XALANC-684: XPath single quote-comma bug


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 1.10
    • Fix Version/s: CurrentCVS
    • Component/s: XalanC
    • Labels: None
    • Environment: all

      Description

      Hi David,

      I let our security hacker go nuts on a server I've been developing and
      he came across this:

      Description
      -----------
      the XPath criteria expression,

      contains(.,translate('','','A','a'))

      generates a null pointer exception in the following file,

      FunctionContains::execute(...)
      line: const XalanDOMString& str2 = arg2->str(executionContext);

      Cause
      -----
      ('','') The double single quotes surrounding the comma in the first
      argument of the translate XPath function fail to be detected as a syntax
      error.

      David Bertoni writes> Actually, this should be interpreted as a function call with 4
      arguments. It turns out there's a bug with reporting errors using the
      default implementation of the error reporting mechanism.

      How to reproduce
      ----------------
      execute (using the sample project provided in XalanC):
      SimpleXPathAPI.exe test-fs.xml root
      /root/fs/row[contains(.,translate('','','A','a'))]

      where the test-fs.xml contains the following xml:
      <?xml version="1.0" encoding="UTF-8" standalone="no" ?>
      <root>
      <fs>
      <row>
      <id>31</id>
      <directory/>
      <path>technical</path>
      </row>
      </fs>
      </root>

      Platform
      --------

      • WinXP
      • MSVC++ 9.0 Pro Ed.
      • XalanC 1.10 (trunk) Debug + Release versions
      • compiled against XercesC 3.0

      Consequences
      ------------
      If web applications enable the user to enter XPath criteria directly,
      then it is possible to crash the server that executes the XPath
      expression.
      The band-aid patch for this is to scrutinize all client side input,
      however, this can be easily overlooked in certain situations. A better
      solution is to detect this issue in XalanC and throw an
      xalanc::XalanXPathException.

      David Bertoni writes> This is what should happen. It works fine within a stylesheet, because
      the execution context correctly reports the errors.
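The "scrutinize all client side input" band-aid the reporter mentions can be made concrete: below is an added example (not XalanC code and not the attached patch, written in Python rather than the project's C++) of a scanner that counts the arguments of each XPath function call while honouring string literals, so that translate('','','A','a') is recognised as a four-argument call and rejected before the expression reaches the engine. The ARITY table, the function names and the sample expressions are assumptions constructed for the example.

```python
import re

# XPath 1.0 arities for the two functions in the reported expression.
# Assumption: this table is ours; extend it for the functions you accept.
ARITY = {"contains": 2, "translate": 3}
IDENT = re.compile(r"[A-Za-z_][\w.-]*$")   # function name just before a '('

def call_arities(expr):
    """Return [(name, argc), ...] for every function call in expr, innermost
    first. String literals ('..' and "..") are skipped, so '' is an empty
    string and a comma inside quotes is not an argument separator.
    Raises ValueError on unbalanced quotes or parentheses."""
    calls, stack, quote = [], [], None   # stack frame: [name, commas, content]
    for i, ch in enumerate(expr):
        if quote:                        # inside a string literal
            if ch == quote:
                quote = None
            continue
        if ch in "'\"":
            quote = ch
        elif ch == "(":
            m = IDENT.search(expr[:i].rstrip())
            stack.append([m.group(0) if m else None, 0, False])
            continue                     # grouping parens get name None
        elif ch == ")":
            if not stack:
                raise ValueError("unbalanced ')' at offset %d" % i)
            name, commas, content = stack.pop()
            if name:
                calls.append((name, commas + 1 if content else 0))
        elif ch == "," and stack:
            stack[-1][1] += 1
            continue
        if stack and not ch.isspace():   # anything else is argument content
            stack[-1][2] = True
    if quote or stack:
        raise ValueError("unbalanced quote or '('")
    return calls

def arity_errors(expr):
    """Human-readable mismatches; non-empty means reject the expression
    before it reaches the XPath engine."""
    return ["%s() called with %d argument(s), expects %d" % (n, got, ARITY[n])
            for n, got in call_arities(expr) if n in ARITY and got != ARITY[n]]

# Constructed samples: the reporter's crashing predicate and a well-formed one.
BAD = "/root/fs/row[contains(.,translate('','','A','a'))]"
GOOD = "/root/fs/row[contains(.,translate(.,'A','a'))]"
```

This only catches arity mistakes for the functions listed in ARITY; it is a front-door check, not a substitute for the engine reporting its own errors as the fix does.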

      Attachments

      1. XALANC-684.patch (6 kB, David N Bertoni)


      People

      • Assignee: David N Bertoni (dbertoni)
      • Reporter: Hans Smit (hanssmit)
      • Votes: 0
      • Watchers: 0


      Time Tracking

      • Estimated: 4h (Original Estimate - 4h)
      • Remaining: 4h (Remaining Estimate - 4h)
      • Logged: Not Specified