On 05/03/2010 12:07 PM, Vincent Massol wrote:
>
> On Apr 30, 2010, at 3:56 PM, Caleb James DeLisle wrote:
>
>> We do and users should, but there is a function which allows script authors 
>> to construct queries for document names
>> so they are allowed to finish an HQL query. If the script author is 
>> malicious or if they don't properly use
>> prepared statements then SQL can be injected into the HQL.
>> see XWiki.searchDocuments
>> http://maven.xwiki.org/site/xwiki-core-parent/xwiki-core/apidocs/com/xpn/xwiki/api/XWiki.html#searchDocuments%28java.lang.String%29
>
> Actually Gregor might be right and we could decide to deprecate this method 
> and recommend to use one which would take a varargs list of parameters, wdyt?

That still won't fix the problem, since the query can still hold 
non-parameterized code. So, something like this would work:

searchDocuments(" where doc.name like ? and doc.space = 'Main'", ['X%'])

This will only encourage users (devs) to use parameterized queries, but 
will still leave the security problem wide open.

>
>>
>> I hope this clears up exactly what the issue is.
>>
>> Caleb
>>
>>
>> Gregor Schneider wrote:
>>> Very simple question:
>>>
>>> Instead of manually playing cats & dogs (i.e. escaping backslashes) -
>>> why don't you just use PreparedStatements?
>>>
>>> Just a thought...
>>>
>>> Rgds
>>>
>>> Gregor


-- 
Sergiu Dumitriu
http://purl.org/net/sergiu/
_______________________________________________
users mailing list
users@xwiki.org
http://lists.xwiki.org/mailman/listinfo/users
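Sergiu's point is that the hole is the free-form HQL fragment, not the values bound into it. As an added illustration (not XWiki code and not written by anyone in this thread), here is a hypothetical Java builder that replaces the raw `where` fragment with structured conditions: column names and operators must come from an allowlist and every value is bound as a positional parameter, so a script author never hands the API HQL text. The class name, the column list and the `and(column, operator, value)` signature are assumptions.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

/** Hypothetical structured query builder; not part of XWiki. */
public final class SafeDocumentQuery {
    // Allowlist of document columns and comparison operators (assumed set).
    private static final Set<String> COLUMNS =
        new HashSet<>(Arrays.asList("doc.name", "doc.space", "doc.author", "doc.date"));
    private static final Set<String> OPERATORS =
        new HashSet<>(Arrays.asList("=", "<>", "<", ">", "like"));

    private final StringBuilder where = new StringBuilder();
    private final List<Object> params = new ArrayList<>();

    /** Appends "column operator ?" and binds the value; callers never pass HQL text. */
    public SafeDocumentQuery and(String column, String operator, Object value) {
        if (!COLUMNS.contains(column) || !OPERATORS.contains(operator)) {
            throw new IllegalArgumentException("not allowed: " + column + " " + operator);
        }
        where.append(where.length() == 0 ? " where " : " and ")
             .append(column).append(' ').append(operator).append(" ?");
        params.add(value);
        return this;
    }

    /** HQL fragment containing only placeholders, for a parameterized search call. */
    public String hql() { return where.toString(); }
    /** Values to bind, in placeholder order. */
    public List<Object> params() { return Collections.unmodifiableList(params); }

    public static void main(String[] args) {
        // The query from the thread, built from structured pieces instead of a raw string.
        SafeDocumentQuery q = new SafeDocumentQuery()
            .and("doc.name", "like", "X%")
            .and("doc.space", "=", "Main");
        System.out.println(q.hql() + "  params=" + q.params());

        // A column name that is not allowlisted is rejected before any HQL is built,
        // so there is no place left for a caller to smuggle in query text.
        try {
            new SafeDocumentQuery().and("doc.content", "=", "x");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```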
