Update of /cvsroot/exist/eXist-1.0/samples/xmlrpc
In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv23472/samples/xmlrpc
Modified Files:
search.pl find.rb
Log Message:
Security issues fixed: resources were included in the XQuery context even though the user
had no permission to read them. The REST-style interface did not correctly check
permissions; /db/system/users.xml could be retrieved by ordinary users.
Index: find.rb
===================================================================
RCS file: /cvsroot/exist/eXist-1.0/samples/xmlrpc/find.rb,v
retrieving revision 1.1
retrieving revision 1.2
diff -C2 -d -r1.1 -r1.2
*** find.rb 19 Feb 2004 16:24:07 -0000 1.1
--- find.rb 1 Apr 2004 14:12:45 -0000 1.2
***************
*** 6,10 ****
#
query = <<END
! for \$speech in //SPEECH[LINE &= 'tear*']
order by \$speech/SPEAKER[1]
return
--- 6,10 ----
#
query = <<END
! for \$speech in //SPEECH[LINE &= \$query]
order by \$speech/SPEAKER[1]
return
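Review bot: The rewritten `for` line references an XQuery variable `$query` while the Ruby local that holds the whole query text is also named `query`, and nothing near the heredoc says where the value comes from. Passing the search term as a bound variable rather than splicing it into the query string is the right pattern for untrusted input, so it deserves a comment above the heredoc, such as `# $query is supplied through the "variables" entry of the options hash, never interpolated into this text`. Renaming the bound variable, e.g. `[LINE &= \$term]` with a matching `"term"` key in the second hunk, would remove the name clash. The same applies to the first hunk of search.pl. The heredoc continues past the end of this hunk.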
***************
*** 16,20 ****
puts "Query: #{query}"
! outputOptions = { "encoding" => "UTF-8", "indent" => "yes" }
begin
--- 16,23 ----
puts "Query: #{query}"
! vars = { "query" => "adrian*" }
! outputOptions = { "encoding" => "UTF-8", "indent" => "yes",
! "variables" => vars
! }
begin
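Review bot: `outputOptions` now carries the query's input variables alongside the serialization settings, so the name no longer describes what is sent. Renaming it to `options`, or adding a comment such as `# "variables" holds the values bound to XQuery variables of the same name`, would make that clear. The sample term also changes from 'tear*' to "adrian*" in this commit, which alters the sample's results and is not mentioned in the log message. If the sample is meant to show a caller-supplied term, `vars = { "query" => ARGV[0] || "adrian*" }` would demonstrate it without touching the query text. The `begin` block opens on the last line and continues outside the hunk.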
Index: search.pl
===================================================================
RCS file: /cvsroot/exist/eXist-1.0/samples/xmlrpc/search.pl,v
retrieving revision 1.1
retrieving revision 1.2
diff -C2 -d -r1.1 -r1.2
*** search.pl 19 Feb 2004 16:24:07 -0000 1.1
--- search.pl 1 Apr 2004 14:12:45 -0000 1.2
***************
*** 10,14 ****
$query = <<END;
! for \$speech in //SPEECH[LINE &= 'corrupt*']
order by \$speech/SPEAKER[1]
return
--- 10,14 ----
$query = <<END;
! for \$speech in //SPEECH[LINE &= \$query]
order by \$speech/SPEAKER[1]
return
***************
*** 16,19 ****
--- 16,28 ----
END
+ # user-supplied variables
+ $vars = RPC::XML::struct->new('query' => 'corrupt*');
+ # Output options
+ $options = RPC::XML::struct->new(
+ 'indent' => 'yes',
+ 'encoding' => 'UTF-8',
+ 'variables' => $vars
+ );
+
$URL = "http://guest:guest\@localhost:8080/exist/xmlrpc";
print "connecting to $URL...\n";
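Review bot: The comment `# user-supplied variables` sits above a hard-coded `'corrupt*'`, so the sample does not show where a real caller's value would enter. Something like `# values bound to XQuery variables by name (here a fixed sample term)` is more accurate. `$options` is now built before the connection, and its later definition is removed in the last hunk. Any later call that still takes `$options` would presumably receive the `'variables'` entry as well; whether that is intended is not visible here. The `# Output options` comment could also mention that the struct now carries query input.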
***************
*** 24,28 ****
$req = RPC::XML::request->new("executeQuery",
RPC::XML::base64->new($query),
! "UTF-8");
$resp = process($req);
$result_id = $resp->value;
--- 33,37 ----
$req = RPC::XML::request->new("executeQuery",
RPC::XML::base64->new($query),
! "UTF-8", $options);
$resp = process($req);
$result_id = $resp->value;
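Review bot: The changed argument line now states the encoding twice, once as the positional `"UTF-8"` and once as `'encoding' => 'UTF-8'` inside `$options`, and nothing says which one takes effect for the query. A short comment above the call, e.g. `# last argument: serialization options plus bound variables`, would help the reader. `$resp->value` is also read with no fault check visible in this hunk, though `process` is defined outside it and may already handle that.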
***************
*** 34,42 ****
print "Found $hits hits.\n";
- # Output options
- $options = RPC::XML::struct->new(
- 'indent' => 'yes',
- 'encoding' => 'UTF-8');
-
# Retrieve query results 1 to 10
for($i = 1; $i < 10 && $i < $hits; $i++) {
--- 43,46 ----