Opened 2 months ago

Last modified 5 weeks ago

#5697 new defect

fix or document id escaping for ST_EstimatedExtent params — at Initial Version

Reported by: Yuri Owned by: pramsey
Priority: medium Milestone: PostGIS 3.4.3
Component: postgis Version: 3.4.x
Keywords: Cc:

Description

Function ST_EstimatedExtent - https://postgis.net/docs/ST_EstimatedExtent.html has an unusual param pattern - it requires schema, table, and geometry columns to be strings in some uncertain escaping - later it gets used directly without quotes in an internal schema/table identity lookup. (uncertain)

As a result, it is not clear what escaping is needed in "complex" cases. Moreover, I suspect there might be a security bug here too, but not certain.

I could not get this function to run for this (convoluted) case.

CREATE SCHEMA """Quotes' and Space.Dot.";

CREATE TABLE """Quotes' and Space.Dot.".". Points"" 'quote"
(
    "' id '"      SERIAL PRIMARY KEY,
    ".namE "      TEXT,
    ". '""Geom""" GEOMETRY(POINT, 4326)
);

INSERT INTO """Quotes' and Space.Dot.".". Points"" 'quote"
values (1, '02daedc70702ec68753fde38351f5d9d', '0101000020E610000050C4D38CE9DA61401EFC0EC7C3DA2740'),
       (2, '7418427ba8a960c3661235f47cc13d46', '0101000020E6100000CC2F4170E9DA6140DEDB02B581DA2740');

CREATE INDEX ON """Quotes' and Space.Dot.".". Points"" 'quote" USING GIST (". '""Geom""");

SELECT ST_EstimatedExtent(?, ?, ?) as bounds;
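Added example (not part of the ticket and not PostGIS code): the ambiguity the ticket describes comes down to whether schema/table/column names are treated as SQL identifiers or as raw strings. The snippet below reimplements PostgreSQL's identifier quoting rule in Python (quote only when the name is not a plain lower-case identifier, and double every embedded double quote; the real quote_ident() additionally quotes reserved keywords, which is omitted here), applies it to the three names from the ticket, and includes a small parser that splits a dotted identifier chain back into its parts. The round trip shows why names containing dots and quotes can only be distinguished when they are quoted, and how a naive string join of the same names loses the boundaries.

```python
import re

# The three names from the ticket's CREATE statements, written as the raw
# values an application would hold (the SQL-quoted forms appear in the ticket).
SCHEMA = '"Quotes\' and Space.Dot.'
TABLE = '. Points" \'quote'
COLUMN = '. \'"Geom"'

# A name that needs no quoting: lower-case letters, digits and underscores,
# not starting with a digit. Reserved keywords are not handled here.
_PLAIN_IDENT = re.compile(r'^[a-z_][a-z0-9_]*$')


def quote_ident(name: str) -> str:
    """Quote an identifier the way PostgreSQL's quote_ident() does
    (keyword quoting omitted): wrap in double quotes unless the name is a
    plain lower-case identifier, and double every embedded double quote."""
    if _PLAIN_IDENT.match(name):
        return name
    return '"' + name.replace('"', '""') + '"'


def qualified_name(*names: str) -> str:
    """Join schema/table/column parts into a safely quoted dotted name."""
    return ".".join(quote_ident(n) for n in names)


def naive_join(*names: str) -> str:
    """The unsafe alternative: concatenate raw names with dots and no quoting."""
    return ".".join(names)


def split_qualified(text: str) -> list[str]:
    """Split a dotted identifier chain into its parts, honouring quoted
    segments (doubled quotes inside them stand for one quote) and folding
    unquoted segments to lower case as PostgreSQL does."""
    parts: list[str] = []
    buf: list[str] = []
    i, n = 0, len(text)
    while i < n:
        c = text[i]
        if c == '"':
            i += 1
            while True:
                if i >= n:
                    raise ValueError("unterminated quoted identifier")
                if text[i] == '"':
                    if i + 1 < n and text[i + 1] == '"':
                        buf.append('"')  # doubled quote -> literal quote
                        i += 2
                        continue
                    i += 1  # closing quote
                    break
                buf.append(text[i])
                i += 1
        elif c == '.':
            parts.append("".join(buf))
            buf = []
            i += 1
        else:
            buf.append(c.lower())
            i += 1
    parts.append("".join(buf))
    return parts


if __name__ == "__main__":
    safe = qualified_name(SCHEMA, TABLE, COLUMN)
    print("quoted:", safe)
    print("round trip ok:", split_qualified(safe) == [SCHEMA, TABLE, COLUMN])
    print("naive join parts:", split_qualified(naive_join(SCHEMA, TABLE)))
```

The quoted forms produced by quote_ident() for the ticket's names are exactly the ones used in the ticket's CREATE statements, and they parse back to the original three parts; the naive join of the schema and table names collapses into a single part because the embedded quotes and dots are no longer delimited.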

Change History (0)
