With 7.0-2.3 I'm having a hard time finding anything that fails: doc('tug%x') 
and doc('some.php?module=/path/with/badURI') and doc('!@#$%^&*()') and even 
doc('{') all work for me. It makes sense for fn:doc to be very permissive.

Anyway I would just use try-catch. Performance should not be a problem, if you 
are worried about that. Any database lookup should be more expensive than a 
try-catch, and some simple tests confirm that.

doc('a'), xdmp:elapsed-time()
=> PT0.000045S

try { doc('a') }
catch ($ex) { $ex },
xdmp:elapsed-time()
=> PT0.000045S

Profiling shows that the second expression is dominated by the call to fn:doc, 
which is what I'd expect.

-- Mike
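
As an added example (not code from Mike's or David's posts, and not MarkLogic code): a Python model of the stricter pre-check David asked for, an RFC 3986 character-level syntax test that rejects 'tug%x' and '{' while still accepting 'some.php?module=/path/with/badURI', placed beside the try/catch backstop Mike recommends. fn:doc() is replaced by a constructed dictionary lookup, and all function names here are made up for the illustration; the character class could be ported to fn:matches() in XQuery.

```python
import re
from urllib.parse import urlsplit

# Characters RFC 3986 allows in a URI reference: unreserved, gen-delims,
# sub-delims, plus percent-escapes that are exactly "%" + two hex digits.
# Anything else ("{", "^", a bare "%", "%x", whitespace) is a syntax error.
_URI_SYNTAX = re.compile(
    r"(?:[A-Za-z0-9\-._~:/?#\[\]@!$&'()*+,;=]|%[0-9A-Fa-f]{2})*"
)


def is_uri_syntax(s: str) -> bool:
    """Strict syntactic check, independent of whether the document exists."""
    if _URI_SYNTAX.fullmatch(s) is None:
        return False
    try:
        urlsplit(s)  # rejects e.g. an unterminated IPv6 literal "http://[::1"
    except ValueError:
        return False
    return True


class InvalidURIError(ValueError):
    """Stand-in for the err:FODC0005 / XDMP-URI error raised by fn:doc()."""


def doc(db: dict, uri: str):
    """Constructed stand-in for fn:doc(): error on a bad URI, None if missing."""
    if not is_uri_syntax(uri):
        raise InvalidURIError(f"Invalid URI format: {uri!r}")
    return db.get(uri)


def doc_or_none(db: dict, uri: str, rejected: list):
    """Defensive wrapper: pre-check so bad input is logged and never reaches
    the store, then still catch, because the store may be stricter than the
    regex (David's 'some.php?...' string passes the syntax test yet was
    rejected by his server). Rejected inputs go to `rejected` for the log."""
    if not is_uri_syntax(uri):
        rejected.append(("syntax", uri))
        return None
    try:
        return doc(db, uri)
    except InvalidURIError:
        rejected.append(("store", uri))
        return None


if __name__ == "__main__":
    log = []
    store = {"/docs/report.xml": "<report/>"}  # constructed sample database
    for candidate in ["/docs/report.xml", "tug%x", "{", "!@#$%^&*()"]:
        print(candidate, "->", doc_or_none(store, candidate, log))
    print("rejected:", log)
```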

On 30 Apr 2014, at 07:32 , David Sewell <[email protected]> wrote:

> A rare 500 error showed up in our logfile recently that was the evident result
> of someone trying to mount an injection attack via URIs meant to pass code to
> PHP. We have pretty solid handling of server-side errors so there's no real
> security problem, but I'm a bit stumped as to how to tighten our calls to
> fn:doc() to prevent them handling invalid URIs.
> 
> Basically, the ErrorLog.txt error was similar to
> 
> XDMP-URI: (err:FODC0005) fn:doc("some.php?module=/path/with/badURI") --
> Invalid URI format: "some.php?module=/path/with/badURI"
> 
> where the argument to fn:doc() contained the attempted injection string.
> 
> The specs for fn:doc($uri as xs:string?) say "if $uri is not a valid URI, an
> error may be raised [err:FODC0005]." Clear enough, and I could just put a
> try/catch around the call to fn:doc(). But what I'd rather do is to test for
> URI validity before passing the string to fn:doc() in the first place.
> 
> I thought that testing along the lines of
> 
>       if ($string castable as xs:anyURI) then ....
> 
> would do it, but that appears to return true no matter what string it
> receives. For example,
> 
>       "tug%x" castable as xs:anyURI
> 
> returns true. (Saxon and BaseX return false--should MarkLogic?)
> 
> Is there any alternative to try/catch here?
> 
> -- 
> David Sewell, Editorial and Technical Manager
> ROTUNDA, The University of Virginia Press
> PO Box 400314, Charlottesville, VA 22904-4314 USA
> Email: [email protected]   Tel: +1 434 924 9973
> Web: http://rotunda.upress.virginia.edu/
> _______________________________________________
> General mailing list
> [email protected]
> http://developer.marklogic.com/mailman/listinfo/general
> 
