[Tile-serving] [openstreetmap/osm2pgsql] Improvements to osm2pgsql-replication script (PR #1753)
Sarah Hoffmann
notifications at github.com
Tue Sep 6 15:52:33 UTC 2022
This PR collects some smaller improvements to the osm2pgsql-replication script to harden it against potential security issues:
* Use psycopg2's SQL module for correct quoting of PostgreSQL identifiers like table names. This includes fixing one spot where there was a SQL code injection possible via the `--prefix` parameter. Note that the threat level for the injection is low because the attacker would still need credentials for the database.
* When installing the script with `make install`, the default osm2pgsql binary will no longer be searched via PATH. Instead a hard-coded path to the installed osm2pgsql is used.
* Document that the script accepts connection parameters via libpq environment parameters and point to pgpass files for handing in passwords. Also fixes the script to work when no database name is given in the command line.
In addition there is now a more meaningful error returned when the prefix parameter is wrong or the middle tables do not exist.
You can view, comment on, or merge this pull request online at:
https://github.com/openstreetmap/osm2pgsql/pull/1753
-- Commit Summary --
* use psycopg SQL module for correct quoting
* osm2pgsql-replication: meaningful error when middle tables do not exist
* osm2pgsql-replication: run against installed osm2pgsql
* osm2pgsql-replication: allow empty database parameter
* osm2pgsql-replication: add hint about pqlib environment parameters.
-- File Changes --
M CMakeLists.txt (5)
M scripts/osm2pgsql-replication (91)
-- Patch Links --
https://github.com/openstreetmap/osm2pgsql/pull/1753.patch
https://github.com/openstreetmap/osm2pgsql/pull/1753.diff
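The identifier-quoting point from the first bullet, as an added example that is not code from the PR or from osm2pgsql-replication. The `_ways` table suffix, the query text, the sample prefixes and all function names are assumptions made for illustration, and `quote_ident` is a pure-Python stand-in for the quoting rule so the example runs without a database.

```python
# Added illustration; not code from osm2pgsql-replication.
# quote_ident() applies the PostgreSQL rule for quoted identifiers: wrap the
# name in double quotes and double any embedded double quote. With psycopg2
# the equivalent composition is:
#   sql.SQL("SELECT max(id) FROM {}").format(sql.Identifier(table))

def quote_ident(name: str) -> str:
    if "\x00" in name:
        raise ValueError("identifier must not contain NUL bytes")
    return '"' + name.replace('"', '""') + '"'

def table_name(prefix: str) -> str:
    # Hypothetical middle table named "<prefix>_ways".
    return prefix + "_ways"

def query_unquoted(prefix: str) -> str:
    # Weak form: the prefix is pasted into the SQL text as-is.
    return "SELECT max(id) FROM {}".format(table_name(prefix))

def query_quoted(prefix: str) -> str:
    # Hardened form: the whole table name is one quoted identifier.
    return "SELECT max(id) FROM {}".format(quote_ident(table_name(prefix)))

def statement_count(query: str) -> int:
    """Count statements by splitting on ';' outside quoted identifiers.

    Simplified on purpose: ignores string literals and comments.
    """
    count, in_quotes, pending = 0, False, False
    for ch in query:
        if ch == '"':
            in_quotes = not in_quotes  # a doubled "" toggles twice, net unchanged
        if ch == ";" and not in_quotes:
            count += pending
            pending = False
        elif not ch.isspace():
            pending = True
    return count + pending

# Constructed sample values for --prefix.
HOSTILE_PREFIX = "osm_ways; SELECT version() AS x"
BREAKOUT_PREFIX = 'osm"; SELECT version() AS "x'

if __name__ == "__main__":
    for p in ("planet_osm", HOSTILE_PREFIX, BREAKOUT_PREFIX):
        print(repr(p))
        print("  unquoted:", query_unquoted(p))
        print("  quoted:  ", query_quoted(p), "->", statement_count(query_quoted(p)))
```

With quoting, a hostile prefix yields a single statement that references a table which does not exist, so the query fails instead of running attacker-supplied SQL.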