Fix potential SQL Injection with postgis TIME filters (#4834)
rouault authored and tbonfort committed Dec 31, 2013
1 parent e83a0cb commit 3a10f6b
Showing 1 changed file with 5 additions and 0 deletions.
5 changes: 5 additions & 0 deletions mappostgis.c
Expand Up @@ -3212,6 +3212,11 @@ int msPostGISLayerSetTimeFilter(layerObj *lp, const char *timestring, const char
if (!lp || !timestring || !timefield)
return MS_FALSE;

if( strchr(timestring,'\'') || strchr(timestring, '\\') ) {
msSetError(MS_MISCERR, "Invalid time filter.", "msPostGISLayerSetTimeFilter()");
return MS_FALSE;
}

/* discrete time */
if (strstr(timestring, ",") == NULL &&
strstr(timestring, "/") == NULL) { /* discrete time */
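Review bot: The guard added at the top of msPostGISLayerSetTimeFilter() is a two-character denylist (`'` and `\`), so it is only sufficient if every later use of timestring sits inside a single-quoted SQL literal; the function body continues past this hunk, so that cannot be confirmed here. An allowlist of the characters that valid time values actually use would fail closed, for example `if (timestring[strspn(timestring, "0123456789-:.TZ,/ ")] != '\0')`, with the exact set checked against the time formats the layer accepts. timefield is not validated by this check; if it is also concatenated into the filter and can ever originate from a request rather than the mapfile, it needs equivalent validation. A short comment above the check, such as `/* timestring is concatenated into SQL below; reject quote and escape characters */`, would record why it exists.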