Description: Fix potential SQL Injection with postgis TIME filters.
Origin: https://github.com/mapserver/mapserver/commit/3f0ee57b12d482e0ff5611d05afd32408949f7f9
Author: Even Rouault <even.rouault@mines-paris.org>
Bug: https://github.com/mapserver/mapserver/issues/4834
Bug-Debian: http://bugs.debian.org/734565
Last-Update: 2013-01-08
--- a/mappostgis.c
+++ b/mappostgis.c
@@ -2961,6 +2961,11 @@ int msPostGISLayerSetTimeFilter(layerObj
     if (!lp || !timestring || !timefield)
       return MS_FALSE;
 
+    if( strchr(timestring,'\'') || strchr(timestring, '\\') ) {
+       msSetError(MS_MISCERR, "Invalid time filter.", "msPostGISLayerSetTimeFilter()");
+       return MS_FALSE;
+    }
+
     if (strstr(timestring, ",") == NULL && 
         strstr(timestring, "/") == NULL) /* discrete time */
       tmpstimestring = msStrdup(timestring);
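Review bot: The added guard at the top of msPostGISLayerSetTimeFilter is a denylist of two characters (`'` and `\`), so it is only sufficient if every later use of `timestring` sits inside a single-quoted SQL literal; the rest of the function lies outside the hunk, so that cannot be confirmed from here. `timefield` gets only the NULL check in the visible lines, and if it is interpolated into the query as an identifier it needs its own validation. An allowlist of the characters a time value can legitimately contain (digits and the date/time separators, plus `,` and `/` for lists and ranges) would fail closed on unexpected input; alternatively the value could be escaped with libpq's `PQescapeStringConn` where the SQL is built. Once the literal context is confirmed, I would also add a comment above the check, such as `/* timestring is spliced into a quoted SQL literal: reject characters that could end or escape the literal */`.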
