';
809
+ pszEscapedStr[j++] = '%';
810
}
811
}
812
+ pszEscapedStr[j++] = 0;
813
+ strlcat(szBuffer, pszEscapedStr, bufferSize);
814
+ msFree(pszEscapedStr);
815
816
- strcat(szBuffer, "'");
817
- if (connectiontype != MS_OGR)
818
+ strlcat(szBuffer, "'",bufferSize);
819
+ if (lp->connectiontype != MS_OGR)
820
{
821
- strcat(szBuffer, " escape '");
822
+ strlcat(szBuffer, " escape '",bufferSize);
823
szTmp[0] = pszEscape[0];
824
if (pszEscape[0] == '\\')
825
{
826
@@ -3771,9 +3842,9 @@
827
szTmp[2] = '\0';
828
}
829
830
- strcat(szBuffer, szTmp);
831
+ strlcat(szBuffer, szTmp,bufferSize);
832
}
833
- strcat(szBuffer, ") ");
834
+ strlcat(szBuffer, ") ",bufferSize);
835
836
return strdup(szBuffer);
837
}
838
@@ -4084,7 +4155,7 @@
839
{
840
if (!lp->items[i] || strlen(lp->items[i]) <= 0)
841
continue;
842
- sprintf(szTmp, "%s_alias", lp->items[i]);
843
+ snprintf(szTmp, sizeof(szTmp), "%s_alias", lp->items[i]);
844
pszFullName = msOWSLookupMetadata(&(lp->metadata), namespaces, szTmp);
845
if (pszFullName)
846
{
847
Index: mapserver-5.6.6/mapogcfilter.h
848
===================================================================
849
--- mapserver-5.6.6.orig/mapogcfilter.h 2011-09-09 09:43:52.000000000 -0500
850
+++ mapserver-5.6.6/mapogcfilter.h 2011-09-09 09:44:02.000000000 -0500
851
@@ -113,8 +113,8 @@
852
MS_DLL_EXPORT char *FLTGetSQLExpression(FilterEncodingNode *psFilterNode,layerObj *lp);
853
MS_DLL_EXPORT char *FLTGetBinaryComparisonSQLExpresssion(FilterEncodingNode *psFilterNode, layerObj *lp);
854
MS_DLL_EXPORT char *FLTGetIsBetweenComparisonSQLExpresssion(FilterEncodingNode *psFilterNode, layerObj *lp);
855
-MS_DLL_EXPORT char *FLTGetIsLikeComparisonSQLExpression(FilterEncodingNode *psFilterNode,
856
- int connectiontype);
857
+MS_DLL_EXPORT char *FLTGetIsLikeComparisonSQLExpression(FilterEncodingNode *psFilterNode, layerObj *lp);
858
+
859
MS_DLL_EXPORT char *FLTGetLogicalComparisonSQLExpresssion(FilterEncodingNode *psFilterNode,
860
layerObj *lp);
861
MS_DLL_EXPORT int FLTIsSimpleFilter(FilterEncodingNode *psFilterNode);
862
Index: mapserver-5.6.6/mapogcsos.c
863
===================================================================
864
--- mapserver-5.6.6.orig/mapogcsos.c 2011-09-09 09:43:52.000000000 -0500
865
+++ mapserver-5.6.6/mapogcsos.c 2011-09-09 09:44:02.000000000 -0500
866
@@ -1820,6 +1820,7 @@
867
char *pszProcedureValue = NULL;
868
int iItemPosition, status;
869
shapeObj sShape;
870
+ char* pszEscapedStr = NULL;
871
872
sBbox = map->extent;
873
874
@@ -2051,15 +2052,25 @@
875
pszBuffer = msStringConcatenate(pszBuffer, "(");
876
877
if (!bSpatialDB)
878
- pszBuffer = msStringConcatenate(pszBuffer, "'[");
879
-
880
- pszBuffer = msStringConcatenate(pszBuffer, (char *)pszProcedureItem);
881
+ {
882
+ pszBuffer = msStringConcatenate(pszBuffer, "'[");
883
+ pszBuffer = msStringConcatenate(pszBuffer, (char *)pszProcedureItem);
884
+ }
885
+ else
886
+ {
887
+ pszEscapedStr = msLayerEscapePropertyName(lp, (char *)pszProcedureItem);
888
+ pszBuffer = msStringConcatenate(pszBuffer, pszEscapedStr);
889
+ msFree(pszEscapedStr);
890
+ pszEscapedStr = NULL;
891
+ }
892
893
if (!bSpatialDB)
894
pszBuffer = msStringConcatenate(pszBuffer, "]'");
895
896
pszBuffer = msStringConcatenate(pszBuffer, " = '");
897
- pszBuffer = msStringConcatenate(pszBuffer, tokens[j]);
898
+ pszEscapedStr = msLayerEscapeSQLParam(lp, tokens[j]);
899
+ pszBuffer = msStringConcatenate(pszBuffer, pszEscapedStr);
900
+ msFree(pszEscapedStr);
901
pszBuffer = msStringConcatenate(pszBuffer, "')");
902
}
903
904
Index: mapserver-5.6.6/mapogr.cpp
905
===================================================================
906
--- mapserver-5.6.6.orig/mapogr.cpp 2011-09-09 09:43:52.000000000 -0500
907
+++ mapserver-5.6.6/mapogr.cpp 2011-09-09 09:44:02.000000000 -0500
908
@@ -3465,6 +3465,66 @@
909
}
910
911
/************************************************************************/
912
+/* msOGREscapeSQLParam */
913
+/************************************************************************/
914
+char *msOGREscapeSQLParam(layerObj *layer, const char *pszString)
915
+{
916
+ char* pszEscapedStr =NULL;
917
+#ifdef USE_OGR
918
+ if(layer && pszString && strlen(pszString) > 0)
919
+ {
920
+ char* pszEscapedOGRStr = CPLEscapeString(pszString, strlen(pszString),
921
+ CPLES_SQL );
922
+ pszEscapedStr = strdup(pszEscapedOGRStr);
923
+ CPLFree(pszEscapedOGRStr);
924
+ }
925
+ return pszEscapedStr;
926
+#else
927
+/* ------------------------------------------------------------------
928
+ * OGR Support not included...
929
+ * ------------------------------------------------------------------ */
930
+
931
+ msSetError(MS_MISCERR, "OGR support is not available.",
932
+ "msOGREscapeSQLParam()");
933
+ return NULL;
934
+
935
+#endif /* USE_OGR */
936
+}
937
+
938
+
939
+/************************************************************************/
940
+/* msOGREscapeSQLParam */
941
+/************************************************************************/
942
+char *msOGREscapePropertyName(layerObj *layer, const char *pszString)
943
+{
944
+ char* pszEscapedStr =NULL;
945
+ int i =0;
946
+#ifdef USE_OGR
947
+ if(layer && pszString && strlen(pszString) > 0)
948
+ {
949
+ unsigned char ch;
950
+ for(i=0; (ch = ((unsigned char*)pszString)[i]) != '\0'; i++)
951
+ {
952
+ if ( !(isalnum(ch) || ch == '_' || ch > 127) )
953
+ {
954
+ return strdup("invalid_property_name");
955
+ }
956
+ }
957
+ pszEscapedStr = strdup(pszString);
958
+ }
959
+ return pszEscapedStr;
960
+#else
961
+/* ------------------------------------------------------------------
962
+ * OGR Support not included...
963
+ * ------------------------------------------------------------------ */
964
+
965
+ msSetError(MS_MISCERR, "OGR support is not available.",
966
+ "msOGREscapePropertyName()");
967
+ return NULL;
968
+
969
+#endif /* USE_OGR */
970
+}
971
+/************************************************************************/
972
/* msOGRLayerInitializeVirtualTable() */
973
/************************************************************************/
974
int
975
@@ -3491,6 +3551,9 @@
976
/* layer->vtable->LayerCreateItems, use default */
977
/* layer->vtable->LayerGetNumFeatures, use default */
978
979
+ layer->vtable->LayerEscapeSQLParam = msOGREscapeSQLParam;
980
+ layer->vtable->LayerEscapePropertyName = msOGREscapePropertyName;
981
+
982
return MS_SUCCESS;
983
}
984
985
Index: mapserver-5.6.6/mappostgis.c
986
===================================================================
987
--- mapserver-5.6.6.orig/mappostgis.c 2011-09-09 09:43:53.000000000 -0500
988
+++ mapserver-5.6.6/mappostgis.c 2011-09-09 09:44:02.000000000 -0500
989
@@ -549,7 +549,7 @@
990
return(MS_FAILURE);
991
}
992
993
- pgresult = PQexec(layerinfo->pgconn, sql);
994
+ pgresult = PQexecParams(layerinfo->pgconn, sql,0, NULL, NULL, NULL, NULL, 0);
995
if ( !pgresult || PQresultStatus(pgresult) != PGRES_TUPLES_OK) {
996
char *tmp1;
997
char *tmp2 = NULL;
998
@@ -1774,7 +1774,7 @@
999
msDebug("msPostGISLayerWhichShapes query: %s\n", strSQL);
1000
}
1001
1002
- pgresult = PQexec(layerinfo->pgconn, strSQL);
1003
+ pgresult = PQexecParams(layerinfo->pgconn, strSQL,0, NULL, NULL, NULL, NULL, 0);
1004
1005
if ( layer->debug > 1 ) {
1006
msDebug("msPostGISLayerWhichShapes query status: %s (%d)\n", PQresStatus(PQresultStatus(pgresult)), PQresultStatus(pgresult));
1007
@@ -1979,7 +1979,7 @@
1008
msDebug("msPostGISLayerGetShape query: %s\n", strSQL);
1009
}
1010
1011
- pgresult = PQexec(layerinfo->pgconn, strSQL);
1012
+ pgresult = PQexecParams(layerinfo->pgconn, strSQL,0, NULL, NULL, NULL, NULL, 0);
1013
1014
/* Something went wrong. */
1015
if ( (!pgresult) || (PQresultStatus(pgresult) != PGRES_TUPLES_OK) ) {
1016
@@ -2073,7 +2073,7 @@
1017
msDebug("msPostGISLayerGetItems executing SQL: %s\n", sql);
1018
}
1019
1020
- pgresult = PQexec(layerinfo->pgconn, sql);
1021
+ pgresult = PQexecParams(layerinfo->pgconn, sql,0, NULL, NULL, NULL, NULL, 0);
1022
1023
if ( (!pgresult) || (PQresultStatus(pgresult) != PGRES_TUPLES_OK) ) {
1024
msSetError(MS_QUERYERR, "Error (%s) executing SQL: %s", "msPostGISLayerGetItems()", PQerrorMessage(layerinfo->pgconn), sql);
1025
@@ -2538,6 +2538,42 @@
1026
return MS_FALSE;
1027
}
1028
1029
+
1030
+char *msPostGISEscapeSQLParam(layerObj *layer, const char *pszString)
1031
+{
1032
+#ifdef USE_POSTGIS
1033
+ msPostGISLayerInfo *layerinfo = NULL;
1034
+ int nError;
1035
+ size_t nSrcLen;
1036
+ char* pszEscapedStr =NULL;
1037
+
1038
+ if (layer && pszString && strlen(pszString) > 0)
1039
+ {
1040
+ if(!msPostGISLayerIsOpen(layer))
1041
+ msPostGISLayerOpen(layer);
1042
+
1043
+ assert(layer->layerinfo != NULL);
1044
+
1045
+ layerinfo = (msPostGISLayerInfo *) layer->layerinfo;
1046
+ nSrcLen = strlen(pszString);
1047
+ pszEscapedStr = (char*) malloc( 2 * nSrcLen + 1);
1048
+ PQescapeStringConn (layerinfo->pgconn, pszEscapedStr, pszString, nSrcLen, &nError);
1049
+ if (nError != 0)
1050
+ {
1051
+ free(pszEscapedStr);
1052
+ pszEscapedStr = NULL;
1053
+ }
1054
+ }
1055
+ return pszEscapedStr;
1056
+#else
1057
+ msSetError( MS_MISCERR,
1058
+ "PostGIS support is not available.",
1059
+ "msPostGISEscapeSQLParam()");
1060
+ return NULL;
1061
+#endif
1062
+}
1063
+
1064
+
1065
int msPostGISLayerInitializeVirtualTable(layerObj *layer) {
1066
assert(layer != NULL);
1067
assert(layer->vtable != NULL);
1068
@@ -2560,5 +2596,8 @@
1069
/* layer->vtable->LayerCreateItems, use default */
1070
/* layer->vtable->LayerGetNumFeatures, use default */
1071
1072
+#ifdef USE_POSTGIS
1073
+ layer->vtable->LayerEscapeSQLParam = msPostGISEscapeSQLParam;
1074
+#endif
1075
return MS_SUCCESS;
1076
}
1077
Index: mapserver-5.6.6/mapserver.h
1078
===================================================================
1079
--- mapserver-5.6.6.orig/mapserver.h 2011-09-09 09:43:53.000000000 -0500
1080
+++ mapserver-5.6.6/mapserver.h 2011-09-09 09:44:02.000000000 -0500
1081
@@ -1556,6 +1556,8 @@
1082
1083
int (*LayerCreateItems)(layerObj *layer, int nt);
1084
int (*LayerGetNumFeatures)(layerObj *layer);
1085
+ char* (*LayerEscapeSQLParam)(layerObj *layer, const char* pszString);
1086
+ char* (*LayerEscapePropertyName)(layerObj *layer, const char* pszString);
1087
};
1088
#endif /*SWIG*/
1089
1090
@@ -1955,6 +1957,9 @@
1091
/* maplayer.c */
1092
MS_DLL_EXPORT int msLayerGetNumFeatures(layerObj *layer);
1093
1094
+MS_DLL_EXPORT char *msLayerEscapeSQLParam(layerObj *layer, const char* pszString);
1095
+MS_DLL_EXPORT char *msLayerEscapePropertyName(layerObj *layer, const char* pszString);
1096
+
1097
/* These are special because SWF is using these */
1098
int msOGRLayerNextShape(layerObj *layer, shapeObj *shape);
1099
int msOGRLayerGetItems(layerObj *layer);
Loggerhead is a web-based interface for Breezy
Version: 2.0.1