[ https://issues.apache.org/jira/browse/JENA-1497?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16386157#comment-16386157 ]

ASF subversion and git services commented on JENA-1497:
-------------------------------------------------------

Commit 411c1031a0f51885f6966914c58202654614be13 in jena's branch refs/heads/master from [~rvesse]
[ https://git-wip-us.apache.org/repos/asf?p=jena.git;h=411c103 ]

Fix delimiter parsing logic (JENA-1497)

Logical flaws in using continue vs break inside inner loops were
causing the wrong delimiter positions to be detected and leading to
false positives being reported for potential injection attacks. Fixing
the logic allows the user test case to pass.


> ParameterizedSparqlString detects delimiters incorrectly
> --------------------------------------------------------
>
>                 Key: JENA-1497
>                 URL: https://issues.apache.org/jira/browse/JENA-1497
>             Project: Apache Jena
>          Issue Type: Bug
>          Components: ARQ
>    Affects Versions: Jena 3.6.0
>            Reporter: Rob Vesse
>            Assignee: Rob Vesse
>            Priority: Major
>
> As reported on the mailing list - 
> https://lists.apache.org/thread.html/3855aa8046cfea61433042655144f071c56baa7c5d61a78544730455@%3Cusers.jena.apache.org%3E
> Investigation shows that the delimiter parsing logic has some flaws that 
> cause it to do the wrong thing, resulting in the possibility of incorrect 
> detection of injection attacks, leading to some valid SPARQL strings being 
> rejected when attempting to inject parameters.
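As an added illustration (not Jena's code), here is a simplified Python model of the delimiter scan that a parameterized SPARQL string performs before substituting a value: it records the spans of quoted literals, handling escaped quotes, and flags a variable that sits inside a literal, since a value injected there could break out of the string. The comments mark where `continue` (skip an escaped character) and `break` (real closing delimiter) belong in the inner loop, which is the logic the commit corrects; the delimiter set, escape handling and sample queries are assumptions.

```python
import re
from typing import List, Tuple

# Constructed model of the delimiter scan, not Jena's implementation:
# the delimiter set and the escape handling are assumptions.
DELIMITERS = ('"""', "'''", '"', "'")  # longest first so """ beats "

def find_literal_spans(query: str) -> List[Tuple[int, int]]:
    """Return [start, end) spans of every quoted literal in `query`."""
    spans: List[Tuple[int, int]] = []
    i, n = 0, len(query)
    while i < n:
        delim = next((d for d in DELIMITERS if query.startswith(d, i)), None)
        if delim is None:
            i += 1
            continue
        start, j, closed = i, i + len(delim), False
        while j < n:
            if query[j] == "\\":
                # Escaped char such as \" or \\: skip it and keep scanning.  A
                # `break` here would end the literal early and misplace delimiters.
                j += 2
                continue
            if query.startswith(delim, j):
                # Real closing delimiter: the inner loop must stop here; a
                # `continue` would run past the true end of the literal.
                j += len(delim)
                closed = True
                break
            j += 1
        if not closed:
            j = n  # unterminated literal runs to the end of the input
        spans.append((start, j))
        i = j
    return spans

def variable_positions(query: str, var: str) -> List[int]:
    """Offsets of every ?var occurrence (word-bounded so ?age != ?agent)."""
    return [m.start() for m in re.finditer(r"\?" + re.escape(var) + r"\b", query)]

def unsafe_injection_points(query: str, var: str) -> List[int]:
    """Offsets where ?var sits inside a quoted literal; such queries are rejected."""
    spans = find_literal_spans(query)
    return [p for p in variable_positions(query, var)
            if any(s <= p < e for s, e in spans)]

# Constructed sample queries.  SAFE has an escaped quote before ?age: a scanner
# that stops at the escape reports ?age as inside a literal (the false positive).
SAFE = 'SELECT ?s WHERE { ?s <http://example.org/name> "O\\"Brien" . ?s <http://example.org/age> ?age }'
UNSAFE = 'SELECT ?s WHERE { ?s <http://example.org/name> "Hello ?name" }'
```

Running `unsafe_injection_points(SAFE, "age")` returns an empty list, while `unsafe_injection_points(UNSAFE, "name")` returns the offset of the `?name` inside the literal.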



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
