
RE: XQuery spec doesn't warn about injection attacks

From: Michael Kay <mhk@mhk.me.uk>
Date: Mon, 28 Nov 2005 22:37:37 -0000
To: "'Dan Connolly'" <connolly@w3.org>, <public-qt-comments@w3.org>
Cc: "'Thomas Roessler'" <tlr@w3.org>
Message-Id: <20051128223747.9974A2F490F@mailhost3.dircon.co.uk>

It's also worth advising that untrusted queries should not be allowed to
execute external (extension) functions or to call the doc() or collection()
function with a file:/// URI. Many sites (including W3C and Google) have
been known to set up services that allowed execution of untrusted XSLT
stylesheets without inhibiting such features.

Michael Kay


> -----Original Message-----
> From: public-qt-comments-request@w3.org 
> [mailto:public-qt-comments-request@w3.org] On Behalf Of Dan Connolly
> Sent: 28 November 2005 21:54
> To: public-qt-comments@w3.org
> Cc: Thomas Roessler
> Subject: XQuery spec doesn't warn about injection attacks
> 
> 
> SQL injection attacks are a well-known risk. Surely there's an analog
> for XQuery. Please warn about them.
> 
> http://www.w3.org/TR/xquery/#id-security-considerations
> 
> (I spent (another) 10 minutes trying to get my bugzilla account working
> and failed. Rather than punt to the someday pile, I'm sending mail. Sorry.)
> 
> -- 
> Dan Connolly, W3C http://www.w3.org/People/Connolly/
> 
> 
> 
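The two points raised in this exchange, Dan Connolly's XQuery analog of SQL injection and Michael Kay's advice to keep untrusted queries away from doc()/collection() on file: URIs, can be illustrated with a small Python example. This is added here and is not code from either message or from any XQuery implementation: the query shape, the function names and the sample input are constructed, and the engine that would actually execute the query and bind external variables is left unspecified.

```python
"""Two defensive controls for an XQuery service that accepts untrusted input
(added example, not part of the mailing-list thread):

 1. Keep untrusted values out of the query text.  Either bind them as external
    variables (preferred) or, where concatenation is unavoidable, encode them
    as an XQuery string literal (" becomes "", & becomes &amp;).
 2. Restrict what doc()/collection() may fetch: an allow-list of URI schemes
    that refuses file: and scheme-less (relative) URIs.

Function names and the query shape are constructed for illustration.
"""
from typing import Dict, Tuple
from urllib.parse import urlparse


def build_query_concatenated(user_input: str) -> str:
    """The pattern to avoid: the untrusted value is spliced into the query text,
    so a quote in the input ends the string literal and changes the query."""
    return f'//user[name = "{user_input}"]/email'


def xquery_string_literal(value: str) -> str:
    """Encode value as an XQuery double-quoted string literal.

    In the XQuery grammar a double quote inside a double-quoted literal is
    written as two double quotes, and an ampersand must be written as the
    entity reference &amp;.  Ampersand is replaced first so the entity text
    itself is not re-escaped.
    """
    return '"' + value.replace("&", "&amp;").replace('"', '""') + '"'


def build_query_escaped(user_input: str) -> str:
    """Fallback when the value must appear in the query text."""
    return f"//user[name = {xquery_string_literal(user_input)}]/email"


def build_query_parameterized(user_input: str) -> Tuple[str, Dict[str, str]]:
    """Preferred form: the query text is constant and the value travels
    separately, to be bound through the engine's external-variable API, so it
    can never be parsed as query syntax.  Returns (query_text, bindings)."""
    query = (
        "declare variable $name as xs:string external;\n"
        "//user[name = $name]/email"
    )
    return query, {"name": user_input}


def count_unescaped_quotes(query: str) -> int:
    """Count the double quotes that delimit literals (a doubled quote is an
    escaped character, not a delimiter).  A query with exactly one string
    literal should give 2; any other value means the literal boundaries moved,
    which is the structural signature of an injection."""
    count, i = 0, 0
    while i < len(query):
        if query[i] == '"':
            if i + 1 < len(query) and query[i + 1] == '"':
                i += 2          # escaped quote inside a literal
                continue
            count += 1
        i += 1
    return count


ALLOWED_DOC_SCHEMES = frozenset({"http", "https"})


def is_allowed_document_uri(uri: str, allowed_schemes=ALLOWED_DOC_SCHEMES) -> bool:
    """Decide whether doc()/collection() may fetch `uri`.

    Rejects file: (and any scheme not on the allow-list) and also scheme-less
    URIs, which an engine resolves against its static base URI, typically a
    path on the server's filesystem.  urlparse lowercases the scheme, so
    "FILE:" is caught as well.
    """
    scheme = urlparse(uri).scheme
    return bool(scheme) and scheme in allowed_schemes


if __name__ == "__main__":
    name = 'Joe "Bob" Smith'            # constructed input containing a quote
    for q in (build_query_concatenated(name), build_query_escaped(name)):
        print(count_unescaped_quotes(q), q)
    print(build_query_parameterized(name))
    for u in ("http://example.org/data.xml", "file:///srv/private.xml", "../private.xml"):
        print(is_allowed_document_uri(u), u)
```

The quote-count check is deliberately crude; it is there to make the failure visible in a test, not to validate queries in production. The real control is the parameterized form, where the engine receives the value through a typed external variable and the query text never changes, together with a resolver or configuration that applies the scheme allow-list to every doc() and collection() call the untrusted query makes.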
Received on Monday, 28 November 2005 22:38:25 GMT
