In a recent demo a developer in my company saw that we were using CQL filters in GeoServer, and saw how similar the syntax is to SQL, then started worrying about SQL / CQL injection. I assured him that as CQL filters are exposed by default I would be very surprised if this was even possible within CQL capabilities.
I found a thread here (http://www.mail-archive.com/[email protected]/msg14829.html) that raises the issue, but I don't fully understand the dialogue, and it seems to suggest that the application which translates CQL to SQL has a responsibility to sanitize user input. I couldn't find any GeoServer documentation on the subject, so is it possible for a malicious user to perform a CQL injection attack through GeoServer?

--
View this message in context: http://osgeo-org.1560.n6.nabble.com/CQL-injection-is-it-even-possible-tp4976463.html
Sent from the GeoServer - User mailing list archive at Nabble.com.

Geoserver-users mailing list: https://lists.sourceforge.net/lists/listinfo/geoserver-users
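An added illustration of the point the linked thread makes, that whichever layer assembles a CQL string out of user input must escape it. This is example code written for this page, not GeoServer or GeoTools code, and it says nothing about how GeoServer itself translates CQL to SQL. It assumes the ECQL rule that a single quote inside a string literal is written as two single quotes (''); the `CQL_FILTER` request parameter, the `topp:states` layer name and the sample inputs are constructed for the demonstration. The small tokenizer only exists to show which keywords end up outside string literals, which is where an injected `OR` would change the filter's meaning.

```python
"""Added example: escaping user input placed into a CQL/ECQL filter literal.

Not GeoServer/GeoTools code. Assumes ECQL's rule that a single quote inside a
string literal is written as two single quotes (''). The request URL, layer
name and sample inputs below are constructed for the demonstration.
"""
import re
from urllib.parse import urlencode

# Boolean/comparison keywords whose presence outside a literal changes the filter.
KEYWORDS = {"AND", "OR", "NOT", "LIKE", "IN", "BETWEEN", "IS", "NULL"}

# A string literal ('' escapes an embedded quote), an identifier, or any other char.
_TOKEN = re.compile(r"'(?:[^']|'')*'|[A-Za-z_][A-Za-z0-9_]*|[^\s]")


def cql_string_literal(value: str) -> str:
    """Render value as a single ECQL string literal, doubling embedded quotes."""
    return "'" + value.replace("'", "''") + "'"


def naive_filter(attr: str, value: str) -> str:
    """The risky pattern: user input concatenated straight into the filter text."""
    return f"{attr} = '{value}'"


def safe_filter(attr: str, value: str) -> str:
    """Same filter, attribute name restricted to an identifier, value escaped."""
    if not re.fullmatch(r"[A-Za-z_][A-Za-z0-9_]*", attr):
        raise ValueError("attribute name must be a plain identifier")
    return f"{attr} = {cql_string_literal(value)}"


def operators_outside_literals(cql: str) -> list[str]:
    """Keywords that sit outside string literals, i.e. that have syntactic effect."""
    return [t.upper() for t in _TOKEN.findall(cql) if t.upper() in KEYWORDS]


def wfs_query(cql: str) -> str:
    """URL-encoded query string for a GetFeature request carrying CQL_FILTER."""
    return urlencode({
        "service": "WFS",
        "version": "1.0.0",
        "request": "GetFeature",
        "typeName": "topp:states",  # assumed sample layer name
        "CQL_FILTER": cql,
    })


if __name__ == "__main__":
    # Constructed input: a value that tries to smuggle a second predicate.
    hostile = "x' OR 1=1 OR name='"
    for label, build in (("naive", naive_filter), ("safe", safe_filter)):
        cql = build("name", hostile)
        print(f"{label:5} {cql!r}")
        print(f"      keywords outside literals: {operators_outside_literals(cql)}")
        print(f"      {wfs_query(cql)}")
```

With the naive builder the hostile value yields `name = 'x' OR 1=1 OR name=''`, two `OR`s with syntactic effect, so the filter widens to every feature; with the escaped builder the whole value stays inside one literal and no keyword escapes it. The attribute-name check matters as well, because an attribute name is not a literal and cannot be quote-escaped, so it has to be validated against an allow-list or an identifier pattern instead.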
