You are viewing a plain text version of this content. The canonical link for it is here.
Posted to c-users@xalan.apache.org by Hans Smit <jc...@xs4all.nl> on 2008/11/17 16:37:02 UTC
Possible XPath single quote-comma bug
Hi David,
I let our security hacker goes nuts on a server I've been developing and
he came across this:
Description
-----------
the XPath criteria expression,
contains(.,translate('','','A','a'))
generates a null pointer exception in the following file,
FunctionContains::execute(...)
line: const XalanDOMString& str2 = arg2->str(executionContext);
Cause
-----
('','') The double single quotes surrounding the comma in the first
argument of the translate xpath function fails to get detected as a syntax
error.
How to reproduce
----------------
execute (using the sample project provided in XalanC):
SimpleXPathAPI.exe test-fs.xml root
/root/fs/row[contains(.,translate('','','A','a'))]
where the test-fs.xml contains the following xml:
<?xml version="1.0" encoding="UTF-8" standalone="no" ?>
<root>
<fs>
<row>
<id>31</id>
<directory/>
<path>technical</path>
</row>
</fs>
</root>
Platform
--------
- WinXP
- MSVC++ 9.0 Pro Ed.
- XalanC 1.10 (trunk) Debug + Release versions
- compiled against XercesC 3.0
Consequences
------------
If web applications enable the user to enter XPath criteria's directly,
then it is possible to crash the server that executes the XPath
expression.
The band-aid patch for this is to scrutinize all client side input,
however, this can be easily overlooked in certain situations. A better
solution is to detect this issue in XalanC and throw an
xalanc::XalanXPathException.
Thank you for your support,
Hans Smit
PS: I'm very much looking forward to v1.11. Is there a date set? I've been
using the trunk v1.10 for the past year with no issues (expect for the one
described above). As far as I'm concerned - it's stable as a rock. Great
work!
Re: Possible XPath single quote-comma bug
Posted by David Bertoni <db...@apache.org>.
Hans Smit wrote:
> Hi David,
>
> I let our security hacker goes nuts on a server I've been developing and
> he came across this:
>
> Description
> -----------
> the XPath criteria expression,
>
> contains(.,translate('','','A','a'))
>
> generates a null pointer exception in the following file,
>
> FunctionContains::execute(...)
> line: const XalanDOMString& str2 = arg2->str(executionContext);
>
>
> Cause
> -----
> ('','') The double single quotes surrounding the comma in the first
> argument of the translate xpath function fails to get detected as a syntax
> error.
Actually, this should be interpreted as a function call with 4
arguments. It turns out there's a bug with reporting errors using the
default implementation of the error reporting mechanism.
>
> How to reproduce
> ----------------
> execute (using the sample project provided in XalanC):
> SimpleXPathAPI.exe test-fs.xml root
> /root/fs/row[contains(.,translate('','','A','a'))]
>
> where the test-fs.xml contains the following xml:
> <?xml version="1.0" encoding="UTF-8" standalone="no" ?>
> <root>
> <fs>
> <row>
> <id>31</id>
> <directory/>
> <path>technical</path>
> </row>
> </fs>
> </root>
>
>
> Platform
> --------
> - WinXP
> - MSVC++ 9.0 Pro Ed.
> - XalanC 1.10 (trunk) Debug + Release versions
> - compiled against XercesC 3.0
>
> Consequences
> ------------
> If web applications enable the user to enter XPath criteria's directly,
> then it is possible to crash the server that executes the XPath
> expression.
> The band-aid patch for this is to scrutinize all client side input,
> however, this can be easily overlooked in certain situations. A better
> solution is to detect this issue in XalanC and throw an
> xalanc::XalanXPathException.
This is what should happen. It works fine within a stylesheet, because
the execution context correctly reports the errors. Please create a
Jira issue and attach the XML file:
http://issues.apache.org/jira/browse/XALANC
>
>
> Thank you for your support,
>
> Hans Smit
>
> PS: I'm very much looking forward to v1.11. Is there a date set? I've been
> using the trunk v1.10 for the past year with no issues (expect for the one
> described above). As far as I'm concerned - it's stable as a rock. Great
> work!
I'm pretty much winding down code changes now. The only thing I've been
working on is stabilizing some of the less popular ports. If nothing
major pops up, I will try to get the release out by the end of the year.
Dave