jackrabbit-users mailing list archives

From "Marc Speck" <marcsp...@gmail.com>
Subject Re: Are XPath injections possible?
Date Tue, 26 Aug 2008 11:07:58 GMT
>
>
> speaking of JSR 283... it will also allow you to create prepared queries
> with variables that you can bind values to.
>

Thanks for the pointer, I didn't know.


> >> 2) XPath syntax is much more specific, so you cannot easily add
> >> another statement in an injection
> >
> > "cannot easily add" is not very reassuring in a security context ;-)
>
>
I actually meant "cannot add" ;-) An XPath query is one single query only.


Yeah, I thought that you wanted to say that...



> > But taken 1), the worst thing that could happen is that the user gets
> > more results. Providing ACL in jsr283 is going to work fine, the user has no
> > access to hidden information.
>
>
> Correct. Although you could have that with JCR 1.0 already, too. You
> would "just" have to implement access control restrictions in
> Jackrabbit (write an AccessManager). It is already proven in a
> commercial JCR repository (CRX).
>

Implementing such a basic security component makes me somewhat nervous. As
far as I know, there is already a first implementation in the trunk. I can
wait for that and go from there.

Thanks for all the comments,
Marc
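The thread above contrasts XPath queries built by string concatenation with the JSR 283 prepared queries that take bound values. The following is an added Python example, not Jackrabbit or JCR code and not talking to any repository: an XPath 1.0 string-literal quoting routine for the JCR 1.0 case (where no bind variables exist), plus a small binder that mimics the bindValue() idea by substituting `$name` variables only with quoted literals, so a value can widen a predicate's matches at most and never alter the query's structure. The function names, the `$name` template syntax and the sample queries are constructed for this illustration.

```python
import re

# Bind-variable syntax in the style of JSR 283 (JCR 2.0) queries: $name.
# Assumption: templates contain no literal "$" outside bind variables.
_BIND_VAR = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)")


def xpath_string_literal(value: str) -> str:
    """Return an XPath 1.0 string literal that evaluates to exactly `value`.

    XPath 1.0 has no escape sequences inside string literals, so a value
    containing both ' and " has to be assembled with concat().
    """
    if "'" not in value:
        return f"'{value}'"
    if '"' not in value:
        return f'"{value}"'
    # Both quote kinds present: single-quote each chunk and splice the
    # single quotes back in as double-quoted one-character literals.
    parts = value.split("'")
    pieces = []
    for i, part in enumerate(parts):
        if part:
            pieces.append(f"'{part}'")
        if i < len(parts) - 1:
            pieces.append('"\'"')
    return "concat(" + ", ".join(pieces) + ")"


def bind_values(template: str, **values: str) -> str:
    """Substitute every $name in `template` with a quoted XPath literal.

    The query text is fixed at the call site and values are only ever
    inserted as literals. Unbound or unknown variables are rejected so a
    typo cannot silently leave a predicate open.
    """
    names = set(_BIND_VAR.findall(template))
    missing = names - values.keys()
    if missing:
        raise ValueError(f"unbound variables: {sorted(missing)}")
    unknown = values.keys() - names
    if unknown:
        raise ValueError(f"unknown variables: {sorted(unknown)}")
    return _BIND_VAR.sub(lambda m: xpath_string_literal(values[m.group(1)]), template)


def naive_author_query(author: str) -> str:
    """The concatenation style the thread warns about (for comparison only)."""
    return f"//element(*, nt:unstructured)[@author = '{author}']"


def author_query(author: str) -> str:
    """Query for nodes whose @author equals the user-supplied value."""
    return bind_values("//element(*, nt:unstructured)[@author = $author]", author=author)


if __name__ == "__main__":
    # Constructed sample value: an apostrophe breaks the naive query's
    # syntax, while the bound version stays a single well-formed query.
    name = "O'Brien"
    print("naive:", naive_author_query(name))
    print("bound:", author_query(name))
```

The naive variant is kept only to show the contrast; in JCR 1.0 code the `xpath_string_literal` step is the piece to keep, and with JSR 283 the repository's own `bindValue()` replaces both helpers.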
