jackrabbit-users mailing list archives

From Joshua Levy <l...@csl.sri.com>
Subject Re: Security problem with QueryManager?
Date Thu, 05 Oct 2006 16:51:45 GMT
Right, you need to make sure quotes are escaped.
I didn't find any existing statement preparation
libraries for XPath, but see
  http://www.nabble.com/Quote-escaping-in-jcr%3Acontains-searchexp-tf2287760.html#a6392098

Joshua


>You are missing the convenience of the PreparedStatement... you will
>have to do your own data validation.
>
>Ottinger, Joseph wrote:
>> I was playing around with JCR's query facility and realised something a little scary.
>> Perhaps I'm just ignorant, but... hey, that's why I email the list, right?
>>
>> When I build SQL queries, I do something like this: "select * from nt:unstructured
>> where foo='"+bar+"'";
>>
>> Oh, wait. If I was actually using JDBC, I'd *never* do this, because some fool out
>> there will try to set bar to something that will return more than I want it to return.
>> To wit: bar might equal "a' or 1=1" and lo, every node will be returned. Application
>> error at best, exposure of sensitive data at worst.
>>
>> Then I thought, well, hey, I have XPath, right? But in XPath, I can construct a query
>> the same way. Hello, security hole.
>>
>> Am I missing something?
>>
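The quote escaping Joshua points to, as an added Java example that is not from this thread or from Jackrabbit itself: it quotes a user-supplied value as a JCR-SQL literal (apostrophes doubled) or as an XPath 1.0 literal (a delimiter the value lacks, or concat() when it contains both), so the "a' or 1=1" value from the thread ends up compared as a plain string. The class and method names are assumptions; whether a given repository's XPath dialect accepts concat() is not confirmed here, so check it or reject such values during validation.

```java
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.query.Query;
import javax.jcr.query.QueryManager;
import javax.jcr.query.QueryResult;

// Added example with hypothetical names; not Jackrabbit's own code.
public final class JcrQuoting {

    // JCR-SQL string literal: single-quoted, an embedded ' is written as ''.
    static String sqlLiteral(String value) {
        return "'" + value.replace("'", "''") + "'";
    }

    // XPath 1.0 string literal. XPath has no escape character, so pick a
    // delimiter the value lacks; if it holds both kinds, assemble it with
    // concat() (standard XPath 1.0; confirm the repository dialect supports it).
    static String xpathLiteral(String value) {
        if (!value.contains("'")) {
            return "'" + value + "'";
        }
        if (!value.contains("\"")) {
            return "\"" + value + "\"";
        }
        StringBuilder sb = new StringBuilder("concat(");
        String[] parts = value.split("'", -1); // -1 keeps trailing empty parts
        for (int i = 0; i < parts.length; i++) {
            if (i > 0) {
                sb.append(", \"'\", "); // the apostrophe itself, double-quoted
            }
            sb.append('\'').append(parts[i]).append('\'');
        }
        return sb.append(')').toString();
    }

    // The thread's query with bar quoted: "a' or 1=1" becomes foo='a'' or 1=1'.
    static String safeSql(String bar) {
        return "select * from nt:unstructured where foo=" + sqlLiteral(bar);
    }

    static String safeXPath(String bar) {
        return "//element(*, nt:unstructured)[@foo = " + xpathLiteral(bar) + "]";
    }

    // Runs the quoted JCR-SQL form through the standard JCR 1.0 query API.
    static QueryResult findByFoo(Session session, String bar) throws RepositoryException {
        QueryManager qm = session.getWorkspace().getQueryManager();
        return qm.createQuery(safeSql(bar), Query.SQL).execute();
    }
}
```

Quoting the literal is the part PreparedStatement would have done for you; validating that bar is a value your application expects at all is still the caller's job, as the reply above says.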
