From 0223d00a54eb079c44ffa25eced7fbe71a0be579 Mon Sep 17 00:00:00 2001
From: javi
Date: Thu, 12 Feb 2015 10:57:12 +0100
Subject: [PATCH 1/2] fixed security problem

---
 scripts-available/CDB_QueryTables.sql | 5 -----
 test/CDB_QueryTablesTest.sql | 4 ++++
 test/CDB_QueryTablesTest_expect | 2 ++
 3 files changed, 6 insertions(+), 5 deletions(-)

diff --git a/scripts-available/CDB_QueryTables.sql b/scripts-available/CDB_QueryTables.sql
index 2fb9532..d2a17c6 100644
--- a/scripts-available/CDB_QueryTables.sql
+++ b/scripts-available/CDB_QueryTables.sql
@@ -16,11 +16,6 @@ BEGIN
   FOR rec IN SELECT CDB_QueryStatements(query) q LOOP
-    IF NOT ( rec.q ilike 'select %' or rec.q ilike 'with %' ) THEN
-      --RAISE WARNING 'Skipping %', rec.q;
-      CONTINUE;
-    END IF;
-
     BEGIN
       EXECUTE 'EXPLAIN (FORMAT XML, VERBOSE) ' || rec.q INTO STRICT exp;
     EXCEPTION WHEN others THEN
diff --git a/test/CDB_QueryTablesTest.sql b/test/CDB_QueryTablesTest.sql
index 6c3911f..b87315c 100644
--- a/test/CDB_QueryTablesTest.sql
+++ b/test/CDB_QueryTablesTest.sql
@@ -31,3 +31,7 @@ create table sc.test (a int);
 insert into sc.test values (1);
 WITH inp AS ( select 'select * from sc.test'::text as q )
   SELECT q, CDB_QueryTables(q) from inp;
+
+WITH inp AS ( select 'SELECT
+* FROM geometry_columns'::text as q )
+  SELECT q, CDB_QueryTables(q) from inp;
diff --git a/test/CDB_QueryTablesTest_expect b/test/CDB_QueryTablesTest_expect
index 6d44860..bfe59df 100644
--- a/test/CDB_QueryTablesTest_expect
+++ b/test/CDB_QueryTablesTest_expect
@@ -13,3 +13,5 @@ CREATE SCHEMA
 CREATE TABLE
 INSERT 0 1
 select * from sc.test|{sc.test}
+SELECT
+* FROM geometry_columns|{pg_catalog.pg_attribute,pg_catalog.pg_class,pg_catalog.pg_namespace,pg_catalog.pg_type}

From 519ea075d6534c4c51fffa4063386dfafc938528 Mon Sep 17 00:00:00 2001
From: javi
Date: Fri, 13 Feb 2015 17:32:14 +0100
Subject: [PATCH 2/2] fixed reg exp

---
 scripts-available/CDB_QueryTables.sql | 5 +++++
 1 file changed, 5 insertions(+)
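Review bot: Removing the IF NOT block leaves the `EXECUTE 'EXPLAIN (FORMAT XML, VERBOSE) ' || rec.q` two lines below with no check at all on what rec.q contains, so at this revision every statement CDB_QueryStatements yields is handed to EXECUTE unfiltered; the guard only comes back in patch 2/2 with `'select%'`/`'with%'`. The failing case the series targets appears to be a keyword followed by a newline rather than a space, which the pattern change alone fixes, so the two commits are better squashed than left with an intermediate revision that drops the guard entirely. The FOR loop body continues outside the hunk.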
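Review bot: The new case in test/CDB_QueryTablesTest.sql only covers the newline-after-SELECT regression; nothing asserts the behaviour the "fixed security problem" commit is about, namely that a statement which is not a SELECT/WITH is skipped instead of being passed to EXECUTE. A case along the lines of `WITH inp AS ( select 'insert into sc.test values (2)'::text as q ) SELECT q, CDB_QueryTables(q) from inp;` with its matching line in CDB_QueryTablesTest_expect, followed by a `select count(*) from sc.test;` showing the row count unchanged, would pin that down. The expected `{pg_catalog.pg_attribute,...}` output for the geometry_columns case presumably depends on how that view is defined by the installed PostGIS version, so it may need updating on a PostGIS upgrade.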
diff --git a/scripts-available/CDB_QueryTables.sql b/scripts-available/CDB_QueryTables.sql
index d2a17c6..cd8b51b 100644
--- a/scripts-available/CDB_QueryTables.sql
+++ b/scripts-available/CDB_QueryTables.sql
@@ -16,6 +16,11 @@ BEGIN
   FOR rec IN SELECT CDB_QueryStatements(query) q LOOP
+    IF NOT ( rec.q ilike 'select%' or rec.q ilike 'with%' ) THEN
+      --RAISE WARNING 'Skipping %', rec.q;
+      CONTINUE;
+    END IF;
+
     BEGIN
       EXECUTE 'EXPLAIN (FORMAT XML, VERBOSE) ' || rec.q INTO STRICT exp;
     EXCEPTION WHEN others THEN
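Review bot: The restored guard classifies rec.q by its leading keyword only, so it does not by itself establish that the EXECUTE on the lines below is read-only — what CDB_QueryStatements hands back is not visible here, and a `WITH` statement may carry data-modifying CTEs. A defence that does not depend on the shape of the string is to run the EXPLAIN with `transaction_read_only` set to on (as a function-level `SET` clause, or `SET LOCAL` scoped to the transaction, whichever fits the callers), so anything the splitter or the pattern lets through cannot write; as far as I can tell plain EXPLAIN still plans fine in that mode. The reason for dropping the space is worth recording on the IF line, e.g. `-- no space after the keyword: the statement may continue on a new line`, and the commented-out RAISE WARNING is better removed than re-added. The loop body continues outside the hunk.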