[Tile-serving] [openstreetmap/osm2pgsql] Check more user-supplied strings used as SQL identifier (PR #1758)

Sarah Hoffmann notifications at github.com
Thu Sep 8 20:18:40 UTC 2022


We already consistently quote all identifiers used in SQL strings in the code to avoid SQL injection issues. The quoting works on the assumption that there are no double quotes in the string itself. The flex output already checked all user-supplied strings for conformance.

This PR adds the same check to the prefix and schema command-line parameters which are used as SQL identifiers and for the column names and types from the pgsql style file.
You can view, comment on, or merge this pull request online at:

  https://github.com/openstreetmap/osm2pgsql/pull/1758

-- Commit Summary --

  * make check_name() a global function
  * check more user-supplied strings used as SQL identifier

-- File Changes --

    M src/options.cpp (4)
    M src/output-flex.cpp (27)
    M src/pgsql.cpp (13)
    M src/pgsql.hpp (13)
    M src/table.cpp (3)

-- Patch Links --

https://github.com/openstreetmap/osm2pgsql/pull/1758.patch
https://github.com/openstreetmap/osm2pgsql/pull/1758.diff
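
The validate-then-quote pattern described in the message above, as an added example that is not code from the pull request or from osm2pgsql. The function names, the allow-list of characters and the sample values are assumptions made for illustration; the project's own check_name() may accept a different set of characters.

```cpp
#include <iostream>
#include <stdexcept>
#include <string>

// Hypothetical helper, not osm2pgsql's check_name(). Assumption: only ASCII
// letters, digits and '_' are accepted, which excludes '"' by construction.
bool is_safe_identifier(std::string const &name)
{
    if (name.empty()) {
        return false;
    }
    for (unsigned char c : name) {
        bool const ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                        (c >= '0' && c <= '9') || c == '_';
        if (!ok) {
            return false;
        }
    }
    return true;
}

// Plain double-quote wrapping: only correct if name contains no '"'.
std::string quote_identifier(std::string const &name)
{
    return '"' + name + '"';
}

// Validate the user-supplied parts first, then quote. The suffix is a
// constant chosen by the program, so it is not checked here.
std::string qualified_table(std::string const &schema,
                            std::string const &prefix,
                            std::string const &suffix)
{
    if (!is_safe_identifier(schema)) {
        throw std::invalid_argument{"invalid schema name: " + schema};
    }
    if (!is_safe_identifier(prefix)) {
        throw std::invalid_argument{"invalid table prefix: " + prefix};
    }
    return quote_identifier(schema) + "." + quote_identifier(prefix + "_" + suffix);
}

int main()
{
    // Constructed sample values standing in for the schema and prefix parameters.
    std::cout << qualified_table("public", "planet_osm", "point") << '\n';
    try {
        qualified_table("public", "planet\"osm", "point");
    } catch (std::invalid_argument const &e) {
        std::cout << "rejected: " << e.what() << '\n';
    }
}
```

Without the check, quote_identifier() would turn the second prefix into `"planet"osm"`, where the embedded quote closes the identifier early; rejecting the name before any SQL is built keeps the quoting assumption true.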
