You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@jena.apache.org by "Rob Vesse (JIRA)" <ji...@apache.org> on 2018/03/05 10:22:00 UTC

[jira] [Commented] (JENA-1497) ParameterizedSparqlString detects delimiters incorrectly

    [ https://issues.apache.org/jira/browse/JENA-1497?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16385897#comment-16385897 ] 

Rob Vesse commented on JENA-1497:
---------------------------------

Basic problem is use of {{continue}} vs {{break}} in the parsing logic, {{continue}} is used inside inner loops which of course doesn't do what is desired resulting in invalid delimiter detection which for complex SPARQL strings results in potential false positives of potential injection attacks.  Changing to {{break}} in the appropriate places resolves the issue

> ParameterizedSparqlString detects delimiters incorrectly
> --------------------------------------------------------
>
>                 Key: JENA-1497
>                 URL: https://issues.apache.org/jira/browse/JENA-1497
>             Project: Apache Jena
>          Issue Type: Bug
>          Components: ARQ
>    Affects Versions: Jena 3.6.0
>            Reporter: Rob Vesse
>            Assignee: Rob Vesse
>            Priority: Major
>
> As reported on the mailing list - [https://lists.apache.org/thread.html/3855aa8046cfea61433042655144f071c56baa7c5d61a78544730455@%3Cusers.jena.apache.org%3E|https://lists.apache.org/thread.html/3855aa8046cfea61433042655144f071c56baa7c5d61a78544730455@%3Cusers.jena.apache.org%3E]
> Investigation shows that the delimiter parsing logic has some flaws that causes it to do the wrong thing resulting in the possibility of incorrect detection of injection attacks leading to some valid SPARQL strings being rejected when attempting to inject parameters.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)