From 3757afe8fcd7debd7cb147023d0ee8c60a4290b5 Mon Sep 17 00:00:00 2001
From: Even Rouault
Date: Sat, 20 Jun 2026 17:04:07 +0200
Subject: [PATCH] msMySQLJoinNext(): prevent SQL injection

Fixes https://github.com/MapServer/MapServer/security/advisories/GHSA-7624-4mwh-9cxr

Funded by RGD Savoie Mont-Blanc
---
 src/mapjoin.c | 18 ++++++++++++++++--
 1 file changed, 16 insertions(+), 2 deletions(-)

diff --git a/src/mapjoin.c b/src/mapjoin.c
index bc3a7643b3..6fcace274b 100644
--- a/src/mapjoin.c
+++ b/src/mapjoin.c
@@ -808,8 +808,22 @@ int msMySQLJoinNext(joinObj *join) {
 /* if(strcmp(joininfo->target, msMySQLReadStringAttribute(joininfo->conn, i,
 * joininfo->toindex)) == 0) break; */
 /* } */
- snprintf(qbuf, sizeof(qbuf), "SELECT * FROM %s WHERE %s = %s", join->table,
- joininfo->tocolumn, joininfo->target);
+
+ char *endptr = NULL;
+ (void)strtoll(joininfo->target, &endptr, 10);
+ if (endptr != joininfo->target + strlen(joininfo->target)) {
+ msSetError(MS_JOINERR,
+ "Non-numeric value in MySQL JOIN colunn not supported.",
+ "msMySQLJoinNext()");
+ return (MS_FAILURE);
+ }
+
+ char *escapedTableName = msReplaceSubstring(join->table, "`", "``");
+ char *escapedToColumn = msReplaceSubstring(joininfo->tocolumn, "`", "``");
+ snprintf(qbuf, sizeof(qbuf), "SELECT * FROM `%s` WHERE `%s` = %s",
+ escapedTableName, escapedToColumn, joininfo->target);
+ msFree(escapedTableName);
+ msFree(escapedToColumn);
 MYDEBUG printf("%s
\n", qbuf);
 if ((joininfo->qresult = msMySQLQuery(qbuf, joininfo->conn))) {
 /* There were some rows found,
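Review bot: The new numeric guard accepts an empty `joininfo->target`: strtoll() on "" performs no conversion and sets `endptr` to `joininfo->target`, which is exactly `joininfo->target + strlen(joininfo->target)` when the length is 0, so the check passes and the query is built with a dangling `= ` (a MySQL syntax error rather than an injection, but not the rejection the guard intends). Test for "no digits consumed" as well as "trailing garbage", `if (endptr == joininfo->target || *endptr != '\0') {`, which also removes the strlen() call. Separately, the results of `msReplaceSubstring(join->table, ...)` and `msReplaceSubstring(joininfo->tocolumn, ...)` are passed to msFree(); if msReplaceSubstring reallocates and returns its first argument in place (the convention its "str was dynamically created using malloc" contract in mapstring.c suggests, though not visible here) this frees the join's own strings, so the calls should take `msStrdup(join->table)` and `msStrdup(joininfo->tocolumn)` unless the function is confirmed to return a fresh copy. Wrapping `join->table` in a single pair of backticks also turns a `db.table` value into one identifier, a behavior change worth a comment on the snprintf line, and the error text has a typo, `colunn` should be `column`. msMySQLJoinNext()'s body continues past the end of the hunk.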