Changes between Version 4 and Version 5 of SecurityIssues


Timestamp:
Apr 12, 2014, 2:11:15 AM (10 years ago)
Author:
Even Rouault
Comment:

Mention HTTP

  • SecurityIssues

    v4 v5  
    5151     * Drivers depending on third-party libraries whose code has been embedded in GDAL. Binary builds might rely on the internal version, or the external version. If using the internal version, they might use an obsolete version of the third-party library that might contain known vulnerabilities. Potentially concerned drivers are GTiff (libtiff, libgeotiff), PNG (libpng), GIF (giflib), JPEG (libjpeg), PCRaster (libcsf), GeoJSON (libjson-c), MapInfo File (MITAB lib), AVCBin/AVCE00 (AVCE00 lib). An internal version of ZLib is also contained in GDAL sources. Packagers of GDAL are recommanded to use the external version of the libraries when possible (might be impractical with libtiff due to the libtiff 4.X vs libtiff 3.X issue), so that security upgrades of those dependencies benefit to GDAL.
    5252     * Drivers using GDALOpen() or OGROpen() internally cause other drivers to be used (and their possible flows exploited), without it being obvious at first sight. VRT, MBTiles, KMLSuperOverlay, RasterLite, PDF, RPFTOC, RS2, WMS, WCS, WFS, ... are such drivers.
    53      * Drivers depending on downloaded data (WMS, WCS, WFS). A subset of the previously mentionned drivers, but where the hostile payload might come from the Web, so local inspection of content is not sufficient.
     53     * Drivers depending on downloaded data (HTTP, WMS, WCS, WFS). A subset of the previously mentionned drivers, but where the hostile payload might come from the Web, so local inspection of content is not sufficient.
    5454     * XML based drivers: might be subject to denial of service by [http://en.wikipedia.org/wiki/Billion_laughs billion laugh]-like attacks (though most OGR XML based drivers can detect such patterns).
    5555     * SQL injections: services that would accept untrusted SQL requests could trigger SQL injection vulnerabilities in OGR database-based drivers.
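Review bot: adding HTTP to the downloaded-data bullet (v5 line 53) makes its second sentence, "A subset of the previously mentionned drivers", inaccurate, because HTTP does not appear in the preceding GDALOpen()/OGROpen() list (line 52: VRT, MBTiles, KMLSuperOverlay, RasterLite, PDF, RPFTOC, RS2, WMS, WCS, WFS, ...). Either add HTTP to that list on line 52 or reword line 53 so it no longer claims to be a strict subset, e.g. "Drivers depending on downloaded data (HTTP, WMS, WCS, WFS): the hostile payload might come from the Web, so local inspection of content is not sufficient." While editing line 53, "mentionned" could also be corrected to "mentioned" (the unchanged line 51 has the same kind of slip in "recommanded", which a follow-up revision could fix).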