I'm pretty sure doc(' ') (i.e. doc(' ')) throws an invalid URI
exception on every version, if you need a test case.

-Mike

On 4/30/2014 12:09 PM, Michael Blakeley wrote:
> With 7.0-2.3 I'm having a hard time finding anything that fails: doc('tug%x') 
> and doc('some.php?module=/path/with/badURI') and doc('!@#$%^&*()') and 
> even doc('{') all work for me. It makes sense for fn:doc to be very 
> permissive.
>
> Anyway I would just use try-catch. Performance should not be a problem, if 
> you are worried about that. Any database lookup should be more expensive than 
> a try-catch, and some simple tests confirm that.
>
> doc('a'), xdmp:elapsed-time()
> => PT0.000045S
>
> try { doc('a') }
> catch ($ex) { $ex },
> xdmp:elapsed-time()
> => PT0.000045S
>
> Profiling shows that the second expression is dominated by the call to 
> fn:doc, which is what I'd expect.
>
> -- Mike
>
> On 30 Apr 2014, at 07:32 , David Sewell <[email protected]> wrote:
>
>> A rare 500 error showed up in our logfile recently that was the evident result
>> of someone trying to mount an injection attack via URIs meant to pass code to
>> PHP. We have pretty solid handling of server-side errors so there's no real
>> security problem, but I'm a bit stumped as to how to tighten our calls to
>> fn:doc() to prevent them handling invalid URIs.
>>
>> Basically, the ErrorLog.txt error was similar to
>>
>> XDMP-URI: (err:FODC0005) fn:doc("some.php?module=/path/with/badURI") -- Invalid
>> URI format: "some.php?module=/path/with/badURI"
>>
>> where the argument to fn:doc() contained the attempted injection string.
>>
>> The specs for fn:doc($uri as xs:string?) say "if $uri is not a valid URI, an
>> error may be raised [err:FODC0005]." Clear enough, and I could just put a
>> try/catch around the call to fn:doc(). But what I'd rather do is to test for URI
>> validity before passing the string to fn:doc() in the first place.
>>
>> I thought that testing along the lines of
>>
>>      if ($string castable as xs:anyURI) then ....
>>
>> would do it, but that appears to return true no matter what string it receives.
>> For example,
>>
>>      "tug%x" castable as xs:anyURI
>>
>> returns true. (Saxon and BaseX return false--should MarkLogic?)
>>
>> Is there any alternative to try/catch here?
>>
>>
>>
>> -- 
>> David Sewell, Editorial and Technical Manager
>> ROTUNDA, The University of Virginia Press
>> PO Box 400314, Charlottesville, VA 22904-4314 USA
>> Email: [email protected]   Tel: +1 434 924 9973
>> Web: http://rotunda.upress.virginia.edu/
>> _______________________________________________
>> General mailing list
>> [email protected]
>> http://developer.marklogic.com/mailman/listinfo/general
>>
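Added example (not code from any of the posters): one way to combine the two approaches discussed in the thread, in MarkLogic XQuery. Since `castable as xs:anyURI` and even fn:doc itself accept strings like "tug%x" and "{", the check below does not try to define "invalid URI" in general; it allowlists the shape of URI the application actually serves and keeps try/catch as the backstop for whatever the static check misses (such as the single-space case). The `/docs/` prefix, the character class, the 256-character limit and the `.xml` suffix are assumptions about an application layout; `xdmp:log` and the `error:code` child of the caught error are MarkLogic-specific.

```xquery
xquery version "1.0-ml";

(: Added example, not from the thread. The /docs/ prefix, the allowed
   character set and the length cap are assumptions about one application;
   adjust them to the URIs your code base really hands to fn:doc. :)

(: Accept only URIs of the shape the application serves. An allowlist is more
   dependable than trying to reject "bad" URIs, because this server treats
   "tug%x", "{" and PHP-style query strings as perfectly valid arguments. :)
declare function local:uri-ok($uri as xs:string?) as xs:boolean
{
  exists($uri)
  and string-length($uri) le 256
  and not(contains($uri, "/../"))              (: no traversal inside the prefix :)
  and matches($uri, "^/docs/[A-Za-z0-9_./-]+\.xml$")
};

(: Reject unexpected input up front; try/catch remains as the backstop so a
   residual XDMP-URI error is logged and yields an empty sequence rather than
   a 500 to the client. :)
declare function local:safe-doc($uri as xs:string?) as document-node()?
{
  if (not(local:uri-ok($uri))) then
    xdmp:log(concat("safe-doc: rejected URI '", $uri, "'"), "warning")
  else
    try { fn:doc($uri) }
    catch ($ex) {
      xdmp:log(concat("safe-doc: ", $ex/error:code/string(),
                      " for URI '", $uri, "'"), "warning")
    }
};

(: Constructed inputs, including the strings quoted in the thread :)
for $u in ("/docs/letters/1801-03-04.xml",
           "some.php?module=/path/with/badURI",
           "tug%x",
           "/docs/../../etc/passwd",
           " ")
return concat("'", $u, "' -> ",
              if (local:uri-ok($u)) then "accepted" else "rejected")
```

Only the first constructed input passes `local:uri-ok`; the others are turned away before fn:doc is ever called, so the try/catch cost that Mike measured is paid only on requests that already look legitimate, and the log line records what was rejected.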
