On 05/03/2010 12:07 PM, Vincent Massol wrote:
>
> On Apr 30, 2010, at 3:56 PM, Caleb James DeLisle wrote:
>
>> We do and users should, but there is a function which allows script authors
>> to construct queries for document names
>> so they are allowed to finish an HQL query. If the script author is
>> malicious or if they don't properly use
>> prepared statements then SQL can be injected into the HQL.
>> see XWiki.searchDocuments
>> http://maven.xwiki.org/site/xwiki-core-parent/xwiki-core/apidocs/com/xpn/xwiki/api/XWiki.html#searchDocuments%28java.lang.String%29
>
> Actually Gregor might be right and we could decide to deprecate this method
> and recommend to use one which would take a varargs list of parameters, wdyt?

That still won't fix the problem, since the query can still hold non-parameterized code. So, something like this would work:

searchDocuments(" where doc.name like ? and doc.space = 'Main'", ['X%'])

This will only encourage users (devs) to use parameterized queries, but will still leave the security problem wide open.

>
>> I hope this clears up exactly what the issue is.
>>
>> Caleb
>>
>>
>> Gregor Schneider wrote:
>>> Very simple question:
>>>
>>> Instead of manually playing cats & dogs (i.e. escaping backslashes) -
>>> why don't you just use PreparedStatements?
>>>
>>> Just a thought...
>>>
>>> Rgds
>>>
>>> Gregor

-- 
Sergiu Dumitriu
http://purl.org/net/sergiu/

users mailing list
users@xwiki.org
http://lists.xwiki.org/mailman/listinfo/users
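The point Sergiu makes above is that a varargs overload only helps when the query text itself stays free of caller-supplied data. One way to enforce that is to stop script authors writing HQL fragments at all and have them describe conditions through a builder that emits placeholders and bound values. The builder below is an added illustration written for this thread, not XWiki code; DocumentQueryBuilder, its allowed-field list and the parameterised searchDocuments(String, Object...) signature it targets are all hypothetical.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

// Hypothetical builder: callers never write HQL text themselves, so a value
// typed by a wiki user can only reach the database as a bound parameter.
public final class DocumentQueryBuilder {
    // Only these document fields may appear in the generated clause (assumed list).
    private static final Set<String> ALLOWED_FIELDS =
        new HashSet<>(Arrays.asList("doc.name", "doc.space", "doc.author", "doc.date"));

    private final StringBuilder hql = new StringBuilder();
    private final List<Object> params = new ArrayList<>();

    private DocumentQueryBuilder condition(String field, String op, Object value) {
        // Field names come from a fixed whitelist, never from user input.
        if (!ALLOWED_FIELDS.contains(field)) {
            throw new IllegalArgumentException("field not allowed: " + field);
        }
        hql.append(hql.length() == 0 ? " where " : " and ");
        hql.append(field).append(' ').append(op).append(" ?");
        params.add(value);  // the value itself never touches the query text
        return this;
    }

    public DocumentQueryBuilder equalTo(String field, Object value) {
        return condition(field, "=", value);
    }

    public DocumentQueryBuilder like(String field, String pattern) {
        return condition(field, "like", pattern);
    }

    public String hql() { return hql.toString(); }

    public Object[] parameters() { return params.toArray(); }

    public static void main(String[] args) {
        // Constructed input standing in for a pattern supplied by a wiki user.
        String userPattern = "X%";
        DocumentQueryBuilder q = new DocumentQueryBuilder()
            .like("doc.name", userPattern)
            .equalTo("doc.space", "Main");
        // q.hql() and q.parameters() would be handed to a parameterised
        // searchDocuments(String, Object...) (hypothetical signature from the thread).
        System.out.println(q.hql());
        System.out.println(Arrays.toString(q.parameters()));
    }
}
```

Because the only strings that end up in the HQL are whitelisted field names and fixed operators, a script author cannot smuggle query syntax in through a value, which is the gap the varargs proposal alone leaves open.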