The problem is much less critical in Jackrabbit due to the following reasons:

1) JCR SQL and XPath are read-only (no DROP table attacks)
2) XPath syntax is much more specific, so you cannot easily add another statement in an injection (mostly you will have variable replacement only inside predicates)
3) Mostly you will use the JCR API to look up things and use queries more for full-text searches (I know, this one is not a good argument, but at least this describes the typical JCR usage ;-))

The jackrabbit-jcr-commons jar contains some helper classes for escaping and converting, e.g. org.apache.jackrabbit.util.Text with escape()/unescape() of JCR names (to get valid node names):
http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-jcr-commons/src/main/java/org/apache/jackrabbit/util/Text.java?view=markup

Not sure where to find other kinds of XPath escaping...

Regards,
Alex

On Mon, Aug 25, 2008 at 9:41 AM, Marc Speck <[EMAIL PROTECTED]> wrote:
> I'm not an expert for XPath (in Jackrabbit) but, given the nature of SQL
> injections, I suspect that similar attacks in XPath are possible? I've just
> browsed org.apache.jackrabbit.commons.query.GQL and saw in parse() that you
> escape [, !, etc. Is there an escape method for user generated queries in
> Jackrabbit or do you recommend to use GQL once it's out?
>
> Thanks,
> Marc

-- 
Alexander Klimetschek
[EMAIL PROTECTED]
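The predicate-only injection point Alex describes, as an added example that is not from the thread or from Jackrabbit itself: a raw concatenation beside two hardened forms, one that keeps user input confined to an XPath string literal (the XPath 2.0 rule that a doubled apostrophe represents one apostrophe inside a '...' literal), and one that allowlists plain node names so the lookup can go through the JCR API instead of a query. The query shape, the `@title` property and the allowlist are assumptions made for the example.

```java
import java.util.regex.Pattern;

/** Builds JCR XPath strings without letting user input leave the predicate literal. */
public final class SafeJcrXPath {

    // Allowlist for node names used in API lookups (constructed for this example).
    private static final Pattern SAFE_NAME = Pattern.compile("[A-Za-z0-9_-]+");

    /** Wraps a value as an XPath string literal; '' is the XPath 2.0 escape for an apostrophe. */
    static String toXPathLiteral(String value) {
        return "'" + value.replace("'", "''") + "'";
    }

    /** Vulnerable form, kept for comparison: the input is spliced straight into the predicate. */
    static String unsafeTitleQuery(String userTitle) {
        return "//element(*, nt:base)[@title = '" + userTitle + "']";
    }

    /** Hardened form: whatever the input contains, it can only ever be one string literal. */
    static String safeTitleQuery(String userTitle) {
        return "//element(*, nt:base)[@title = " + toXPathLiteral(userTitle) + "]";
    }

    /**
     * Hardened path building for API lookups (e.g. session.getNode(path) instead of a query):
     * reject anything that is not a plain node name rather than trying to escape it.
     */
    static String safeChildPath(String parentPath, String userName) {
        if (!SAFE_NAME.matcher(userName).matches()) {
            throw new IllegalArgumentException("invalid node name: " + userName);
        }
        return parentPath + "/" + userName;
    }

    public static void main(String[] args) {
        // Constructed input that tries to close the literal and widen the predicate.
        String payload = "x' or @jcr:primaryType != '";
        System.out.println(unsafeTitleQuery(payload));
        // -> //element(*, nt:base)[@title = 'x' or @jcr:primaryType != '']   (matches every node)
        System.out.println(safeTitleQuery(payload));
        // -> //element(*, nt:base)[@title = 'x'' or @jcr:primaryType != ''']  (still one literal)
        System.out.println(safeChildPath("/content/site", "news-2008"));
        // -> /content/site/news-2008 ; safeChildPath("/content/site", payload) throws
    }
}
```

Because the engine parses the hardened query as a single literal comparison, a payload can only ever fail to match, which is the behaviour to expect when user input is confined to predicate values.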
