jackrabbit-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Stefan Guggisberg" <stefan.guggisb...@gmail.com>
Subject Re: Security problem with QueryManager?
Date Fri, 06 Oct 2006 09:52:00 GMT
On 10/5/06, Ottinger, Joseph <jottinger@techtarget.com> wrote:
> I was playing around with JCR's query facility and realised something a little scary.
Perhaps I'm just ignorant, but... hey, that's why I email the list, right?
>
> When I build SQL queries, I do something like this: "select * from nt:unstructured where
foo='"+bar+"'";
>
> Oh, wait. If I was actually using JDBC, I'd *never* do this, because some fool out there
will try to set bar to something that will return more than I want it to return. To wit: bar
might equal "a' or 1=1" and lo, every node will be returned. Application error at best, exposure
of sensitive data at worst.
>
> Then I thought, well, hey, I have XPath, right? But in XPath, I can construct a query
the same way. Hello, security hole.
>
> Am I missing something?

well, unlike databases JCR *does* provide fine-grained access control, i.e. the
user will only get those results which he has read-access on.

cheers
stefan

>

Mime
View raw message