Vincent Massol wrote:
> On Apr 30, 2010, at 3:56 PM, Caleb James DeLisle wrote:
>
>> We do and users should, but there is a function which allows script authors
>> to construct queries for document names, so they are allowed to finish an
>> HQL query. If the script author is malicious or if they don't properly use
>> prepared statements then SQL can be injected into the HQL.
>> See XWiki.searchDocuments:
>> http://maven.xwiki.org/site/xwiki-core-parent/xwiki-core/apidocs/com/xpn/xwiki/api/XWiki.html#searchDocuments%28java.lang.String%29
>
> Actually Gregor might be right and we could decide to deprecate this method
> and recommend to use one which would take a varargs list of parameters, wdyt?
When there are no user supplied parameters the "bad" method is fine, e.g.:
$searchDocuments("where doc.space='Main'")
Also a script author can still make a mistake with the "good" method and not
parametrize enough, e.g.:
$searchDocuments("where doc.space='" + $userInput + "' and doc.name=?", [$moreUserInput])
Of course the advisory is considering the possibility of a malicious script
author who could exploit either method.
A good long term answer would be to make the query be written in type safe Java
where the code always knows what needs to be parametrized.
This is an interesting project:
http://source.mysema.com/static/querydsl/latest/reference/html/ch02s04.html
Caleb
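The point Caleb makes above, that a varargs-parameter method does not by itself prevent injection if the caller still concatenates one of the user values into the query tail, can be shown concretely. The following is an added example, not code from the thread or from XWiki: it models the searchDocuments shape (caller supplies the tail of the query plus positional parameters) against a small constructed SQLite table standing in for the document store, and compares the "parametrized one value, concatenated the other" mistake with the fully parametrized call. The table schema, the `hidden` column and the sample rows are assumptions made for the demonstration.

```python
import sqlite3


def make_db():
    """Constructed sample store: a few documents in two spaces, one of them
    marked hidden. The schema is hypothetical, not XWiki's Hibernate mapping."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE doc (space TEXT, name TEXT, hidden INTEGER)")
    conn.executemany(
        "INSERT INTO doc VALUES (?, ?, ?)",
        [("Main", "WebHome", 0), ("Main", "Sandbox", 0), ("Admin", "Secrets", 1)],
    )
    return conn


def search_documents(conn, where_clause, params=()):
    """Mirror of the API shape discussed in the thread: the script author
    finishes the query text and passes positional parameters. The function
    has no way to know which literals inside where_clause came from a user,
    so it cannot protect the caller from concatenation mistakes."""
    sql = "SELECT space || '.' || name FROM doc " + where_clause
    return sorted(row[0] for row in conn.execute(sql, params))


def search_constant(conn):
    """No user input at all: finishing the query by hand is fine here."""
    return search_documents(conn, "WHERE space='Main'")


def search_unsafe(conn, user_space, user_name):
    """The mistake from the thread: doc.name is parametrized, but doc.space is
    concatenated, so user_space becomes part of the query grammar."""
    clause = "WHERE space='" + user_space + "' AND name=?"
    return search_documents(conn, clause, (user_name,))


def search_safe(conn, user_space, user_name):
    """Both user values travel as parameters; they can only ever be compared
    as strings, never parsed as query text."""
    return search_documents(conn, "WHERE space=? AND name=?", (user_space, user_name))


if __name__ == "__main__":
    db = make_db()
    # Constructed input that closes the quoted literal and widens the WHERE clause.
    tainted_space = "Main' OR hidden=1 OR '"
    print("constant:", search_constant(db))
    print("unsafe, benign input:", search_unsafe(db, "Main", "WebHome"))
    print("unsafe, tainted input:", search_unsafe(db, tainted_space, "WebHome"))
    print("safe, tainted input:", search_safe(db, tainted_space, "WebHome"))
```

With benign input both variants return the same single document; with the tainted space value the concatenating variant returns every row, including the hidden Admin document, while the fully parametrized variant returns nothing because no space is literally named that string. This is why Vincent's proposed varargs method only helps if the script author routes every user value through a parameter, which is the gap the type-safe query builder Caleb links to is meant to close.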
>
> Thanks
> -Vincent
>
>> I hope this clears up exactly what the issue is.
>>
>> Caleb
>>
>>
>> Gregor Schneider wrote:
>>> Very simple question:
>>>
>>> Instead of manually playing cats & dogs (i.e. escaping backslashes) -
>>> why don't you just use PreparedStatements?
>>>
>>> Just a thought...
>>>
>>> Rgds
>>>
>>> Gregor
> _______________________________________________
> users mailing list
> [email protected]
> http://lists.xwiki.org/mailman/listinfo/users
>