Merge pull request #68 from CartoDB/fix_querytables

try to fix security problem

scripts-available/CDB_QueryTables.sql

@@ -16,9 +16,9 @@ BEGIN
 
   FOR rec IN SELECT CDB_QueryStatements(query) q LOOP
 
-    IF NOT ( rec.q ilike 'select %' or rec.q ilike 'with %' ) THEN
+    IF NOT ( rec.q ilike 'select%' or rec.q ilike 'with%' ) THEN
-      --RAISE WARNING 'Skipping %', rec.q;
+        --RAISE WARNING 'Skipping %', rec.q;
-      CONTINUE;
+        CONTINUE;
     END IF;
 
     BEGIN

test/CDB_QueryTablesTest.sql

@@ -31,3 +31,7 @@ create table sc.test (a int);
 insert into sc.test values (1);
 WITH inp AS ( select 'select * from sc.test'::text as q )
  SELECT q, CDB_QueryTables(q) from inp;
+
+WITH inp AS ( select 'SELECT
+* FROM geometry_columns'::text as q )
+ SELECT q, CDB_QueryTables(q) from inp;

test/CDB_QueryTablesTest_expect

@@ -13,3 +13,5 @@ CREATE SCHEMA
 CREATE TABLE
 INSERT 0 1
 select * from sc.test|{sc.test}
+SELECT
+* FROM geometry_columns|{pg_catalog.pg_attribute,pg_catalog.pg_class,pg_catalog.pg_namespace,pg_catalog.pg_type}