Vincent Massol wrote:
On Apr 30, 2010, at 3:56 PM, Caleb James DeLisle wrote:
We do, and users should, but there is a function which allows script authors to construct queries for document names, so they are allowed to finish an HQL query. If the script author is malicious, or if they don't properly use prepared statements, then SQL can be injected into the HQL.
see XWiki.searchDocuments
http://maven.xwiki.org/site/xwiki-core-parent/xwiki-core/apidocs/com/xpn/xw…
Actually Gregor might be right, and we could decide to deprecate this method and recommend using one which would take a varargs list of parameters, wdyt?
When there are no user-supplied parameters the "bad" method is fine, e.g.:
$searchDocuments("where doc.space='Main'")
Also, a script author can still make a mistake with the "good" method and not parametrize enough, e.g.:
$searchDocuments("where doc.space='" + $userInput + "' and doc.name=?", [$moreUserInput])
Of course the advisory is considering the possibility of a malicious script author who could exploit either method.
A good long-term answer would be to make the query be written in type-safe Java where the code always knows what needs to be parametrized.
This is an interesting project:
http://source.mysema.com/static/querydsl/latest/reference/html/ch02s04.html
Caleb
Thanks
-Vincent
I hope this clears up exactly what the issue is.
Caleb
Gregor Schneider wrote:
> Very simple question:
>
> Instead of manually playing cats & dogs (i.e. escaping backslashes) -
> why don't you just use PreparedStatements?
>
> Just a thought...
>
> Rgds
>
> Gregor
_______________________________________________
users mailing list
users(a)xwiki.org
http://lists.xwiki.org/mailman/listinfo/users
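The three usages discussed in the thread (the "bad" method with a constant where-clause, the "good" method with a half-parametrized where-clause, and a fully parametrized where-clause) side by side, as an added example that is not part of the thread or of XWiki's code. `search_documents` below is a stand-in that simulates the shape of the API described above (the caller supplies a WHERE fragment and an optional positional parameter list; the API prepends the SELECT); the table, column names and rows are constructed for this example and are not XWiki's schema, and SQLite stands in for HQL. `has_inline_literals` is an added review heuristic, not anything from the thread.

```python
import re
import sqlite3

# Constructed sample rows standing in for XWikiDocument (not XWiki's schema).
DOCS = [("Main", "WebHome"), ("Main", "Sandbox"), ("Admin", "Secrets")]


def _db():
    """In-memory SQLite table `doc` with the constructed rows above."""
    con = sqlite3.connect(":memory:")
    con.execute("create table doc (space text, name text)")
    con.executemany("insert into doc values (?, ?)", DOCS)
    return con


def search_documents(where_sql, params=()):
    """Stand-in for the searchDocuments API described in the thread: the
    caller finishes the query with a WHERE fragment and optional positional
    parameters, and the API prepends the SELECT. Returns Space.Name strings."""
    con = _db()
    try:
        sql = "select doc.space || '.' || doc.name from doc " + where_sql
        return sorted(row[0] for row in con.execute(sql, tuple(params)))
    finally:
        con.close()


def search_constant(space):
    """The 'bad' method is fine when the fragment is a constant the script
    author wrote, e.g. the thread's where doc.space='Main'."""
    return search_documents("where doc.space='%s'" % space)


def search_half_parametrized(user_space, user_name):
    """The thread's second example: only the second value is parametrized,
    so the first one still reaches the query as raw query text."""
    fragment = "where doc.space='" + user_space + "' and doc.name=?"
    return search_documents(fragment, [user_name])


def search_parametrized(user_space, user_name):
    """Every user-derived value goes through a positional parameter, so the
    query structure is fixed by the script author and cannot be altered."""
    return search_documents("where doc.space=? and doc.name=?",
                            [user_space, user_name])


def has_inline_literals(where_sql):
    """Review heuristic (added here): a WHERE fragment that contains a quoted
    string literal is worth a second look, because a literal is where
    concatenated input usually ends up. Parametrized fragments have none."""
    return re.search(r"'[^']*'", where_sql) is not None


if __name__ == "__main__":
    # Constructed input that closes the literal and changes the query's shape.
    crafted = "Main' or doc.space='Admin"
    print("constant      :", search_constant("Main"))
    print("half-param    :", search_half_parametrized(crafted, "Secrets"))
    print("fully param   :", search_parametrized(crafted, "Secrets"))
    print("literal check :", has_inline_literals("where doc.space=? and doc.name=?"))
```

The half-parametrized call shows the point of the thread: the `?` protects `$moreUserInput` only, while `$userInput` still lands in the query text, and the fully parametrized call with the same inputs matches nothing because the value is compared as data. The literal check is a cheap code-review aid, not a substitute for the type-safe query construction the thread mentions.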