You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@jackrabbit.apache.org by "Jukka Zitting (JIRA)" <ji...@apache.org> on 2010/08/12 12:22:15 UTC
[jira] Created: (JCR-2709) Missing XPath escape in query.jsp
Missing XPath escape in query.jsp
---------------------------------
Key: JCR-2709
URL: https://issues.apache.org/jira/browse/JCR-2709
Project: Jackrabbit Content Repository
Issue Type: Bug
Components: jackrabbit-webapp
Affects Versions: 2.1.1
Reporter: Jukka Zitting
Priority: Minor
Fix For: 2.2.0
As reported by Canberk Bolat of ADEO Security in a private communication, there search.jsp script in jackrabbit-webapp is missing an escape when it injects the path of a "related:" query into the constructed XPath statement. Further analysis showed that this issue has no security implications, so we can treat this as a normal bug report.
search.jsp
...
String q = request.getParameter("q");
...
if (q != null && q.length() > 0) {
String stmt;
if (q.startsWith("related:")) {
String path = q.substring("related:".length());
stmt = "//element(*, nt:file)[rep:similar(jcr:content,
'" + path + "/jcr:content')]/rep:excerpt(.) order by @jcr:score
descending";
queryTerms = "similar to <b>" +
Text.encodeIllegalXMLCharacters(path) + "</b>";
}
...
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Updated: (JCR-2709) Missing XPath escape in query.jsp
Posted by "Douglas Jose (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/JCR-2709?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Douglas Jose updated JCR-2709:
------------------------------
Attachment: jcr-2709.patch
Patch to fix the issue.
Escapes single quotes that may be present in a path to generate the "related:" query
> Missing XPath escape in query.jsp
> ---------------------------------
>
> Key: JCR-2709
> URL: https://issues.apache.org/jira/browse/JCR-2709
> Project: Jackrabbit Content Repository
> Issue Type: Bug
> Components: jackrabbit-webapp
> Affects Versions: 2.1.1
> Reporter: Jukka Zitting
> Priority: Minor
> Fix For: 2.2.0
>
> Attachments: jcr-2709.patch
>
>
> As reported by Canberk Bolat of ADEO Security in a private communication, there search.jsp script in jackrabbit-webapp is missing an escape when it injects the path of a "related:" query into the constructed XPath statement. Further analysis showed that this issue has no security implications, so we can treat this as a normal bug report.
> search.jsp
> ...
> String q = request.getParameter("q");
> ...
> if (q != null && q.length() > 0) {
> String stmt;
> if (q.startsWith("related:")) {
> String path = q.substring("related:".length());
> stmt = "//element(*, nt:file)[rep:similar(jcr:content,
> '" + path + "/jcr:content')]/rep:excerpt(.) order by @jcr:score
> descending";
> queryTerms = "similar to <b>" +
> Text.encodeIllegalXMLCharacters(path) + "</b>";
> }
> ...
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.