Documentation Patch: Preventing XPath Injection attacks

Ken Bloom

Here's a patch to rexml/xpath.rb which documents the variables parameter
in REXML::XPath.


--- xpath.rb.old 2008-04-24 17:31:51.000000000 -0500
+++ xpath.rb 2008-04-24 17:37:38.000000000 -0500
@@ -15,10 +15,15 @@
# node matching '*'.
# namespaces::
# If supplied, a Hash which defines a namespace mapping.
+ # variables::
+ # If supplied, a Hash which maps $variables in the query
+ # to values. This can be used to avoid XPath injection attacks
+ # or to automatically handle escaping string values.
#
# XPath.first( node )
# XPath.first( doc, "//b"} )
# XPath.first( node, "a/x:b", { "x"=>"http://doofus" } )
+ # XPath.first( node, '/book/publisher/text()=$publisher', {}, {"publisher"=>"O'Reilly"})
def XPath::first element, path=nil, namespaces=nil, variables={}
raise "The namespaces argument, if supplied, must be a hash object." unless namespaces.nil? or namespaces.kind_of?(Hash)
raise "The variables argument, if supplied, must be a hash object." unless variables.kind_of?(Hash)
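Review bot: the new example line `# XPath.first( node, '/book/publisher/text()=$publisher', {}, {"publisher"=>"O'Reilly"})` uses a comparison expression, which evaluates to a boolean rather than selecting nodes, so it does not show what XPath.first hands back to a caller; a predicate form such as `/book[publisher/text()=$publisher]` would. The variables:: text could also say why it prevents injection: the bound value is never parsed as part of the expression, so a quote inside it (as in O'Reilly) needs no escaping and cannot alter the query. While this hunk is touching the comment, the unchanged context line `# XPath.first( doc, "//b"} )` carries a stray `}` that could be fixed in the same patch.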
@@ -38,10 +43,16 @@
# The xpath to search for. If not supplied or nil, defaults to '*'
# namespaces::
# If supplied, a Hash which defines a namespace mapping
+ # variables::
+ # If supplied, a Hash which maps $variables in the query
+ # to values. This can be used to avoid XPath injection attacks
+ # or to automatically handle escaping string values.
#
# XPath.each( node ) { |el| ... }
# XPath.each( node, '/*[@attr='v']' ) { |el| ... }
# XPath.each( node, 'ancestor::x' ) { |el| ... }
+ # XPath.each( node, '/book/publisher/text()=$publisher', {}, {"publisher"=>"O'Reilly"}) \
+ # {|el| ... }
def XPath::each element, path=nil, namespaces=nil, variables={}, &block
raise "The namespaces argument, if supplied, must be a hash object." unless namespaces.nil? or namespaces.kind_of?(Hash)
raise "The variables argument, if supplied, must be a hash object." unless variables.kind_of?(Hash)
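Review bot: the trailing backslash on `# XPath.each( node, '/book/publisher/text()=$publisher', {}, {"publisher"=>"O'Reilly"}) \` is a line-continuation idiom that has no meaning inside an RDoc comment and will appear literally in the generated documentation; either keep the call on one comment line or break it without the backslash, e.g. `# XPath.each( node, '/book/publisher/text()=$publisher', {},` followed by `#   {"publisher"=>"O'Reilly"}) { |el| ... }`. The same point as for the XPath.first hunk applies: a predicate form (`/book[publisher/text()=$publisher]`) illustrates a node-selecting query better than a bare comparison. The hunk header (10 lines to 16, six added) matches the lines shown.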
 
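The variables mechanism that the patch documents, as an added example that is neither part of this thread nor REXML's own code: the sample catalogue, the two function names and the looked-up values are constructed for illustration, and the interpolating form is shown only as the pattern the hash replaces.

```ruby
require 'rexml/document'

# Constructed sample catalogue, not data from the thread.
CATALOGUE = REXML::Document.new(<<~XML)
  <books>
    <book><title>Learning Ruby</title><publisher>O'Reilly</publisher></book>
    <book><title>Internal Draft</title><publisher>Internal</publisher></book>
  </books>
XML

# Vulnerable pattern: the caller's value is spliced into the XPath text, so a
# quote in the value changes the structure of the query. XPath 1.0 literals
# have no escape sequence, so even a legitimate "O'Reilly" cannot be written
# inside single quotes this way.
def titles_by_publisher_unsafe(publisher)
  titles = []
  REXML::XPath.each(CATALOGUE, "//book[publisher/text()='#{publisher}']") do |book|
    titles << book.elements['title'].text
  end
  titles
end

# Hardened pattern: the query text is a constant; the value travels in the
# variables hash and is bound to $publisher by the evaluator as plain data,
# so quotes or operators inside it are compared literally, never parsed.
def titles_by_publisher_safe(publisher)
  titles = []
  REXML::XPath.each(CATALOGUE, '//book[publisher/text()=$publisher]', {},
                    { 'publisher' => publisher }) do |book|
    titles << book.elements['title'].text
  end
  titles
end

if __FILE__ == $0
  p titles_by_publisher_unsafe('Internal')    # ["Internal Draft"]
  p titles_by_publisher_safe("O'Reilly")      # ["Learning Ruby"]
  p titles_by_publisher_safe("x' or 'a'='a")  # [] : the value stays a literal string
end
```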
Ken Bloom

> may want to send that to ruby-core :) -R

Could somebody else do that for me? (Maybe Matz will notice the patch
here.) I can't seem to get an email through to ruby-core or ruby-doc for
reasons that are completely beyond me.

--Ken
 
Phillip Gawlowski


Ken Bloom wrote:
| On Tue, 29 Apr 2008 12:11:10 -0500, Roger Pack wrote:
|
|> may want to send that to ruby-core :) -R
|
| Could somebody else do that for me? (Maybe Matz will notice the patch
| here.) I can't seem to get an email through to ruby-core or ruby-doc for
| reasons that are completely beyond me.

Try to subscribe with @googlemail.com, instead of @gmail.com.

That fixes this sort of issue for me, usually.


--
Phillip Gawlowski
Twitter: twitter.com/cynicalryan
Blog: http://justarubyist.blogspot.com

"Mom and dad say I should make my life an example of the principles I
believe in. But every time I do, they tell me to stop it."
--- Calvin
 
Ken Bloom


> Ken Bloom wrote:
> | On Tue, 29 Apr 2008 12:11:10 -0500, Roger Pack wrote:
> |
> |> may want to send that to ruby-core :) -R
> |
> | Could somebody else do that for me? (Maybe Matz will notice the patch
> | here.) I can't seem to get an email through to ruby-core or ruby-doc for
> | reasons that are completely beyond me.
>
> Try to subscribe with @googlemail.com, instead of @gmail.com.
>
> That fixes this sort of issue for me, usually.

Ok. I didn't know I needed to be subscribed, and gmail ate the bounce
messages.

--Ken
 
Ken Bloom


> Ken Bloom wrote:
> | On Tue, 29 Apr 2008 12:11:10 -0500, Roger Pack wrote:
> |
> |> may want to send that to ruby-core :) -R
> |
> | Could somebody else do that for me? (Maybe Matz will notice the patch
> | here.) I can't seem to get an email through to ruby-core or ruby-doc for
> | reasons that are completely beyond me.
>
> Try to subscribe with @googlemail.com, instead of @gmail.com.
>
> That fixes this sort of issue for me, usually.

I don't need to be subscribed to post to ruby-talk. I didn't know I
needed to be subscribed to post to ruby-doc or ruby-core. (I also haven't
gotten any bounce telling me that.)

--Ken