Posted to c-users@xalan.apache.org by Hans Smit <jc...@xs4all.nl> on 2008/11/17 16:37:02 UTC

Possible XPath single quote-comma bug

Hi David,

I let our security hacker go nuts on a server I've been developing and
he came across this:

Description
-----------
the XPath criteria expression,

contains(.,translate('','','A','a'))

generates a null pointer exception in the following file,

FunctionContains::execute(...)
line:    const XalanDOMString&   str2 = arg2->str(executionContext);


Cause
-----
('','') The double single quotes surrounding the comma in the first
argument of the translate xpath function fail to get detected as a syntax
error.


How to reproduce
----------------
execute (using the sample project provided in XalanC):
SimpleXPathAPI.exe test-fs.xml root
/root/fs/row[contains(.,translate('','','A','a'))]

where the test-fs.xml contains the following xml:
<?xml version="1.0" encoding="UTF-8" standalone="no" ?>
<root>
  <fs>
    <row>
      <id>31</id>
      <directory/>
      <path>technical</path>
    </row>
  </fs>
</root>


Platform
--------
- WinXP
- MSVC++ 9.0 Pro Ed.
- XalanC 1.10 (trunk) Debug + Release versions
- compiled against XercesC 3.0

Consequences
------------
If web applications enable the user to enter XPath criteria directly,
then it is possible to crash the server that executes the XPath
expression.
The band-aid patch for this is to scrutinize all client side input,
however, this can be easily overlooked in certain situations. A better
solution is to detect this issue in XalanC and throw an
xalanc::XalanXPathException.


Thank you for your support,

Hans Smit

PS: I'm very much looking forward to v1.11. Is there a date set? I've been
using the trunk v1.10 for the past year with no issues (except for the one
described above). As far as I'm concerned - it's stable as a rock. Great
work!

Re: Possible XPath single quote-comma bug

Posted by David Bertoni <db...@apache.org>.
Hans Smit wrote:
> Hi David,
> 
> I let our security hacker go nuts on a server I've been developing and
> he came across this:
> 
> Description
> -----------
> the XPath criteria expression,
> 
> contains(.,translate('','','A','a'))
> 
> generates a null pointer exception in the following file,
> 
> FunctionContains::execute(...)
> line:    const XalanDOMString&   str2 = arg2->str(executionContext);
> 
> 
> Cause
> -----
> ('','') The double single quotes surrounding the comma in the first
> argument of the translate xpath function fail to get detected as a syntax
> error.
Actually, this should be interpreted as a function call with 4 
arguments.  It turns out there's a bug with reporting errors using the 
default implementation of the error reporting mechanism.

> 
> How to reproduce
> ----------------
> execute (using the sample project provided in XalanC):
> SimpleXPathAPI.exe test-fs.xml root
> /root/fs/row[contains(.,translate('','','A','a'))]
> 
> where the test-fs.xml contains the following xml:
> <?xml version="1.0" encoding="UTF-8" standalone="no" ?>
> <root>
>   <fs>
>     <row>
>       <id>31</id>
>       <directory/>
>       <path>technical</path>
>     </row>
>   </fs>
> </root>
> 
> 
> Platform
> --------
> - WinXP
> - MSVC++ 9.0 Pro Ed.
> - XalanC 1.10 (trunk) Debug + Release versions
> - compiled against XercesC 3.0
> 
> Consequences
> ------------
> If web applications enable the user to enter XPath criteria directly,
> then it is possible to crash the server that executes the XPath
> expression.
> The band-aid patch for this is to scrutinize all client side input,
> however, this can be easily overlooked in certain situations. A better
> solution is to detect this issue in XalanC and throw an
> xalanc::XalanXPathException.
This is what should happen.  It works fine within a stylesheet, because 
the execution context correctly reports the errors.  Please create a 
Jira issue and attach the XML file:

http://issues.apache.org/jira/browse/XALANC

> 
> 
> Thank you for your support,
> 
> Hans Smit
> 
> PS: I'm very much looking forward to v1.11. Is there a date set? I've been
> using the trunk v1.10 for the past year with no issues (except for the one
> described above). As far as I'm concerned - it's stable as a rock. Great
> work!
I'm pretty much winding down code changes now.  The only thing I've been 
working on is stabilizing some of the less popular ports.  If nothing 
major pops up, I will try to get the release out by the end of the year.

Dave
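The report and David's reply hinge on one parsing fact: XPath 1.0 string literals have no escape mechanism, so `''` is an empty string and `translate('','','A','a')` is a call with four arguments, not a syntax error, and it is the arity violation that must be rejected before evaluation. The following scanner is an added example (not XalanC code, not from either poster) that extracts every function call's argument count from an expression and flags arity violations, the pre-check an application accepting user-supplied XPath criteria would run before handing the expression to the engine; the `ARITY` table is a constructed subset of the XPath 1.0 core function library.

```python
import re

# Constructed subset of the XPath 1.0 core function arities; None = variable arity.
ARITY = {"contains": 2, "translate": 3, "starts-with": 2, "not": 1, "count": 1,
         "last": 0, "position": 0, "concat": None, "string": None,
         "substring": None, "normalize-space": None, "string-length": None}
OPERATORS = {"and", "or", "div", "mod"}          # keywords that may precede '(' but are not calls
NAME_RE = re.compile(r"[A-Za-z_][\w.\-]*$")      # QName-ish token ending right before '('


def function_calls(expr):
    """Return [(name, argc), ...] for every function call, innermost first.
    String literals are skipped wholesale: in XPath 1.0 a quote cannot appear
    inside a literal delimited by the same quote, so '' is an empty string and
    the comma after it separates arguments."""
    calls, stack, i = [], [], 0
    while i < len(expr):
        c = expr[i]
        if c in "'\"":                                   # string literal
            end = expr.find(c, i + 1)
            if end < 0:
                raise ValueError("unterminated string literal")
            if stack:
                stack[-1]["content"] = True
            i = end + 1
            continue
        if c == "(":                                     # call or grouping paren
            m = NAME_RE.search(expr[:i].rstrip())
            name = m.group(0) if m and m.group(0) not in OPERATORS else None
            stack.append({"name": name, "commas": 0, "content": False})
        elif c == ")":
            if not stack:
                raise ValueError("unbalanced ')'")
            frame = stack.pop()
            if frame["name"]:                            # grouping parens record nothing
                calls.append((frame["name"], frame["commas"] + 1 if frame["content"] else 0))
            if stack:
                stack[-1]["content"] = True
        elif c == ",":
            if not stack:
                raise ValueError("',' outside a function call")
            stack[-1]["commas"] += 1
        elif not c.isspace() and stack:
            stack[-1]["content"] = True
        i += 1
    if stack:
        raise ValueError("unbalanced '('")
    return calls


def arity_errors(expr):
    """(name, argc) for each call whose argument count violates the ARITY table."""
    return [(n, a) for n, a in function_calls(expr)
            if ARITY.get(n) is not None and ARITY[n] != a]
```

Rejecting an expression with a non-empty `arity_errors` result before evaluation turns the reported null-pointer crash into an ordinary input validation error in the calling application.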