jackrabbit-users mailing list archives

From "Alexander Klimetschek" <aklim...@day.com>
Subject Re: Are XPath injections possible?
Date Tue, 26 Aug 2008 08:25:40 GMT
On Mon, Aug 25, 2008 at 4:51 PM, Marc Speck <marcspeck@gmail.com> wrote:
>> 2) XPath syntax is much more specific, so you cannot easily add
>> another statement in an injection
>
> "cannot easily add" is not very reassuring in a security context ;-)

I actually meant "cannot add" ;-) An XPath query is one single query only.

> But taken 1), the worst thing that could happen is that the user gets more
> results. Providing ACL in jsr283 is going to work fine, the user has no
> access to hidden information.

Correct. Although you could have that with JCR 1.0 already, too. You
would "just" have to implement access control restrictions in
Jackrabbit (write an AccessManager). It is already proven in a
commercial JCR repository (CRX).

Regards,
Alex

-- 
Alexander Klimetschek
alexander.klimetschek@day.com
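The point made in this thread (an injected quote cannot turn an XPath statement into a second query, but it can widen the predicate so the caller gets more results) is easy to reproduce, and so is the fix: never paste user input into a predicate, embed it as a well-formed XPath string literal. The class below is an added example, not code from Jackrabbit or from the thread's authors. It uses the JDK's own XPath 1.0 engine over a small constructed XML document that stands in for repository nodes instead of a real JCR session; the sample data, the attribute names and the helper names are all made up for the illustration. The same builder output would be handed to QueryManager.createQuery(statement, Query.XPATH) in a JCR 1.0 application, with the caveat that Jackrabbit's own XPath dialect has its own rules for quotes inside literals, so the builder's output should be checked against the version actually deployed.

```java
import java.io.StringReader;
import java.util.ArrayList;
import java.util.List;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathConstants;
import javax.xml.xpath.XPathFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

public class XPathLiteralDemo {

    // Constructed sample data standing in for repository nodes; not a Jackrabbit workspace.
    private static final String SAMPLE =
        "<root>"
      + "<doc title=\"public report\" owner=\"alice\"/>"
      + "<doc title=\"draft budget\" owner=\"bob\"/>"
      + "<doc title=\"minutes 'Q3'\" owner=\"alice\"/>"
      + "</root>";

    /** Naive builder: the input is pasted into the predicate, so a quote in it ends the literal. */
    static String naiveQuery(String title) {
        return "//doc[@title='" + title + "']";
    }

    /** Turns any string into a single XPath 1.0 string literal, whatever characters it contains. */
    static String xpathLiteral(String s) {
        if (!s.contains("'")) {
            return "'" + s + "'";
        }
        if (!s.contains("\"")) {
            return "\"" + s + "\"";
        }
        // Both quote kinds present: split on the apostrophe and glue the pieces with concat().
        StringBuilder sb = new StringBuilder("concat(");
        String[] parts = s.split("'", -1);
        for (int i = 0; i < parts.length; i++) {
            if (i > 0) {
                sb.append(", \"'\", ");
            }
            sb.append('\'').append(parts[i]).append('\'');
        }
        return sb.append(')').toString();
    }

    /** Hardened builder: the input can only ever be compared as a value, never parsed as syntax. */
    static String safeQuery(String title) {
        return "//doc[@title=" + xpathLiteral(title) + "]";
    }

    /** Evaluates a query against the sample document and returns the matching titles. */
    static List<String> run(String query) throws Exception {
        Document doc = DocumentBuilderFactory.newInstance().newDocumentBuilder()
            .parse(new InputSource(new StringReader(SAMPLE)));
        XPath xp = XPathFactory.newInstance().newXPath();
        NodeList nodes = (NodeList) xp.evaluate(query, doc, XPathConstants.NODESET);
        List<String> titles = new ArrayList<>();
        for (int i = 0; i < nodes.getLength(); i++) {
            titles.add(((Element) nodes.item(i)).getAttribute("title"));
        }
        return titles;
    }

    public static void main(String[] args) throws Exception {
        // Input that closes the literal and extends the predicate: the "user gets more results" case.
        String widening = "x' or @owner='bob";
        System.out.println(naiveQuery(widening) + " -> " + run(naiveQuery(widening)));
        System.out.println(safeQuery(widening) + " -> " + run(safeQuery(widening)));

        // A legitimate title containing an apostrophe is still found by the hardened builder.
        System.out.println(safeQuery("minutes 'Q3'") + " -> " + run(safeQuery("minutes 'Q3'")));

        // Both quote kinds in one value: concat() keeps it a single literal.
        System.out.println(xpathLiteral("it's \"odd\""));
    }
}
```

Running main shows the two behaviours side by side: the naive builder returns the document owned by bob although its title was never requested, while the hardened builder returns nothing for the same input and still matches the title that genuinely contains an apostrophe. As the thread notes, an AccessManager (or JSR 283 access control) bounds what such a widened result can expose, but the query builder is the cheaper place to stop it.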
