jackrabbit-users mailing list archives

From "Marc Speck" <marcsp...@gmail.com>
Subject Re: Are XPath injections possible?
Date Mon, 25 Aug 2008 14:51:56 GMT
Hi Alex

Thanks for the quick response.

> 1) JCR SQL and XPath are read-only (no DROP table attacks)

Indeed, that makes it much more secure.

> 2) XPath syntax is much more specific, so you cannot easily add
> another statement in an injection

"cannot easily add" is not very reassuring in a security context ;-)
But given 1), the worst thing that could happen is that the user gets more
results. Provided the ACLs in JSR 283 work fine, the user has no
access to hidden information.

> http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-jcr-commons/src/main/java/org/apache/jackrabbit/util/Text.java?view=markup

Thanks for that, didn't know.

