jackrabbit-users mailing list archives

From "Marc Speck" <marcsp...@gmail.com>
Subject Re: Are XPath injections possible?
Date Tue, 26 Aug 2008 11:07:58 GMT
> speaking of JSR 283... it will also allow you to create prepared queries
> with
> variables that you can bind values to.

Thanks for the pointer, I didn't know.

> >> 2) XPath syntax is much more specific, so you cannot easily add
> >> another statement in an injection
> >
> > "cannot easily add" is not very reassuring in a security context ;-)
> I actually meant "cannot add" ;-) An XPath query is one single query only.

Yeah, I thought that you wanted to say that...

> > But taken 1), the worst thing that could happen is that the user gets more
> > results. Providing ACL in jsr283 is going to work fine, the user has no
> > access to hidden information.
> Correct. Although you could have that with JCR 1.0 already, too. You
> would "just" have to implement access control restrictions in
> Jackrabbit (write an AccessManager). It is already proven in a
> commercial JCR repository (CRX).

Implementing such a basic security component makes me somewhat nervous. As
far as I know, there is already a first implementation in the trunk. I can
wait for that and go from there.

Thanks for all the comments,
