XPath single quote-comma bug
----------------------------

                 Key: XALANC-684
                 URL: https://issues.apache.org/jira/browse/XALANC-684
             Project: XalanC
          Issue Type: Bug
          Components: XalanC
    Affects Versions: 1.10
         Environment: all
            Reporter: Hans Smit
            Priority: Minor


Hi David,

I let our security hacker go nuts on a server I've been developing and
he came across this:

Description
-----------
the XPath criteria expression,

contains(.,translate('','','A','a'))

generates a null pointer exception in the following file,

FunctionContains::execute(...)
line:    const XalanDOMString&   str2 = arg2->str(executionContext);


Cause
-----
('','') The double single quotes surrounding the comma in the first
argument of the translate XPath function fail to get detected as a syntax
error.

David Bertoni writes> Actually, this should be interpreted as a function call with 4 arguments. It turns out there's a bug with reporting errors using the default implementation of the error reporting mechanism.


How to reproduce
----------------
execute (using the sample project provided in XalanC):
SimpleXPathAPI.exe test-fs.xml root
/root/fs/row[contains(.,translate('','','A','a'))]

where the test-fs.xml contains the following xml:
<?xml version="1.0" encoding="UTF-8" standalone="no" ?>
<root>
  <fs>
    <row>
      <id>31</id>
      <directory/>
      <path>technical</path>
    </row>
  </fs>
</root>


Platform
--------
- WinXP
- MSVC++ 9.0 Pro Ed.
- XalanC 1.10 (trunk) Debug + Release versions
- compiled against XercesC 3.0

Consequences
------------
If web applications enable the user to enter XPath criteria directly,
then it is possible to crash the server that executes the XPath
expression.
The band-aid patch for this is to scrutinize all client side input;
however, this can be easily overlooked in certain situations. A better
solution is to detect this issue in XalanC and throw an
xalanc::XalanXPathException.

David Bertoni writes> This is what should happen. It works fine within a stylesheet, because the execution context correctly reports the errors.


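The band-aid the reporter mentions, scrutinizing client-side XPath input before it reaches the engine, can at least reject this class of malformed call up front. The following is an added example, not XalanC code: a small C++ allowlist and arity checker for XPath 1.0 function calls that refuses `translate('','','A','a')` because it carries four arguments, and also refuses unterminated literals, unbalanced parentheses and function names outside the allowlist. The function name `xpathArityOk` and the arity table are assumptions of this example.

```cpp
#include <cctype>
#include <map>
#include <string>
#include <vector>

// Allowlist of XPath 1.0 functions / node tests with {min, max} arity; 99 = unbounded (assumed table).
static const std::map<std::string, std::pair<int, int>> kArity = {
    {"contains", {2, 2}}, {"translate", {3, 3}}, {"starts-with", {2, 2}}, {"substring", {2, 3}},
    {"concat", {2, 99}}, {"not", {1, 1}}, {"count", {1, 1}}, {"position", {0, 0}}, {"last", {0, 0}},
    {"name", {0, 1}}, {"string-length", {0, 1}}, {"normalize-space", {0, 1}}, {"node", {0, 0}}, {"text", {0, 0}}};

// True only if every call names an allowlisted function with a permitted argument count and all literals/parens balance.
bool xpathArityOk(const std::string& expr) {
    struct Frame { std::string name; int commas; bool content; };  // one frame per open '('
    std::vector<Frame> st;
    const size_t n = expr.size();
    for (size_t i = 0; i < n; ++i) {
        const char c = expr[i];
        if (!st.empty() && !std::isspace((unsigned char)c) && c != ')' && c != ',')
            st.back().content = true;                     // the current argument is non-empty
        if (c == '\'' || c == '"') {                      // XPath 1.0 literals have no escapes
            i = expr.find(c, i + 1);
            if (i == std::string::npos) return false;     // unterminated literal
        } else if (std::isalpha((unsigned char)c) || c == '_') {
            size_t j = i;
            while (j < n && (std::isalnum((unsigned char)expr[j]) || expr[j] == '-' ||
                             expr[j] == '_' || expr[j] == '.')) ++j;
            const std::string name = expr.substr(i, j - i);
            i = j - 1;                                    // loop's ++i lands just after the name
            while (j < n && std::isspace((unsigned char)expr[j])) ++j;
            if (j < n && expr[j] == '(') {                // a call, not a location step or operator
                if (!kArity.count(name)) return false;    // not on the allowlist
                st.push_back({name, 0, false});
                i = j;                                    // loop's ++i moves past the '('
            }
        } else if (c == '(') {                            // grouping parentheses, no arity to check
            st.push_back({"", 0, false});
        } else if (c == ',') {                            // commas only separate call arguments
            if (st.empty() || st.back().name.empty()) return false;
            ++st.back().commas;
        } else if (c == ')') {
            if (st.empty()) return false;                 // stray closing parenthesis
            const Frame f = st.back(); st.pop_back();
            const int args = f.content ? f.commas + 1 : 0;
            if (!f.name.empty() && (args < kArity.at(f.name).first || args > kArity.at(f.name).second))
                return false;                             // wrong arity, e.g. translate with 4 arguments
        }
    }
    return st.empty();                                    // anything still open is unbalanced
}
```

Run this on the criteria string before handing it to the XPath engine; it is a guard, not a replacement for the engine raising xalanc::XalanXPathException itself.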
-- 
This message is automatically generated by JIRA.