Relaxing Spatialite Security to load XML from external file-system files


Melanie Riley

Apr 1, 2014, 11:53:38 AM
to spatiali...@googlegroups.com
OK so I'm a little new to SpatiaLite, but not so new to geodatabases. I want to add some SLD files to my SpatiaLite databases
and I can create the tables fine with the CreateStylingTables function, but hit a wall when I get to the part where I need to
relax the security settings to use the XB_LoadXML function. The tutorial says to do the following:

export "SPATIALITE_SECURITY=relaxed"

So I did --within the Spatialite GUI, at the spatialite command prompt window....with no luck. It does not acknowledge
"export" as any proper syntax. Where can I change this setting?

I guess the second question is why would I want to change security settings to open the database to hacking (high likelihood that
I would forget to 'unrelax' the security) - is there another way to read in an XMLBlob from within the database?
I imported the SLD files using the Import XML Documents tool and there sits a nice table with my SLD's all imported and
validated as legit XMLBlob files. BUT there was a warning in the tutorial not to use UPDATE or INSERT queries to populate
the SE_vector_style_layers table, so just populating the style column with the BLOB 'XML_Documents' column would not be ok?
Is there an ok way to populate the style column with this other column without causing any potential issues?

a.fu...@lqt.it

Apr 1, 2014, 12:58:14 PM
to spatiali...@googlegroups.com
On Tue, 1 Apr 2014 08:53:38 -0700 (PDT), Melanie Riley wrote:
> export "SPATIALITE_SECURITY=relaxed"
>
> So I did --within the Spatialite GUI, at the spatialite command prompt
> window....with no luck. It does not acknowledge
> "export" as any proper syntax. Where can I change this setting?
>

Hi Melanie,

sorry, but the above syntax is merely intended for "sane minded"
systems supporting POSIX standards: e.g. Unix, Linux, MacOsX,
Android, FreeBSD, NetBSD (and many, many others)

if you are using instead some different operating system you'll
be probably required to consult the appropriate platform
documentation supporting your specific o.s./version.

You've missed to specify which platform you are currently using:
anyway my educated guess is that the following references could
eventually help you:

http://technet.microsoft.com/en-us/library/bb490998.aspx

http://en.wikipedia.org/wiki/Environment_variable


> Is there an ok way to populate the style column with this other column
> without causing any potential issues?
>

sorry again, but the problem is substantially different.

A) any SQL function allowing to directly exchange an external file
from / to the DB and the local file-system could eventually imply
a serious security risk.
a malicious SQL script (or even more dangerous: a forged trigger)
could easily exploit such a vulnerability so to install a virus
or a trojan. or alternatively the same mechanism could be
successfully deployed so to steal reserved and sensible data.

B) anyway directly importing / exporting external files from
the DB and the local file-system is a very useful option
in many different cases: e.g. this exactly is the case of
XB_LoadXML and XB_StoreXML
in other words: if you explicitly invoke these functions
for any good reason this doesn't imply any possible
security risk.
but leaving function like these intentionally available
without any restriction could eventually open seriously
dangerous security pitfalls.

C) accordingly to all this, any SQL function posing even vaguely
potential security issues will always be kept disabled.
unless the user gives an explicit "informed consent" thus
allowing to temporarily relax the standard security rules.
using an external environment variable is the most simple
way to implement all this.
environment variables are rather easy to be handled, are
universally supported on any possible platform I know, and
are definitely well out-of-reach of any possible malicious
attack strategy.

bye Sandro

Melanie Riley

Apr 1, 2014, 1:31:09 PM
to spatiali...@googlegroups.com
Thank-you Sandro. And yes, I am not using a sane-minded OS - I am stuck with Windows;)





Jukka Rahkonen

Apr 1, 2014, 1:43:04 PM
to spatiali...@googlegroups.com
Melanie Riley wrote:
> Thank-you Sandro. And yes, I am not using a sane-minded OS - I am
> stuck with Windows;)

Hi,

Then you can open Windows command window, go to the directory where your
spatialite-gui.exe is and give command
SET SPATIALITE_SECURITY=relaxed

Then start spatialite-gui from the same window with command
spatialite-gui

Now it should be relaxed for importing your XML.

-Jukka Rahkonen-
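
Added example, not part of the thread and not SpatiaLite code: a small cross-platform launcher that sets SPATIALITE_SECURITY=relaxed only for the one program it starts, so nothing is left to "unrelax" in the calling session. The script name run_relaxed.py and the function names are hypothetical; only the variable name and its value come from the thread.

```python
"""Launch one program with SPATIALITE_SECURITY=relaxed without changing the calling session."""
import os
import subprocess
import sys

VAR = "SPATIALITE_SECURITY"  # variable name and the value "relaxed" come from the thread


def is_relaxed(env=None):
    """True if the given environment (default: this process) already relaxes security."""
    env = os.environ if env is None else env
    # Case-insensitive on purpose: for a warning it is safer to over-report.
    return env.get(VAR, "").strip().lower() == "relaxed"


def relaxed_env(base=None):
    """Copy of the environment with the variable set; the original mapping is untouched."""
    env = dict(os.environ if base is None else base)
    env[VAR] = "relaxed"
    return env


def run_relaxed(cmd, **kwargs):
    """Run cmd with relaxed security for that child process only.

    Refuses to run if the session is already relaxed, since that means an
    earlier export/SET was never undone.
    """
    if is_relaxed():
        raise RuntimeError(f"{VAR}=relaxed is already set in this session; unset it first")
    return subprocess.run(cmd, env=relaxed_env(), **kwargs)


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: python run_relaxed.py PROGRAM [ARGS...]   e.g. spatialite-gui")
    result = run_relaxed(sys.argv[1:])  # blocks until the program exits
    print(f"exit code {result.returncode}; {VAR} in this session: {os.environ.get(VAR)!r}")
    sys.exit(result.returncode)
```

Once the launched program exits, the relaxed setting is gone with it; any other program started from the same window keeps the default restrictions.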

Melanie Riley

Apr 1, 2014, 2:31:34 PM
to spatiali...@googlegroups.com
Yes, it is behaving quite nicely now, thank-you!

