jackrabbit-users mailing list archives

From Marcel Reutegger <marcel.reuteg...@gmx.net>
Subject Re: Are XPath injections possible?
Date Tue, 26 Aug 2008 07:25:30 GMT
Hi Marc,

speaking of JSR 283... it will also allow you to create prepared queries with
variables that you can bind values to.

regards
 marcel

Marc Speck wrote:
> Hi Alex
> 
> Thanks for the quick response.
> 
>> 1) JCR SQL and XPath are read-only (no DROP table attacks)
> 
> Indeed, that makes it much more secure.
> 
> 
>> 2) XPath syntax is much more specific, so you cannot easily add
>> another statement in an injection
> 
> "cannot easily add" is not very reassuring in a security context ;-)
> But given 1), the worst thing that could happen is that the user gets more
> results. Provided that ACLs in JSR 283 work fine, the user has no
> access to hidden information.
> 
> 
>>
>> http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-jcr-commons/src/main/java/org/apache/jackrabbit/util/Text.java?view=markup
> 
> Thanks for that, didn't know.
> 
> Marc
> 

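The injection Marc asks about, and the JSR 283 bind-variable remedy Marcel points to, as an added example that is not code from this thread or from Jackrabbit. It uses only the standard javax.jcr API: Query.XPATH and QueryManager.createQuery from JCR 1.0, and Query.JCR_SQL2, Query.bindValue and the $name bind-variable syntax from JCR 2.0. The class name TitleSearch, the helper quoteXpathLiteral and the payload string are mine; quoteXpathLiteral assumes the repository's XPath parser follows XPath 2.0 string-literal rules (a doubled apostrophe inside a single-quoted literal), which JCR 1.0 XPath is based on.

```java
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.ValueFactory;
import javax.jcr.query.Query;
import javax.jcr.query.QueryManager;
import javax.jcr.query.QueryResult;

/**
 * Added example, not code from the thread or from Jackrabbit: searching nodes by a
 * user-supplied jcr:title, first with an injectable XPath query, then with the
 * string literal properly quoted, then with a JSR 283 (JCR 2.0) bind variable.
 */
public class TitleSearch {

    /** VULNERABLE: untrusted input is spliced straight into the XPath predicate. */
    public static String buildUnsafeXpath(String userTitle) {
        // With userTitle = x' or @jcr:title != 'x  the predicate becomes
        // [@jcr:title = 'x' or @jcr:title != 'x'], which is true for every titled node:
        // the "user gets more results" case discussed above (read-only, but over-matching).
        return "//element(*, nt:unstructured)[@jcr:title = '" + userTitle + "']";
    }

    /**
     * Doubles single quotes so the value cannot terminate the literal.
     * Assumption (mine): the XPath parser accepts '' inside a single-quoted literal,
     * as XPath 2.0 string-literal syntax specifies.
     */
    public static String quoteXpathLiteral(String value) {
        return "'" + value.replace("'", "''") + "'";
    }

    /** Hardened XPath: the whole input stays inside one string literal. */
    public static String buildQuotedXpath(String userTitle) {
        return "//element(*, nt:unstructured)[@jcr:title = "
                + quoteXpathLiteral(userTitle) + "]";
    }

    /** Runs the quoted XPath form against a live JCR session. */
    public static QueryResult searchQuoted(Session session, String userTitle)
            throws RepositoryException {
        QueryManager qm = session.getWorkspace().getQueryManager();
        return qm.createQuery(buildQuotedXpath(userTitle), Query.XPATH).execute();
    }

    /**
     * Preferred on JCR 2.0: the query text is a constant and the value travels as a
     * bound javax.jcr.Value, so no quoting logic is needed. $title is a JCR-SQL2
     * bind variable, the prepared-query facility JSR 283 adds.
     */
    public static QueryResult searchBound(Session session, String userTitle)
            throws RepositoryException {
        QueryManager qm = session.getWorkspace().getQueryManager();
        ValueFactory vf = session.getValueFactory();
        Query q = qm.createQuery(
                "SELECT * FROM [nt:unstructured] AS n WHERE n.[jcr:title] = $title",
                Query.JCR_SQL2);
        q.bindValue("title", vf.createValue(userTitle));
        return q.execute();
    }

    /** Offline demonstration: shows how the same constructed payload lands in each query string. */
    public static void main(String[] args) {
        // Constructed attacker input: closes the literal and ORs in an always-true comparison.
        String payload = "x' or @jcr:title != 'x";
        System.out.println("unsafe: " + buildUnsafeXpath(payload));
        System.out.println("quoted: " + buildQuotedXpath(payload));
    }
}
```

The main method needs only the javax.jcr API jar on the classpath to compile and prints the two assembled queries without a repository; searchQuoted and searchBound need a live Session. Because JCR queries are read-only and results are filtered by the session's access rights, the unsafe form leaks nothing the caller could not read anyway, but it can return far more than intended and lets the caller shape the query; the bound form removes that entirely.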
