On May 3, 2010, at 12:34 PM, Sergiu Dumitriu wrote:

> On 05/03/2010 12:07 PM, Vincent Massol wrote:
>>
>> On Apr 30, 2010, at 3:56 PM, Caleb James DeLisle wrote:
>>
>>> We do and users should, but there is a function which allows script authors
>>> to construct queries for document names
>>> so they are allowed to finish an HQL query. If the script author is
>>> malicious or if they don't properly use
>>> prepared statements then SQL can be injected into the HQL.
>>> see XWiki.searchDocuments
>>> http://maven.xwiki.org/site/xwiki-core-parent/xwiki-core/apidocs/com/xpn/xwiki/api/XWiki.html#searchDocuments%28java.lang.String%29
>>
>> Actually Gregor might be right and we could decide to deprecate this method
>> and recommend to use one which would take a varargs list of parameters, wdyt?
>
> That still won't fix the problem, since the query can still hold
> non-parameterized code. So, something like this would work:
>
> searchDocuments(" where doc.name like ? and doc.space = 'Main'", ['X%'])
>
> This will only encourage users (devs) to use parameterized queries, but
> will still leave the security problem wide open.
Yes but then we could also escape the quote characters... ;)

We would have a backward compat issue to handle though but that's doable with some security setting for ex.

-Vincent

>>> I hope this clears up exactly what the issue is.
>>>
>>> Caleb
>>>
>>>
>>> Gregor Schneider wrote:
>>>> Very simple question:
>>>>
>>>> Instead of manually playing cats & dogs (i.e. escaping backslashes) -
>>>> why don't you just use PreparedStatements?
>>>>
>>>> Just a thought...
>>>>
>>>> Rgds
>>>>
>>>> Gregor
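The gap Sergiu points out is that a parameter list does nothing about the HQL fragment itself: as long as a script author can hand over free-form text that is spliced into the query, quote escaping and positional parameters only cover the values, not the query shape. One defensive alternative, shown here as an added example written for this thread and not XWiki's own `searchDocuments` API, is to stop accepting an HQL fragment at all and instead accept (field, operator, value) conditions, emit the HQL from a whitelist, and bind every value as a positional parameter. The class, field and operator names are assumptions made for the illustration; it needs no Hibernate dependency to run.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

/**
 * Hypothetical structured search builder (illustrative, not XWiki code).
 * Callers supply (field, operator, value) triples; the builder produces
 * " where f1 op1 ? and f2 op2 ? ..." plus the matching positional parameters.
 * Only whitelisted fields and operators can ever reach the query text, so a
 * value containing quotes or keywords is always bound as data, never parsed.
 */
public final class SafeDocumentQuery {

    /** HQL properties a caller is allowed to filter on (assumed list). */
    private static final Set<String> FIELDS =
        new HashSet<>(Arrays.asList("doc.name", "doc.space", "doc.author", "doc.date"));

    /** Comparison operators a caller is allowed to use (assumed list). */
    private static final Set<String> OPERATORS =
        new HashSet<>(Arrays.asList("=", "<>", "like", "<", ">"));

    public static final class Condition {
        final String field;
        final String op;
        final Object value;

        public Condition(String field, String op, Object value) {
            // Reject anything outside the whitelist before it can touch the HQL text.
            if (!FIELDS.contains(field)) {
                throw new IllegalArgumentException("field not allowed: " + field);
            }
            if (!OPERATORS.contains(op)) {
                throw new IllegalArgumentException("operator not allowed: " + op);
            }
            this.field = field;
            this.op = op;
            this.value = value;
        }
    }

    /** Result: the fixed-shape HQL fragment and the values to bind, in order. */
    public static final class Built {
        public final String hql;
        public final List<Object> params;

        Built(String hql, List<Object> params) {
            this.hql = hql;
            this.params = Collections.unmodifiableList(params);
        }
    }

    public static Built build(List<Condition> conditions) {
        StringBuilder hql = new StringBuilder(" where ");
        List<Object> params = new ArrayList<>();
        for (int i = 0; i < conditions.size(); i++) {
            Condition c = conditions.get(i);
            if (i > 0) {
                hql.append(" and ");
            }
            // Field and operator come from the whitelist; the value goes only into params.
            hql.append(c.field).append(' ').append(c.op).append(" ?");
            params.add(c.value);
        }
        return new Built(hql.toString(), params);
    }

    public static void main(String[] args) {
        // Constructed input: a value that would change the query if concatenated into it.
        String untrusted = "X%' or '1'='1";
        Built q = build(Arrays.asList(
            new Condition("doc.name", "like", untrusted),
            new Condition("doc.space", "=", "Main")));
        System.out.println(q.hql);     // " where doc.name like ? and doc.space = ?"
        System.out.println(q.params);  // [X%' or '1'='1, Main]  (bound as data)

        // A caller cannot smuggle query text through the field name either.
        try {
            new Condition("doc.name) or (1=1", "=", "x");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The trade-off is exactly the backward-compatibility concern raised above: callers who relied on writing arbitrary HQL lose that freedom, which is the point, and a migration would need the old free-form method kept behind a setting until scripts are converted.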
