On May 3, 2010, at 12:34 PM, Sergiu Dumitriu wrote:
On 05/03/2010 12:07 PM, Vincent Massol wrote:
On Apr 30, 2010, at 3:56 PM, Caleb James DeLisle wrote:
We do and users should, but there is a function
which allows script authors to construct queries for document names
so they are allowed to finish an HQL query. If the script author is malicious or if they
don't properly use
prepared statements then SQL can be injected into the HQL.
see XWiki.searchDocuments
http://maven.xwiki.org/site/xwiki-core-parent/xwiki-core/apidocs/com/xpn/xw…
Actually Gregor might be right and we could decide to deprecate this method and recommend
to use one which would take a varargs list of parameters, wdyt?
That still won't fix the problem, since the query can still hold
non-parameterized code. So, something like this would work:
searchDocuments(" where doc.name like ? and doc.space = 'Main'",
['X%'])
This will only encourage users (devs) to use parameterized queries, but
will still leave the security problem wide open.
Yes but then we could also escape the quote characters... ;)
We would have a backward compat issue to handle though but that's doable with some
security setting for ex.
-Vincent
>> I hope this clears up exactly what the issue is.
>>
>> Caleb
>>
>>
>> Gregor Schneider wrote:
>>> Very simple question:
>>>
>>> Instead of manually playing cats & dogs (i.e. escaping backslashes) -
>>> why don't you just use PreparedStatements?
>>>
>>> Just a thought...
>>>
>>> Rgds
>>>
>>> Gregor
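The thread's point is that binding values (the `?` placeholders) protects the values but not the fragment itself, which is still code. An added example, not XWiki code and not from anyone in the thread, of the alternative design Sergiu's objection points toward: the caller supplies structured conditions, column and operator names are checked against a whitelist, and every value is bound. The `documents` table and its rows are a constructed stand-in for XWiki's document table.

```python
"""Whitelisted condition builder as a safer alternative to accepting a raw
HQL/SQL fragment from a script author.  Added example, not XWiki's API."""
import sqlite3

# Only these columns and operators may appear in a caller-supplied condition
# (assumed names for the example, not XWiki's real schema).
ALLOWED_COLUMNS = {"name", "space", "author"}
ALLOWED_OPS = {"=", "like", "<>"}


def build_where(conditions):
    """Turn [(column, op, value), ...] into a parameterized WHERE clause.

    Column and operator names are validated against the whitelist; values are
    never interpolated into the SQL, only returned as bind parameters."""
    clauses, params = [], []
    for column, op, value in conditions:
        if column not in ALLOWED_COLUMNS:
            raise ValueError(f"column not allowed: {column!r}")
        if op.lower() not in ALLOWED_OPS:
            raise ValueError(f"operator not allowed: {op!r}")
        clauses.append(f"doc.{column} {op.lower()} ?")
        params.append(value)
    return " and ".join(clauses), params


def search_documents(conn, conditions):
    """Run the whitelisted query and return matching document names."""
    where, params = build_where(conditions)
    sql = "select doc.name from documents doc where " + where
    return [row[0] for row in conn.execute(sql, params)]


def demo_conn():
    """Constructed sample data: an in-memory table standing in for documents."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table documents (name text, space text, author text)")
    conn.executemany("insert into documents values (?, ?, ?)", [
        ("XWikiSyntax", "Main", "Admin"),
        ("XYZ", "Sandbox", "Guest"),
        ("WebHome", "Main", "Admin"),
    ])
    return conn


if __name__ == "__main__":
    # The thread's example ("doc.name like ? and doc.space = 'Main'", ['X%'])
    # expressed as structured conditions: the literal 'Main' becomes a bound value.
    print(search_documents(demo_conn(),
                           [("name", "like", "X%"), ("space", "=", "Main")]))
```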