Details
-
Bug
-
Status: Closed
-
Minor
-
Resolution: Fixed
-
1.10
-
None
-
all
Description
Hi David,
I let our security hacker goes nuts on a server I've been developing and
he came across this:
Description
-----------
the XPath criteria expression,
contains(.,translate('','','A','a'))
generates a null pointer exception in the following file,
FunctionContains::execute(...)
line: const XalanDOMString& str2 = arg2->str(executionContext);
Cause
('','') The double single quotes surrounding the comma in the first
argument of the translate xpath function fails to get detected as a syntax
error.
David Bertoni writes> Actually, this should be interpreted as a function call with 4
arguments. It turns out there's a bug with reporting errors using the
default implementation of the error reporting mechanism.
How to reproduce
----------------
execute (using the sample project provided in XalanC):
SimpleXPathAPI.exe test-fs.xml root
/root/fs/row[contains(.,translate('','','A','a'))]
where the test-fs.xml contains the following xml:
<?xml version="1.0" encoding="UTF-8" standalone="no" ?>
<root>
<fs>
<row>
<id>31</id>
<directory/>
<path>technical</path>
</row>
</fs>
</root>
Platform
--------
- WinXP
- MSVC++ 9.0 Pro Ed.
- XalanC 1.10 (trunk) Debug + Release versions
- compiled against XercesC 3.0
Consequences
------------
If web applications enable the user to enter XPath criteria's directly,
then it is possible to crash the server that executes the XPath
expression.
The band-aid patch for this is to scrutinize all client side input,
however, this can be easily overlooked in certain situations. A better
solution is to detect this issue in XalanC and throw an
xalanc::XalanXPathException.
David Bertoni writes>This is what should happen. It works fine within a stylesheet, because
the execution context correctly reports the errors
