cocoon-users mailing list archives

From "Lars Huttar" <>
Subject RE: esql: How to protect table/column name parameters from exploits?
Date Wed, 21 Jan 2004 16:09:49 GMT
On Cocoon Users list, Conal Tuohy wrote:
> Lars Huttar wrote:
> > HOWEVER...
> > if the request parameter is not to be used as a literal value
> > but as a table or column name, <esql:parameter> doesn't
> > work. E.g. in
> >   SELECT count(*) TOTAL FROM <xsp-request:get-parameter name="table"/>
> >          where <xsp-request:get-parameter name="column" /> is not null
> >
> > If I try to wrap the above <xsp-request:get-parameter> elements
> > with <esql:parameter> elements, the query fails.
> > If I treat the table parameter that way, I get an "invalid table name"
> > error. If I do that to the column parameter, the Select selects all
> > rows.
> > In other words, it's acting as though the table name or column name
> > were put in quotes.
> >
> > SO...
> > Given that the table name and column name could be vulnerable
> > to URL exploits, how do I protect them in esql?
> > Any suggestions?
> Do you really want users to be able to access any table? I 
> suggest probably not.

Hmm, good point. 

> You could use a Selector to check that the "table" parameter 
> falls into a
> set of allowed values.
> Or the WildcardRequestParameterMatcher which would allow you specify the
> list of tables as a single regular expression I believe (though I've not
> done this myself).

Thanks for the suggestions and the insight.
Come to think of it, some of the cases where table/column
names are passed as parameters could be done as internal-only pipelines.
But not all.
So we might have to do some pattern-matching as you suggested.

I *think* this is only an issue in our "sanity checks" utility
(checking that all the tables and columns have some data in them,
that sort of thing). So those particular XSP pages needn't be
part of the application when it goes into production.

Anyway, thanks again.
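The two points made in this exchange, that binding a column name as a query parameter turns it into a string literal (so every row matches), and that identifiers taken from request parameters therefore have to be checked against a fixed set of allowed values before they reach the SQL text, shown as an added example. This is not code from the thread or from Cocoon/esql; it uses Python's sqlite3 in place of esql, and the table names, columns, rows and request parameters are constructed sample data.

```python
"""Allow-listing SQL identifiers that arrive as request parameters.

Added example, not code from the Cocoon/esql thread. It uses sqlite3 to
reproduce the two observations made there:
  1. binding a column name as a query parameter makes it a string literal,
     so "WHERE ? IS NOT NULL" is true for every row, and
  2. identifiers therefore have to be matched against an allow-list before
     they are spliced into the SQL text; only values get bound.
Schema, rows and request parameters below are constructed sample data.
"""
import sqlite3

# Constructed allow-list: the tables and columns the sanity-check pages may
# inspect. Anything not listed here is rejected before SQL is built.
ALLOWED = {
    "persons": {"id", "name", "email"},
    "orders": {"id", "person_id", "total"},
}


def validate_identifiers(table, column):
    """Return (table, column) if both are allow-listed, else raise ValueError."""
    if table not in ALLOWED:
        raise ValueError(f"table not allowed: {table!r}")
    if column not in ALLOWED[table]:
        raise ValueError(f"column not allowed for {table}: {column!r}")
    return table, column


def count_non_null(conn, table, column):
    """SELECT count(*) TOTAL FROM <table> WHERE <column> IS NOT NULL, with
    both identifiers validated against ALLOWED and then double-quoted.
    Nothing from the request reaches the SQL text unless it matched the list."""
    table, column = validate_identifiers(table, column)
    sql = f'SELECT count(*) AS TOTAL FROM "{table}" WHERE "{column}" IS NOT NULL'
    return conn.execute(sql).fetchone()[0]


def count_with_bound_column(conn, table, column):
    """What the thread observed: binding the column name as a parameter.
    The driver supplies a string literal, so the predicate becomes
    'email' IS NOT NULL, which is always true, and every row is counted."""
    table, _ = validate_identifiers(table, column)  # table is still checked
    sql = f'SELECT count(*) FROM "{table}" WHERE ? IS NOT NULL'
    return conn.execute(sql, (column,)).fetchone()[0]


def sample_db():
    """In-memory database with constructed rows; two persons lack an email."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE persons (id INTEGER, name TEXT, email TEXT);
        INSERT INTO persons VALUES (1, 'a', 'a@example.org');
        INSERT INTO persons VALUES (2, 'b', NULL);
        INSERT INTO persons VALUES (3, 'c', NULL);
        CREATE TABLE orders (id INTEGER, person_id INTEGER, total REAL);
    """)
    return conn


def handle_request(params):
    """Simulates the request-parameter path: returns the count, or a
    'rejected: ...' string when the identifiers fail validation."""
    conn = sample_db()
    try:
        return count_non_null(conn, params.get("table", ""), params.get("column", ""))
    except ValueError as exc:
        return f"rejected: {exc}"
    finally:
        conn.close()


if __name__ == "__main__":
    print(handle_request({"table": "persons", "column": "email"}))  # 1
    print(handle_request({"table": "persons", "column": "id"}))  # 3
    # Unlisted identifiers are refused before any SQL text is assembled.
    print(handle_request({"table": "sqlite_master", "column": "sql"}))
    print(handle_request({"table": "persons", "column": "password"}))
```

The allow-list is the whole defence here: quoting the identifier only protects against malformed names, while membership in ALLOWED decides which tables and columns a request may reach at all, which is the same effect a sitemap Selector or a regular-expression matcher on the parameter gives in Cocoon.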

