Re: [QGIS-Developer] Image in a Attribute table.

2020-02-02 Thread Denis Rouzaud
Hi Kyle,

The best place to post this is on the issue tracker where you'll be able to
paste both the code snippet and the project data.
That keeps everything in a single place and avoids the need for devs to redo
the project.
https://github.com/qgis/QGIS/issues

Many thanks for the report,
Kind regards

Denis


On Mon, 3 Feb 2020 at 02:36, Kyle Felipe Vieira Roberto <
kylefel...@gmail.com> wrote:

> Hi guys!
>
> I want to show an image in a custom form; the image is inside a BLOB field.
> I wrote a Python function to do that, but when I open the attribute table,
> QGIS issues a message (incomplete)
>
> [image: image.png]
>
> So, i made this gitlab snippet with a project and the python code.
> https://gitlab.com/snippets/1935720
> Can someone help?
>
>
> *Kyle Felipe*
> Live long and prosper!
> May the force be with you...
> #ThinkFree
> www.kylefelipe.com
> www.flickr.com/kylefelipe
> https://gitlab.com/kylefelipe
> https://github.com/kylefelipe
___
QGIS-Developer mailing list
QGIS-Developer@lists.osgeo.org
List info: https://lists.osgeo.org/mailman/listinfo/qgis-developer
Unsubscribe: https://lists.osgeo.org/mailman/listinfo/qgis-developer

[QGIS-Developer] Image in a Attribute table.

2020-02-02 Thread Kyle Felipe Vieira Roberto
Hi guys!

I want to show an image in a custom form; the image is inside a BLOB field.
I wrote a Python function to do that, but when I open the attribute table,
QGIS issues a message (incomplete)

[image: image.png]

So, i made this gitlab snippet with a project and the python code.
https://gitlab.com/snippets/1935720
Can someone help?


*Kyle Felipe*
Live long and prosper!
May the force be with you...
#ThinkFree
www.kylefelipe.com
www.flickr.com/kylefelipe
https://gitlab.com/kylefelipe
https://github.com/kylefelipe

Re: [QGIS-Developer] Potential vulnerabilities

2020-02-02 Thread nadiaspit
Hi Jonathan,

This is a good idea, and also a good proposal for the students of the next
edition of the Master in Cybersecurity.
I will tell my professor.

Thank you
Nadia



--
Sent from: http://osgeo-org.1560.x6.nabble.com/QGIS-Developer-f4099106.html

Re: [QGIS-Developer] Please help with the changelog for 3.12

2020-02-02 Thread Nyall Dawson
On Sun, 2 Feb 2020 at 08:10, Tim Sutton  wrote:
>
> Hi All
>
> QGIS 3.12 will be released in 19 days and our changelog needs a lot of love 
> before that. If you are able to, please spend some time documenting new 
> features and key improvements in the changelog.
>
> https://changelog.qgis.org/en/qgis/version/3.12/
>

Thanks for the heads-up Tim!

I'm really busy over the next fortnight, so doubt I'll get time to do
the initial git->changelog population (which has been done since QGIS
2.10 or something). Before the entries get populated in depth, we need
a volunteer to trawl through the git changelog from the time of 3.12
branch up to feature freeze and copy all the commits which add
changelog worthy changes to the changelog. It can be just a direct
copy-and-paste, leaving the cleanup for others to do later.

This needs to be done first, so that we can condense similar entries
into one and define the general outline of the changelog **before** we
start adding screenshots and nice text.

Any volunteers?

Nyall

Re: [QGIS-Developer] Potential vulnerabilities

2020-02-02 Thread Jonathan Moules

Hi Nadia,
Just a random thought here, but I wonder if doing this exercise against 
QGIS Desktop would be more worthwhile from a security perspective? There 
are very few deployments of QGIS-Server but many many deployments of 
Desktop.


For example, is it possible to compromise QGIS Desktop via opening or
connecting to a compromised shapefile/GeoPackage/web service/CSV etc.? I have
no idea, but it'd definitely be a useful thing to investigate.

Cheers,
Jonathan

On 2020-02-02 17:36, nadiaspit wrote:

Hi Even,

thank you so much for answering my questions.

Of course my assessment goes far beyond automated scanning for vulnerabilities.
I just wrote about one potential issue. As I said at the beginning, this is
about my Project Work as a student of the Master of Cybersecurity in Pisa, Italy.
I really appreciate your work and I think qgis server is well designed and
can be successfully used to create a robust architecture from a
cybersecurity perspective.

Before writing to qgis-developer I first submitted the issue to the Lizmap
GitHub group; they suggested writing here, as they think it would be a QGIS
issue.
Also for me the issue is likely to be LizMap specific rather than
QGIS-server.
I'll make another attempt with the Lizmap community.

Thank you for your time.
Kind Regards,
Nadia





Re: [QGIS-Developer] Good news: next Ubuntu version shipping with gdal3/proj6

2020-02-02 Thread Tim Sutton
Hi

Ah cool - thanks for the heads up!

Regards

Tim

> On 2 Feb 2020, at 08:52, Mathieu Pellerin  wrote:
> 
> Here's a nice Sunday news: Ubuntu 20.04 (ETA end of April) will ship with 
> gdal 3 (at the moment 3.0.3, hopefully will be 3.0.4 by release day to fix a 
> nasty bug) and proj 6.3.
> 
> This can likely increase the number of QGIS core devs using this next-gen 
> pair of libraries, which would undeniably help make us rock solid 
> there.
> 
> I for one will not wait and update now ;)
> 
> Ubuntu 20.04 will also ship with the latest sqlite version which features 
> generated columns, nice little extra.

—
Tim Sutton

Co-founder: Kartoza
Ex Project chair: QGIS.org

Visit http://kartoza.com  to find out about open source:

Desktop GIS programming services
Geospatial web development
GIS Training
Consulting Services

Skype: timlinux 
IRC: timlinux on #qgis at freenode.net

I'd love to connect. Here's my calendar link  to 
make finding time easy.


Re: [QGIS-Developer] Potential vulnerabilities

2020-02-02 Thread nadiaspit
Hi Even,

thank you so much for answering my questions.

Of course my assessment goes far beyond automated scanning for vulnerabilities.
I just wrote about one potential issue. As I said at the beginning, this is
about my Project Work as a student of the Master of Cybersecurity in Pisa, Italy.
I really appreciate your work and I think qgis server is well designed and
can be successfully used to create a robust architecture from a
cybersecurity perspective.

Before writing to qgis-developer I first submitted the issue to the Lizmap
GitHub group; they suggested writing here, as they think it would be a QGIS
issue.
Also for me the issue is likely to be LizMap specific rather than
QGIS-server.
I'll make another attempt with the Lizmap community.

Thank you for your time.
Kind Regards,
Nadia




Re: [QGIS-Developer] Potential vulnerabilities

2020-02-02 Thread Paolo Cavallini
Hi Even,
thanks for the review. To be fair, original report from Nadia was indeed
against Lizmap.
Cheers.

On 02/02/20 18:12, Even Rouault wrote:
> Nadia,
> 
> Thanks for investigating QGIS server security. However, I would expect a
> vulnerability report to go a bit beyond just using a generic security
> scanner that can have false positives, especially here as all components
> involved are open source, so it is possible to look at the code, instrument it,
> etc.
> So a report should point to the exact line of code where the vulnerability
> is triggered and/or provide an exploit.
> 
> For the long GET request, this is very very unlikely to be a buffer overflow.
> 
> Considering that the following is a valid request:
> https://www.cybertest.it/gis/index.php/lizmap/service/?REQUEST=GetCapabilities&SERVICE=WMS&VERSION=1.3.0&project=demogis&repository=demogis
> 
> And the same but with just FOO instead of WMS for the value of SERVICE leads 
> to the 500 error:
> https://www.cybertest.it/gis/index.php/lizmap/service/?REQUEST=GetCapabilities&SERVICE=FOO&VERSION=1.3.0&project=demogis&repository=demogis
> 
> Looking at the error message, a bit of googling shows that it comes from
> LizMap source code, not QGIS server:
> https://github.com/3liz/lizmap-web-client/blob/master/lib/jelix/core/response/error.en_US.php
> 
> Furthermore Jelix is a PHP component, so not native code, hence buffer
> overflow vulnerabilities leading to arbitrary code execution aren't relevant
> here (unless you'd trigger a vulnerability of the PHP executable itself!)
> 
> I haven't looked at the other things reported, but they are likely to be
> LizMap specific rather than QGIS-server, unless otherwise proven.
> 
> Even
> 

-- 
Paolo Cavallini - www.faunalia.eu
QGIS.ORG Chair:
http://planet.qgis.org/planet/user/28/tag/qgis%20board/

Re: [QGIS-Developer] Potential vulnerabilities

2020-02-02 Thread Even Rouault
Nadia,

Thanks for investigating QGIS server security. However, I would expect a
vulnerability report to go a bit beyond just using a generic security
scanner that can have false positives, especially here as all components
involved are open source, so it is possible to look at the code, instrument it,
etc.
So a report should point to the exact line of code where the vulnerability
is triggered and/or provide an exploit.

For the long GET request, this is very very unlikely to be a buffer overflow.

Considering that the following is a valid request:
https://www.cybertest.it/gis/index.php/lizmap/service/?REQUEST=GetCapabilities&SERVICE=WMS&VERSION=1.3.0&project=demogis&repository=demogis

And the same but with just FOO instead of WMS for the value of SERVICE leads to 
the 500 error:
https://www.cybertest.it/gis/index.php/lizmap/service/?REQUEST=GetCapabilities&SERVICE=FOO&VERSION=1.3.0&project=demogis&repository=demogis

Looking at the error message, a bit of googling shows that it comes from LizMap
source code, not QGIS server:
https://github.com/3liz/lizmap-web-client/blob/master/lib/jelix/core/response/error.en_US.php

Furthermore Jelix is a PHP component, so not native code, hence buffer overflow
vulnerabilities leading to arbitrary code execution aren't relevant here
(unless you'd trigger a vulnerability of the PHP executable itself!)

I haven't looked at the other things reported, but they are likely to be
LizMap specific rather than QGIS-server, unless otherwise proven.

Even

-- 
Spatialys - Geospatial professional services
http://www.spatialys.com

Re: [QGIS-Developer] Potential vulnerabilities

2020-02-02 Thread Jonathan Moules

Hi Jorge,
I don't run QGIS server, I was basing that on the original report by 
Nadia to the list which shows a 500 response for that request to their box.
But yes, testing that URL against some (ostensibly) QGIS servers I can 
find online, it does seem to work as expected. Not sure why Nadia got a 
500 back...

Cheers,
Jonathan

On 2020-02-01 21:58, Jorge Gustavo Rocha wrote:

Hi Jonathan,

If the service is unknown, my QGIS Server reports:

http://www.opengis.net/ogc";>
  Service unknown or unsupported


Which QGIS Server are you using? Have you filed a bug?

Your help is appreciated :-)

Regards,

Jorge Gustavo

On 01/02/20 21:25, Jonathan Moules wrote:

I can't comment on the security aspect, but at the very least there's a
bug in the WMS compliance. For the GetCapabilities URL it should be
returning an XML Service Exception (because it has an invalid SERVICE
value), not a HTTP 500.

I.e., the same request to a (random) GeoServer box shows the sort of
thing that should be coming back:

http://si.icnf.pt/geoserver/POEM/ows?REQUEST=GetCapabilities&SERVICE=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&VERSION=1.3.0



On 2020-02-01 18:33, nadiaspit wrote:

Hi,
I am a student of the Cybersecurity Master at the University of Pisa. My final
project work is about a security test of an installation of QGIS Server +
Lizmap Web Client.
At a first analysis, I found out that lizmap web client is vulnerable to
"Buffer overflow attack"
https://www.owasp.org/index.php/Buffer_overflow_attack

The problem:
"Potential Buffer Overflow. The script closed the connection and threw
a 500
Internal Server Error"
The solution:
"Rewrite the background program using proper return length checking. This
will require a recompile of the background executable."

Here you can view the report:

I also posted this question to the Lizmap Web Client GitHub: Is the Buffer
Overflow vulnerability a false positive for Lizmap Web Client?

They suggested asking this group.
Any help would be very appreciated.

Kind Regards,
Nadia Spitilli





J. Gustavo


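The triage Even and Jonathan sketch in the two replies above (a valid GetCapabilities, the same request with SERVICE=FOO, and the scanner's over-long GET, then looking at what actually comes back) can be scripted. The helper below is an added example written for this page; it is not code from the thread, from QGIS Server, from LizMap or from any scanner. The OGC namespaces it checks are the real ones from the WMS and OWS Common specifications; the host `example.invalid`, the function names and the sample responses are constructed for the example, and nothing is fetched from the network. The point it encodes is the one made in the thread: a 5xx with an HTML body is an application error in the web tier (and a WMS compliance bug), a `ServiceExceptionReport` is the compliant answer to an invalid SERVICE, and only a connection that dies with no reply is worth chasing as a possible crash of the native process.

```python
"""Triage helper for a WMS GetCapabilities probe (added example, not thread code).

Builds the three requests a scanner typically sends (valid SERVICE, an invalid
value such as FOO, and an over-long value), then classifies a response as a
WMS capabilities document, an OGC ServiceExceptionReport, a plain HTTP error,
or no response at all. Sample responses at the bottom are constructed.
"""
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit
import xml.etree.ElementTree as ET

# Root elements defined by the OGC specifications (real namespaces).
WMS_CAPS = "{http://www.opengis.net/wms}WMS_Capabilities"              # WMS 1.3.0
OGC_SE_REPORT = "{http://www.opengis.net/ogc}ServiceExceptionReport"   # WMS 1.1/1.3 exceptions
OWS_EXC_REPORT = "{http://www.opengis.net/ows/1.1}ExceptionReport"    # OWS Common 1.1


def probe_variants(base_url, long_len=8192):
    """Return (label, url) pairs for the three probes. Query parameters already
    on base_url (e.g. LizMap's project= and repository=) are preserved."""
    scheme, netloc, path, query, _ = urlsplit(base_url)
    fixed = parse_qsl(query, keep_blank_values=True)
    services = [("valid", "WMS"), ("invalid", "FOO"), ("long", "A" * long_len)]
    urls = []
    for label, service in services:
        params = fixed + [("SERVICE", service),
                          ("REQUEST", "GetCapabilities"),
                          ("VERSION", "1.3.0")]
        urls.append((label, urlunsplit((scheme, netloc, path, urlencode(params), ""))))
    return urls


def classify_response(status, body):
    """Classify one HTTP response. status is the integer status code, or None
    when the connection closed without a reply; body is bytes or None."""
    if status is None:
        return "no_response"
    root = None
    if body:
        try:
            root = ET.fromstring(body)
        except ET.ParseError:
            root = None  # HTML error pages are usually not well-formed XML
    if root is not None:
        if root.tag == WMS_CAPS:
            return "capabilities"
        if root.tag in (OGC_SE_REPORT, OWS_EXC_REPORT):
            return "ogc_exception"
    if status >= 500:
        return "http_server_error"
    if status >= 400:
        return "http_client_error"
    return "unclassified"


def assess(results):
    """Turn {label: classification} into human-readable findings."""
    notes = []
    if results.get("valid") != "capabilities":
        notes.append("valid request did not return capabilities; fix the endpoint or URL before testing further")
    invalid = results.get("invalid")
    if invalid == "ogc_exception":
        notes.append("invalid SERVICE answered with a ServiceExceptionReport (spec-compliant)")
    elif invalid == "http_server_error":
        notes.append("invalid SERVICE answered with HTTP 5xx: WMS compliance bug in the web tier, not evidence of memory corruption")
    long_ = results.get("long")
    if long_ == "no_response":
        notes.append("over-long SERVICE got no reply: possible backend crash, reproduce against the native process directly and check its logs")
    elif long_ == "http_server_error":
        notes.append("over-long SERVICE answered with HTTP 5xx: same error path as the invalid value unless the backend log shows a crash")
    elif long_ in ("ogc_exception", "http_client_error"):
        notes.append("over-long SERVICE rejected cleanly")
    return notes


# Constructed sample responses so the example runs offline.
SAMPLE_CAPS = (b'<?xml version="1.0"?><WMS_Capabilities version="1.3.0" '
               b'xmlns="http://www.opengis.net/wms"><Service><Name>WMS</Name>'
               b'</Service></WMS_Capabilities>')
SAMPLE_EXCEPTION = (b'<?xml version="1.0"?><ServiceExceptionReport version="1.3.0" '
                    b'xmlns="http://www.opengis.net/ogc"><ServiceException>'
                    b'Service unknown or unsupported</ServiceException>'
                    b'</ServiceExceptionReport>')
SAMPLE_HTML_500 = b'<!DOCTYPE html><html><body><h1>500 Internal Server Error</h1><br></body></html>'

if __name__ == "__main__":
    for label, url in probe_variants("https://example.invalid/lizmap/service/?project=demogis&repository=demogis"):
        print(label, len(url), "bytes")
    # The pattern reported in the thread: valid works, FOO and the long value both give a 500.
    observed = {"valid": classify_response(200, SAMPLE_CAPS),
                "invalid": classify_response(500, SAMPLE_HTML_500),
                "long": classify_response(500, SAMPLE_HTML_500)}
    for note in assess(observed):
        print("-", note)
```

To use it against a live endpoint, fetch each URL from `probe_variants` with any HTTP client, pass the status code and raw body to `classify_response` (use `None` for the status if the connection is reset), and feed the three results to `assess`. The classifier deliberately looks at the root element rather than the status code first, because some deployments return a `ServiceExceptionReport` with a 200 and others with a 4xx; both are compliant, and neither is a memory-safety finding.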

[QGIS-Developer] Good news: next Ubuntu version shipping with gdal3/proj6

2020-02-02 Thread Mathieu Pellerin
Here's some nice Sunday news: Ubuntu 20.04 (ETA end of April) will ship with
gdal 3 (at the moment 3.0.3, hopefully will be 3.0.4 by release day to fix
a nasty bug) and proj 6.3.

This can likely increase the number of QGIS core devs using this next-gen
pair of libraries, which would undeniably help make us rock solid there.

I for one will not wait and update now ;)

Ubuntu 20.04 will also ship with the latest sqlite version which features
generated columns, nice little extra.