Hi David,

I let our security hacker go nuts on a server I've been developing and he came across this:

Description
-----------
The XPath criteria expression contains(.,translate('','','A','a')) generates a null pointer exception in the following file, FunctionContains::execute(...), line:

    const XalanDOMString& str2 = arg2->str(executionContext);

Cause
-----
('','')
The double single quotes surrounding the comma in the first argument of the translate XPath function fail to get detected as a syntax error.

How to reproduce
----------------
Execute (using the sample project provided in XalanC):

    SimpleXPathAPI.exe test-fs.xml root /root/fs/row[contains(.,translate('','','A','a'))]

where the test-fs.xml contains the following XML:

    <?xml version="1.0" encoding="UTF-8" standalone="no" ?>
    <root>
      <fs>
        <row>
          <id>31</id>
          <directory/>
          <path>technical</path>
        </row>
      </fs>
    </root>

Platform
--------
- WinXP
- MSVC++ 9.0 Pro Ed.
- XalanC 1.10 (trunk) Debug + Release versions
- compiled against XercesC 3.0

Consequences
------------
If web applications enable the user to enter XPath criteria directly, then it is possible to crash the server that executes the XPath expression. The band-aid patch for this is to scrutinize all client-side input; however, this can be easily overlooked in certain situations. A better solution is to detect this issue in XalanC and throw an xalanc::XalanXPathException.

Thank you for your support,
Hans Smit

PS: I'm very much looking forward to v1.11. Is there a date set? I've been using the trunk v1.10 for the past year with no issues (except for the one described above). As far as I'm concerned, it's stable as a rock. Great work!
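An added example, not part of Hans's report and not XalanC code: a hypothetical pre-validator that a web application could run over user-supplied XPath before handing it to the engine, checking that the XPath 1.0 core string functions receive the number of arguments the spec requires (the function name xpathArityOk and the arity table kArity are assumptions). Because XPath 1.0 string literals have no escape sequence, '','' lexes as two empty literals, so the expression from the report is rejected with translate() receiving four arguments instead of three.

```cpp
#include <cctype>
#include <map>
#include <string>
#include <vector>
// Required argument counts for XPath 1.0 core string functions (contains and translate appear in the report).
static const std::map<std::string, int> kArity = {{"contains", 2}, {"translate", 3}, {"starts-with", 2}};
// Simplified lexer: skips literals whole (XPath 1.0 literals have no escape, so '','' is two
// empty literals), tracks nested calls and counts each call's arguments. False + reason on mismatch.
bool xpathArityOk(const std::string& expr, std::string& why) {
    struct Frame { std::string name; int commas; bool empty; };
    std::vector<Frame> stack;
    std::string ident;                                    // name being read
    for (size_t i = 0; i < expr.size(); ++i) {
        const char c = expr[i];
        const bool space = std::isspace(static_cast<unsigned char>(c)) != 0;
        if (c == '\'' || c == '"') {                      // consume a literal whole
            const size_t end = expr.find(c, i + 1);
            if (end == std::string::npos) { why = "unterminated literal"; return false; }
            i = end;
        } else if (c == '(') {                            // call begins: push a frame
            stack.push_back({ident, 0, true});
            ident.clear(); continue;                      // new frame stays empty
        } else if (c == ',') {
            if (stack.empty()) { why = "comma outside a call"; return false; }
            ++stack.back().commas;
            ident.clear(); continue;
        } else if (c == ')') {
            if (stack.empty()) { why = "unbalanced ')'"; return false; }
            const Frame f = stack.back(); stack.pop_back();
            const int argc = f.empty ? 0 : f.commas + 1;
            const auto it = kArity.find(f.name);
            if (it != kArity.end() && it->second != argc) {
                why = f.name + "() expects " + std::to_string(it->second) +
                      " arguments, got " + std::to_string(argc);
                return false;
            }
            ident.clear();
        } else if (std::isalnum(static_cast<unsigned char>(c)) || c == '-' || c == '_') {
            if (i > 0 && std::isspace(static_cast<unsigned char>(expr[i - 1]))) ident.clear();
            ident += c;                                   // part of a function name
        } else if (!space) {
            ident.clear();                                // '.', '/', '[', operators ...
        }
        if (!stack.empty() && !space) stack.back().empty = false;  // argument has content
    }
    if (!stack.empty()) { why = "unbalanced '('"; return false; }
    return true;
}
bool xpathArityOk(const std::string& expr) { std::string why; return xpathArityOk(expr, why); }
```

Rejecting such input before it reaches the engine only complements a fix in XalanC itself; an arity check in the parser is still the right place for the error to be raised.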