You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@jackrabbit.apache.org by "Jukka Zitting (JIRA)" <ji...@apache.org> on 2010/08/12 12:22:15 UTC

[jira] Created: (JCR-2709) Missing XPath escape in query.jsp

Missing XPath escape in query.jsp
---------------------------------

                 Key: JCR-2709
                 URL: https://issues.apache.org/jira/browse/JCR-2709
             Project: Jackrabbit Content Repository
          Issue Type: Bug
          Components: jackrabbit-webapp
    Affects Versions: 2.1.1
            Reporter: Jukka Zitting
            Priority: Minor
             Fix For: 2.2.0


As reported by Canberk Bolat of ADEO Security in a private communication, there search.jsp script in jackrabbit-webapp is missing an escape when it injects the path of a "related:" query into the constructed XPath statement. Further analysis showed that this issue has no security implications, so we can treat this as a normal bug report.

search.jsp
...
String q = request.getParameter("q");
...
      if (q != null && q.length() > 0) {
           String stmt;
           if (q.startsWith("related:")) {
               String path = q.substring("related:".length());
               stmt = "//element(*, nt:file)[rep:similar(jcr:content,
'" + path + "/jcr:content')]/rep:excerpt(.) order by @jcr:score
descending";
               queryTerms = "similar to <b>" +
Text.encodeIllegalXMLCharacters(path) + "</b>";
           }
...



-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

[jira] Updated: (JCR-2709) Missing XPath escape in query.jsp

Posted by "Douglas Jose (JIRA)" <ji...@apache.org>.

     [ https://issues.apache.org/jira/browse/JCR-2709?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Douglas Jose updated JCR-2709:
------------------------------

    Attachment: jcr-2709.patch

Patch to fix the issue.

Escapes single quotes that may be present in a path to generate the "related:" query

> Missing XPath escape in query.jsp
> ---------------------------------
>
>                 Key: JCR-2709
>                 URL: https://issues.apache.org/jira/browse/JCR-2709
>             Project: Jackrabbit Content Repository
>          Issue Type: Bug
>          Components: jackrabbit-webapp
>    Affects Versions: 2.1.1
>            Reporter: Jukka Zitting
>            Priority: Minor
>             Fix For: 2.2.0
>
>         Attachments: jcr-2709.patch
>
>
> As reported by Canberk Bolat of ADEO Security in a private communication, there search.jsp script in jackrabbit-webapp is missing an escape when it injects the path of a "related:" query into the constructed XPath statement. Further analysis showed that this issue has no security implications, so we can treat this as a normal bug report.
> search.jsp
> ...
> String q = request.getParameter("q");
> ...
>       if (q != null && q.length() > 0) {
>            String stmt;
>            if (q.startsWith("related:")) {
>                String path = q.substring("related:".length());
>                stmt = "//element(*, nt:file)[rep:similar(jcr:content,
> '" + path + "/jcr:content')]/rep:excerpt(.) order by @jcr:score
> descending";
>                queryTerms = "similar to <b>" +
> Text.encodeIllegalXMLCharacters(path) + "</b>";
>            }
> ...

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.