Bug report #4520

QGIS mapserver: Spaces in GetFeatureInfo filter string values are rejected

Added by Mathias Walker over 13 years ago. Updated over 6 years ago.

Status:Closed
Priority:Normal
Assignee:Marco Hugentobler
Category:QGIS Server
Affected QGIS version:master Regression?:No
Operating System: Easy fix?:No
Pull Request or Patch supplied:No Resolution:
Crashes QGIS or corrupts data:No Copied to github as #:14438

Description

WMS request:

http://localhost/wms/simple?SERVICE=WMS&VERSION=1.1.1&REQUEST=GetFeatureInfo&LAYERS=lakes&QUERY_LAYERS=lakes&FEATURE_COUNT=10&INFO_FORMAT=text/xml&SRS=EPSG:4326&FILTER=lakes:"NAME" = 'ZUGER SEE'

Response:

<ServiceExceptionReport version="1.3.0">
  <ServiceException code="Filter string rejected">
    The filter string "NAME" = 'ZUGER SEE' has been rejected because of security reasons.
    Note: Text strings have to be enclosed in single or double quotes. A space between each word / special character is mandatory.
    Allowed Keywords and special characters are AND,OR,IN,<,>=,>,>=,!=,',',(,). Not allowed are semicolons in the filter expression.
  </ServiceException>
</ServiceExceptionReport>

Spaces in the filter attribute as well as the filter value are rejected.

History

#1 Updated by Giovanni Manghi over 13 years ago

  • Target version set to Version 1.7.4

#2 Updated by Paolo Cavallini about 13 years ago

  • Crashes QGIS or corrupts data set to No
  • Target version changed from Version 1.7.4 to Version 1.8.0
  • Affected QGIS version set to master

#3 Updated by Paolo Cavallini over 12 years ago

  • Target version changed from Version 1.8.0 to Version 2.0.0

#4 Updated by Jürgen Fischer almost 11 years ago

  • Target version changed from Version 2.0.0 to Future Release - Lower Priority

#5 Updated by Giovanni Manghi almost 8 years ago

  • Regression? set to No
  • Easy fix? set to No

#6 Updated by Paul Blottiere over 6 years ago

  • Description updated (diff)

A unit test is now included in QGIS 2.18 and Master for this use case:

self.wms_request_compare('GetFeatureInfo',
                         '&layers=testlayer%20%C3%A8%C3%A9&' +
                         'INFO_FORMAT=text%2Fxml&' +
                         'width=600&height=400&srs=EPSG%3A3857&' +
                         'query_layers=testlayer%20%C3%A8%C3%A9&' +
                         'FEATURE_COUNT=10&FILTER=testlayer%20%C3%A8%C3%A9' + urllib.parse.quote(':"NAME" = \'two\' OR "utf8nameè" = \'three èé↓\''),
                         'wms_getfeatureinfo_filter_or_utf8')

with a space in the filter expression:

"utf8nameè" = \'three èé↓\'

#7 Updated by Paul Blottiere over 6 years ago

  • Status changed from Open to Closed

Also available in: Atom PDF