From: "Alexander Klimetschek"
To: users@jackrabbit.apache.org
Date: Tue, 26 Aug 2008 10:25:40 +0200
Subject: Re: Are XPath injections possible?
On Mon, Aug 25, 2008 at 4:51 PM, Marc Speck wrote:
>> 2) XPath syntax is much more specific, so you cannot easily add
>> another statement in an injection
>
> "cannot easily add" is not very reassuring in a security context ;-)

I actually meant "cannot add" ;-) An XPath query is one single query only.

> But taken 1), the worst thing that could happen is that the user gets more
> results. Providing ACL in jsr283 is going to work fine, the user has no
> access to hidden information.

Correct. Although you could have that with JCR 1.0 already, too. You would "just" have to implement access control restrictions in Jackrabbit (write an AccessManager). It is already proven in a commercial JCR repository (CRX).

Regards,
Alex

-- 
Alexander Klimetschek
alexander.klimetschek@day.com
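An added illustration of the point made in this thread, written by the editor rather than by anyone on the list or by the Jackrabbit project: a JCR XPath query built by string concatenation cannot be turned into a second statement, but an attacker can close the string literal and append an extra predicate, which is exactly the "user gets more results" case. The block builds the naive query, builds a quoted one, and then uses a small literal-aware scanner to count the `or` operators that sit outside string literals. The query template, node type and attribute names are made up for the example. The escaping convention it assumes is the XPath 2.0 one that the JSR-170 grammar is derived from (an apostrophe inside a single-quoted literal is written as `''`); confirm that against the query parser of the repository you actually run, because an XPath 1.0 parser would need `concat()` instead.

```python
"""Added example (not from the Jackrabbit list thread): widening a JCR XPath
query through an unquoted search term, and keeping the term inside one
string literal instead.

Assumption: the target XPath parser follows XPath 2.0 quoting, where '' is
an escaped apostrophe inside a '...' literal.  The template, node type and
attribute names below are constructed for the example.
"""

import re


def build_query_unsafe(term: str) -> str:
    """Naive concatenation: the raw term becomes part of the predicate."""
    return "//element(*, nt:file)[@jcr:title = '" + term + "']"


def xpath_string_literal(value: str) -> str:
    """Return value as a single XPath 2.0 string literal.

    Doubling each apostrophe keeps the whole value inside one literal, so a
    term such as  x' or @jcr:title != 'x  cannot close the literal and add
    a second predicate.  (Assumption: parser accepts '' as an escape.)
    """
    return "'" + value.replace("'", "''") + "'"


def build_query_safe(term: str) -> str:
    """Same template as build_query_unsafe, but the term is one literal."""
    return "//element(*, nt:file)[@jcr:title = " + xpath_string_literal(term) + "]"


def strip_string_literals(query: str) -> str:
    """Replace every '...' or "..." literal with an empty pair of quotes.

    Handles the XPath 2.0 doubled-quote escape, so operators that live inside
    user data are not mistaken for operators of the query itself.  An
    unterminated literal is treated as running to the end of the query.
    """
    out = []
    i, n = 0, len(query)
    while i < n:
        c = query[i]
        if c not in ("'", '"'):
            out.append(c)
            i += 1
            continue
        quote = c
        out.append(quote)
        i += 1
        while i < n:
            if query[i] == quote:
                if i + 1 < n and query[i + 1] == quote:  # escaped quote
                    i += 2
                    continue
                break  # closing quote
            i += 1
        out.append(quote)
        i += 1
    return "".join(out)


def count_or_operators(query: str) -> int:
    """Number of `or` operators outside string literals.

    The template above has none; any `or` that survives stripping came from
    the concatenated term and widens the result set.
    """
    return len(re.findall(r"\bor\b", strip_string_literals(query)))


if __name__ == "__main__":
    # Constructed payload: closes the literal and appends a predicate that
    # is true for every node, so the single query now matches all nt:file.
    payload = "x' or @jcr:title != 'x"
    for label, q in (("unsafe", build_query_unsafe(payload)),
                     ("safe", build_query_safe(payload))):
        print(f"{label}: {q}")
        print(f"  injected 'or' operators: {count_or_operators(q)}")
```

The same treatment applies to the Java string you would hand to `QueryManager.createQuery(statement, Query.XPATH)`; quoting the value is what keeps the predicate count fixed, and the access manager discussed in the thread is what bounds the damage if a term ever reaches the parser unquoted.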