On 05/03/2010 12:07 PM, Vincent Massol wrote:
On Apr 30, 2010, at 3:56 PM, Caleb James DeLisle wrote:
We do and users should, but there is a function
which allows script authors to construct queries for document names
so they are allowed to finish an HQL query. If the script author is malicious or if they
don't properly use
prepared statements then SQL can be injected into the HQL.
see XWiki.searchDocuments
http://maven.xwiki.org/site/xwiki-core-parent/xwiki-core/apidocs/com/xpn/xw…
Actually Gregor might be right and we could decide to deprecate this method and recommend
to use one which would take a varargs list of parameters, wdyt?
That still won't fix the problem, since the query can still hold
non-parameterized code. So, something like this would work:
searchDocuments(" where doc.name like ? and doc.space = 'Main'",
['X%'])
This will only encourage users (devs) to use parameterized queries, but
will still leave the security problem wide open.
>
> I hope this clears up exactly what the issue is.
>
> Caleb
>
>
> Gregor Schneider wrote:
>> Very simple question:
>>
>> Instead of manually playing cats& dogs (i.e. escaping backslashes) -
>> why don't you just use PreparedStatements?
>>
>> Just a thought...
>>
>> Rgds
>>
>> Gregor
--
Sergiu Dumitriu
http://purl.org/net/sergiu/