Actions
Bug #811
closedDocumentation Patch: Preventing XPath Injection attacks
Description
=begin
Here's a patch to rexml/xpath.rb which documents the variables parameter
in REXML::XPath. I have previously posted this as ruby-core:16626, but it was ignored.
Please apply it to ruby 1.8 and ruby 1.9, to encourage secure coding practices.
--- xpath.rb.old 2008-04-24 17:31:51.000000000 -0500
+++ xpath.rb 2008-04-24 17:37:38.000000000 -0500
@@ -15,10 +15,15 @@
# node matching '*'.
# namespaces::
# If supplied, a Hash which defines a namespace mapping.
-
# variables::
-
# If supplied, a Hash which maps $variables in the query
-
# to values. This can be used to avoid XPath injection attacks
-
# or to automatically handle escaping string values. # # XPath.first( node ) # XPath.first( doc, "//b"} ) # XPath.first( node, "a/x:b", { "x"=>"http://doofus" } )
-
def XPath::first element, path=nil, namespaces=nil, variables={}# XPath.first( node, '/book/publisher/text()=$publisher', {}, {"publisher"=>"O'Reilly"})
raise "The namespaces argument, if supplied, must be a hash object." unless namespaces.nil? or namespaces.kind_of?(Hash)
raise "The variables argument, if supplied, must be a hash object." unless variables.kind_of?(Hash)
@@ -38,10 +43,16 @@
# The xpath to search for. If not supplied or nil, defaults to '*'
# namespaces::
# If supplied, a Hash which defines a namespace mapping -
# variables::
-
# If supplied, a Hash which maps $variables in the query
-
# to values. This can be used to avoid XPath injection attacks
-
# or to automatically handle escaping string values. # # XPath.each( node ) { |el| ... } # XPath.each( node, '/*[@attr='v']' ) { |el| ... } # XPath.each( node, 'ancestor::x' ) { |el| ... }
-
# XPath.each( node, '/book/publisher/text()=$publisher', {}, {"publisher"=>"O'Reilly"}) \
-
# {|el| ... } def XPath::each element, path=nil, namespaces=nil, variables={}, &block raise "The namespaces argument, if supplied, must be a hash object." unless namespaces.nil? or namespaces.kind_of?(Hash) raise "The variables argument, if supplied, must be a hash object." unless variables.kind_of?(Hash)
=end
Updated by matz (Yukihiro Matsumoto) over 15 years ago
- Status changed from Open to Closed
- % Done changed from 0 to 100
=begin
Applied in changeset r20455.
=end
Actions
Like0
Like0