hans/Nominatim
1
0
Fork 1
mirror of https://github.com/osm-search/Nominatim.git synced 2026-03-09 03:24:06 +00:00
Code Issues Packages Projects Releases Wiki Activity

properly escape class parameter

Browse Source 
The class parameter was used as is, allowing for potential
SQL injection via the API.

Thanks to @bladeswords for finding this.
This commit is contained in:
Sarah Hoffmann
2020-05-02 21:54:14 +02:00
parent ec86a972a2
commit ae85ceca1e
1 changed files with 4 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
website/details.php
View File

@@ -32,12 +32,14 @@ $sLanguagePrefArraySQL = $oDB->getArraySQL($oDB->getDBQuotedList($aLangPrefOrder
if ($sOsmType && $iOsmId > 0) { if ($sOsmType && $iOsmId > 0) {
$sSQL = 'SELECT place_id FROM placex WHERE osm_type = :type AND osm_id = :id'; $sSQL = 'SELECT place_id FROM placex WHERE osm_type = :type AND osm_id = :id';
$aSQLParams = array(':type' => $sOsmType, ':id' => $iOsmId);
// osm_type and osm_id are not unique enough // osm_type and osm_id are not unique enough
if ($sClass) { if ($sClass) {
$sSQL .= " AND class='".$sClass."'"; $sSQL .= ' AND class= :class';
$aSQLParams[':class'] = $sClass;
} }
$sSQL .= ' ORDER BY class ASC'; $sSQL .= ' ORDER BY class ASC';
$sPlaceId = $oDB->getOne($sSQL, array(':type' => $sOsmType, ':id' => $iOsmId)); $sPlaceId = $oDB->getOne($sSQL, $aSQLParams);
// Be nice about our error messages for broken geometry // Be nice about our error messages for broken geometry