A rare 500 error showed up in our logfile recently that was the evident result
of someone trying to mount an injection attack via URIs meant to pass code to
PHP. We have pretty solid handling of server-side errors so there's no real
security problem, but I'm a bit stumped as to how to tighten our calls to
fn:doc() to prevent them handling invalid URIs.
Basically, the ErrorLog.txt error was similar to
XDMP-URI: (err:FODC0005) fn:doc("some.php?module=/path/with/badURI") -- Invalid URI format: "some.php?module=/path/with/badURI"
where the argument to fn:doc() contained the attempted injection string.
The specs for fn:doc($uri as xs:string?) say "if $uri is not a valid URI, an
error may be raised [err:FODC0005]." Clear enough, and I could just put a
try/catch around the call to fn:doc(). But what I'd rather do is to test for URI
validity before passing the string to fn:doc() in the first place.
I thought that testing along the lines of
if ($string castable as xs:anyURI) then ....
would do it, but that appears to return true no matter what string it receives.
For example,
"tug%x" castable as xs:anyURI
returns true. (Saxon and BaseX return false--should MarkLogic?)
Is there any alternative to try/catch here?
--
David Sewell, Editorial and Technical Manager
ROTUNDA, The University of Virginia Press
PO Box 400314, Charlottesville, VA 22904-4314 USA
Email: [email protected] Tel: +1 434 924 9973
Web: http://rotunda.upress.virginia.edu/
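As an added example (not from the post and not MarkLogic's own code), here is the kind of pre-check the question asks for, written in Python so that the rules are explicit; the two regular expressions translate directly to fn:matches() in XQuery. The "/docs/...xml" shape in is_expected_doc_uri is an assumed application rule, not something the post states.

```python
import re

# Characters RFC 3986 allows anywhere in a URI reference: unreserved, reserved
# (gen-delims + sub-delims) and the '%' that starts a percent-encoded octet.
_ALLOWED = re.compile(r"^[A-Za-z0-9\-._~:/?#\[\]@!$&'()*+,;=%]*$")
# A '%' not followed by exactly two hex digits is a broken escape ("tug%x").
_BAD_PCT = re.compile(r"%(?![0-9A-Fa-f]{2})")
# scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." )
_SCHEME = re.compile(r"^[A-Za-z][A-Za-z0-9+\-.]*$")
# Assumed application rule: our documents live under /docs/ and end in .xml.
_EXPECTED_DOC = re.compile(r"^/docs/[A-Za-z0-9_\-/]+\.xml$")


def is_valid_uri_reference(s: str) -> bool:
    """Syntactic RFC 3986 check, stricter than `castable as xs:anyURI`.

    Rejects characters outside the URI alphabet, malformed percent-escapes,
    more than one fragment delimiter, and a leading component that has a
    ':' but is not a well-formed scheme (a relative reference's first path
    segment may not contain ':').  It does not validate host syntax.
    """
    if not _ALLOWED.match(s) or _BAD_PCT.search(s):
        return False
    if s.count("#") > 1:
        return False
    head = re.split(r"[/?#]", s, maxsplit=1)[0]
    if ":" in head and not _SCHEME.match(head.split(":", 1)[0]):
        return False
    return True


def is_expected_doc_uri(s: str) -> bool:
    """Allowlist check: syntactically valid AND shaped like one of our document
    URIs.  Note that the logged "some.php?module=..." string is a perfectly
    valid relative URI reference, so syntax alone would not have stopped it."""
    return is_valid_uri_reference(s) and _EXPECTED_DOC.match(s) is not None


def check_before_doc(uris):
    """Return {uri: (valid_syntax, accepted)} for a batch of candidate strings."""
    return {u: (is_valid_uri_reference(u), is_expected_doc_uri(u)) for u in uris}


if __name__ == "__main__":
    # Constructed sample inputs, including the two strings quoted in the post.
    samples = ["tug%x", "tug%41", "some.php?module=/path/with/badURI",
               "/docs/letters/1803-01-07.xml", "/docs/../x.xml"]
    for uri, (syntax_ok, accepted) in check_before_doc(samples).items():
        print(f"{uri!r}: valid-syntax={syntax_ok} accepted={accepted}")
```

Running the syntax check alone still lets the logged string through, which is why the allowlist on the expected document-URI shape is the check that actually keeps unexpected strings away from fn:doc().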
_______________________________________________
General mailing list
[email protected]
http://developer.marklogic.com/mailman/listinfo/general