Dear Ian, dear Andrea,
Thank you both for merging this fix so promptly. Is there the
possibility of backporting to 29.x? I've tested this on our GeoServer
2.23.1 and I think it is pretty straightforward.
Cheers,
Mike
On 14/06/2023 10:38, Andrea Aime wrote:
The layer names are vetted against the list of available feature types in the store before being used, so SQL injection, at least in GeoServer, should not be possible (fingers crossed).
Mind, the PR should address the main branch first, which might contain slightly different SQL than the one you're seeing being used by GeoServer 2.23.1. Start your work there.
Cheers
Andrea
On Wed, Jun 14, 2023 at 11:29 AM Ian Turton <ijtur...@gmail.com> wrote:
We always welcome PRs for open issues. This sounds as if there is a general potential for SQL injection in the layer names that we should be protecting against.
Ian
On Wed, 14 Jun 2023 at 10:09, Mike Bryant via GeoTools-Devel <geotools-devel@lists.sourceforge.net> wrote:
Dear all,
https://osgeo-org.atlassian.net/browse/GEOT-6266
I've recently run into GEOT-6266 attempting to use the GeoPackage export plugin with GeoServer 2.23.1, since some of our layer names contain hyphens.
Looking at the relevant code in GeoPackage.java this could be resolved by quoting the table name in a few SQLite queries, and I'm happy to submit PRs for this if that would be welcome. However, perhaps there are other considerations here I'm not aware of? I guess there's the larger issue of compatibility and best-practices for layer naming but I'm not sure where that is supposed to be enforced.
Many thanks,
Mike
_______________________________________________
GeoTools-Devel mailing list
GeoTools-Devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geotools-devel
--
Ian Turton
--
Regards,
Andrea Aime

== GeoServer Professional Services from the experts! Visit http://bit.ly/gs-services-us for more information. ==

Ing. Andrea Aime
@geowolf
Technical Lead
GeoSolutions Group
phone: +39 0584 962313
fax: +39 0584 1660272
mob: +39 339 8844549
https://www.geosolutionsgroup.com/
http://twitter.com/geosolutions_it
--
Mike Bryant
Research Associate
Department of Digital Humanities
King's College London
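As an added illustration of the two points made in this thread (Mike's suggestion of quoting the table name in the SQLite queries, and Andrea's note that layer names are vetted against the store's list of feature types before they reach any SQL), here is a small Python/sqlite3 example. It is not code from GeoTools or GeoServer, whose implementation is Java and lives in GeoPackage.java; the table names, the KNOWN_FEATURE_TYPES set and the in-memory database are constructed for the demo. It reproduces the GEOT-6266 symptom with a bare hyphenated name, then shows the two defensive layers together: an allowlist check first, identifier quoting second.

```python
import sqlite3

# Constructed sample: the feature types a GeoPackage-style store advertises.
# In the real code this list would come from the store itself, not from the request.
KNOWN_FEATURE_TYPES = {"roads", "land-parcels", "rivers"}


def quote_identifier(name: str) -> str:
    """Quote an SQL identifier for SQLite.

    Identifiers cannot be bound as statement parameters, so the only safe
    way to embed one is to wrap it in double quotes and double any embedded
    double quote. Hyphens, spaces and keywords then lose their meaning.
    """
    return '"' + name.replace('"', '""') + '"'


def vet_table_name(name: str, known=KNOWN_FEATURE_TYPES) -> str:
    """Allowlist check: accept only a layer name the store itself lists.

    This is the check Andrea describes; it keeps any request-influenced
    string out of the SQL entirely, regardless of how it is quoted later.
    """
    if name not in known:
        raise ValueError(f"unknown feature type: {name!r}")
    return name


def count_rows(conn: sqlite3.Connection, table: str, known=KNOWN_FEATURE_TYPES) -> int:
    """Vet first, quote second, then run the statement."""
    sql = f"SELECT COUNT(*) FROM {quote_identifier(vet_table_name(table, known))}"
    return conn.execute(sql).fetchone()[0]


def unquoted_fails(conn: sqlite3.Connection, table: str = "land-parcels") -> bool:
    """Reproduce the GEOT-6266 symptom.

    Unquoted, `land-parcels` is tokenised as `land - parcels`, which is not
    a valid table reference, so SQLite raises a syntax error.
    """
    try:
        conn.execute(f"SELECT COUNT(*) FROM {table}")
        return False
    except sqlite3.OperationalError:
        return True


def build_demo_db() -> sqlite3.Connection:
    """Constructed in-memory store with one table per known feature type."""
    conn = sqlite3.connect(":memory:")
    for table in KNOWN_FEATURE_TYPES:
        conn.execute(
            f"CREATE TABLE {quote_identifier(table)} (fid INTEGER PRIMARY KEY, geom BLOB)"
        )
    conn.execute('INSERT INTO "land-parcels" (geom) VALUES (NULL), (NULL), (NULL)')
    return conn


if __name__ == "__main__":
    db = build_demo_db()
    print("bare hyphenated name rejected by SQLite:", unquoted_fails(db))
    print("quoted and vetted count:", count_rows(db, "land-parcels"))
```

Quoting alone fixes the hyphen problem; the allowlist is what makes the quoting a defence in depth rather than the only line. Keeping both means a name that is not a real feature type is refused before a statement is ever built.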