From: Joe W. <jo...@gm...> - 2012-02-08 12:33:52
Hi all,

> Yes, that is reason to keep it unreadable but executable.

Another downside of forcing .xq files to be "readable" (not just "executable") is that the source code of the xquery can be exposed to the user. For example, say you have an app at /db/demo, and you have a controller.xql file to handle URL requests. This controller.xql has to be world +rx. But by being readable, you can display the source by accessing:

http://localhost:8080/exist/eXide/index.html?open=/db/demo/controller.xql

I don't think we want source to be viewable like this. Based on this, could we consider removing the requirement that .xq files must be world +r in order to be browser-executable?

Also, Dmitriy - you asked for a trace. I wasn't sure which part of my report you wanted a trace for? But I did just notice a bug - I'm just not sure if this is an app level or system level issue. The demo app (in svn, /exist/apps/demo > ant build.xml > build/demo.xar), the JSON demo at http://localhost:8080/exist/apps/demo/examples/special/json.xql returns this error to the browser:

    <exception>
      <path>/db/demo/examples/special/json.xql</path>
      <message>
        Could not locate collection: /db/system/security [at line 14, column 22]
        In function:
          local:sub-collections(xs:string*) [33:9:/db/demo/examples/special/json.xql]
          local:collections(xs:string*, xs:string*) [18:19:/db/demo/examples/special/json.xql]
          local:sub-collections(xs:string*) [33:9:/db/demo/examples/special/json.xql]
          local:collections(xs:string*, xs:string*) [18:19:/db/demo/examples/special/json.xql]
          local:sub-collections(xs:string*) [33:9:/db/demo/examples/special/json.xql]
          local:collections(xs:string*, xs:string*) [40:6:/db/demo/examples/special/json.xql]
      </message>
    </exception>

I think this is triggered by a call to xmldb:get-child-collections('/db/system/security') on line 14 column 22 of the json.xql.

eXide's collection browser (eXide/modules/collections.xql) prevents this error by adding this conditional:

    if (sm:has-access(xs:anyURI($root), "x")) then
        let $children := xmldb:get-child-collections($root)

Is this the suggested best practice -- checking for sm:has-access before trying to use xmldb:get-*?

Here is the error in exist.log:

    2012-02-08 07:11:42,389 [eXistThread-39] DEBUG (RESTServer.java [doGet]:487) - Could not locate collection: /db/system/security [at line 14, column 22]
    In function:
      local:sub-collections(xs:string*) [33:9:/db/demo/examples/special/json.xql]
      local:collections(xs:string*, xs:string*) [18:19:/db/demo/examples/special/json.xql]
      local:sub-collections(xs:string*) [33:9:/db/demo/examples/special/json.xql]
      local:collections(xs:string*, xs:string*) [18:19:/db/demo/examples/special/json.xql]
      local:sub-collections(xs:string*) [33:9:/db/demo/examples/special/json.xql]
      local:collections(xs:string*, xs:string*) [40:6:/db/demo/examples/special/json.xql]
    org.exist.xquery.XPathException: Could not locate collection: /db/system/security [at line 14, column 22]
    In function:
      local:sub-collections(xs:string*) [33:9:/db/demo/examples/special/json.xql]
      local:collections(xs:string*, xs:string*) [18:19:/db/demo/examples/special/json.xql]
      local:sub-collections(xs:string*) [33:9:/db/demo/examples/special/json.xql]
      local:collections(xs:string*, xs:string*) [18:19:/db/demo/examples/special/json.xql]
      local:sub-collections(xs:string*) [33:9:/db/demo/examples/special/json.xql]
      local:collections(xs:string*, xs:string*) [40:6:/db/demo/examples/special/json.xql]
        at org.exist.xquery.functions.xmldb.XMLDBAbstractCollectionManipulator.eval(XMLDBAbstractCollectionManipulator.java:160)
        at org.exist.xquery.BasicFunction.eval(BasicFunction.java:68)
        at org.exist.xquery.InternalFunctionCall.eval(InternalFunctionCall.java:55)
        at org.exist.xquery.LetExpr.eval(LetExpr.java:155)
        at org.exist.xquery.BindingExpression.eval(BindingExpression.java:156)
        at org.exist.xquery.UserDefinedFunction.eval(UserDefinedFunction.java:139)
        at org.exist.xquery.FunctionCall.evalFunction(FunctionCall.java:280)
        at org.exist.xquery.FunctionCall.eval(FunctionCall.java:206)
        at org.exist.xquery.AbstractExpression.eval(AbstractExpression.java:70)
        at org.exist.xquery.PathExpr.eval(PathExpr.java:276)
        at org.exist.xquery.SequenceConstructor.eval(SequenceConstructor.java:83)
        at org.exist.xquery.UserDefinedFunction.eval(UserDefinedFunction.java:139)
        at org.exist.xquery.FunctionCall$DeferredFunctionCallImpl.execute(FunctionCall.java:362)
        at org.exist.xquery.DeferredFunctionCall.realize(DeferredFunctionCall.java:52)
        at org.exist.xquery.DeferredFunctionCall.iterate(DeferredFunctionCall.java:208)
        at org.exist.xquery.EnclosedExpr.eval(EnclosedExpr.java:80)
        at org.exist.xquery.AbstractExpression.eval(AbstractExpression.java:70)
        at org.exist.xquery.PathExpr.eval(PathExpr.java:276)
        at org.exist.xquery.ElementConstructor.eval(ElementConstructor.java:279)
        at org.exist.xquery.DebuggableExpression.eval(DebuggableExpression.java:56)
        at org.exist.xquery.DebuggableExpression.eval(DebuggableExpression.java:63)
        at org.exist.xquery.ForExpr.eval(ForExpr.java:320)
        at org.exist.xquery.LetExpr.eval(LetExpr.java:208)
        at org.exist.xquery.BindingExpression.eval(BindingExpression.java:156)
        at org.exist.xquery.UserDefinedFunction.eval(UserDefinedFunction.java:139)
        at org.exist.xquery.FunctionCall.evalFunction(FunctionCall.java:280)
        at org.exist.xquery.FunctionCall.eval(FunctionCall.java:206)
        at org.exist.xquery.AbstractExpression.eval(AbstractExpression.java:70)
        at org.exist.xquery.PathExpr.eval(PathExpr.java:276)
        at org.exist.xquery.SequenceConstructor.eval(SequenceConstructor.java:83)
        at org.exist.xquery.UserDefinedFunction.eval(UserDefinedFunction.java:139)
        at org.exist.xquery.FunctionCall$DeferredFunctionCallImpl.execute(FunctionCall.java:362)
        at org.exist.xquery.DeferredFunctionCall.realize(DeferredFunctionCall.java:52)
        at org.exist.xquery.DeferredFunctionCall.iterate(DeferredFunctionCall.java:208)
        at org.exist.xquery.EnclosedExpr.eval(EnclosedExpr.java:80)
        at org.exist.xquery.AbstractExpression.eval(AbstractExpression.java:70)
        at org.exist.xquery.PathExpr.eval(PathExpr.java:276)
        at org.exist.xquery.ElementConstructor.eval(ElementConstructor.java:279)
        at org.exist.xquery.DebuggableExpression.eval(DebuggableExpression.java:56)
        at org.exist.xquery.DebuggableExpression.eval(DebuggableExpression.java:63)
        at org.exist.xquery.ForExpr.eval(ForExpr.java:320)
        at org.exist.xquery.LetExpr.eval(LetExpr.java:208)
        at org.exist.xquery.BindingExpression.eval(BindingExpression.java:156)
        at org.exist.xquery.UserDefinedFunction.eval(UserDefinedFunction.java:139)
        at org.exist.xquery.FunctionCall.evalFunction(FunctionCall.java:280)
        at org.exist.xquery.FunctionCall.eval(FunctionCall.java:206)
        at org.exist.xquery.AbstractExpression.eval(AbstractExpression.java:70)
        at org.exist.xquery.PathExpr.eval(PathExpr.java:276)
        at org.exist.xquery.SequenceConstructor.eval(SequenceConstructor.java:83)
        at org.exist.xquery.UserDefinedFunction.eval(UserDefinedFunction.java:139)
        at org.exist.xquery.FunctionCall.evalFunction(FunctionCall.java:280)
        at org.exist.xquery.FunctionCall.eval(FunctionCall.java:206)
        at org.exist.xquery.AbstractExpression.eval(AbstractExpression.java:70)
        at org.exist.xquery.PathExpr.eval(PathExpr.java:276)
        at org.exist.xquery.EnclosedExpr.eval(EnclosedExpr.java:70)
        at org.exist.xquery.AbstractExpression.eval(AbstractExpression.java:70)
        at org.exist.xquery.PathExpr.eval(PathExpr.java:276)
        at org.exist.xquery.ElementConstructor.eval(ElementConstructor.java:279)
        at org.exist.xquery.DebuggableExpression.eval(DebuggableExpression.java:56)
        at org.exist.xquery.DebuggableExpression.eval(DebuggableExpression.java:63)
        at org.exist.xquery.LetExpr.eval(LetExpr.java:210)
        at org.exist.xquery.BindingExpression.eval(BindingExpression.java:156)
        at org.exist.xquery.AbstractExpression.eval(AbstractExpression.java:70)
        at org.exist.xquery.PathExpr.eval(PathExpr.java:276)
        at org.exist.xquery.AbstractExpression.eval(AbstractExpression.java:70)
        at org.exist.xquery.XQuery.execute(XQuery.java:246)
        at org.exist.xquery.XQuery.execute(XQuery.java:201)
        at org.exist.http.RESTServer.executeXQuery(RESTServer.java:1403)
        at org.exist.http.RESTServer.doGet(RESTServer.java:478)
        at org.exist.http.servlets.EXistServlet.doGet(EXistServlet.java:246)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:617)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
        at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:547)
        at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:480)
        at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:119)
        at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:520)
        at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:227)
        at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:941)
        at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:409)
        at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:186)
        at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:875)
        at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:117)
        at org.eclipse.jetty.server.Dispatcher.forward(Dispatcher.java:241)
        at org.eclipse.jetty.server.Dispatcher.forward(Dispatcher.java:115)
        at org.exist.http.urlrewrite.Forward.doRewrite(Forward.java:47)
        at org.exist.http.urlrewrite.XQueryURLRewrite.doRewrite(XQueryURLRewrite.java:552)
        at org.exist.http.urlrewrite.XQueryURLRewrite.service(XQueryURLRewrite.java:336)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
        at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:547)
        at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:480)
        at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:119)
        at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:483)
        at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:227)
        at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:941)
        at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:409)
        at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:186)
        at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:875)
        at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:117)
        at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:149)
        at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:110)
        at org.eclipse.jetty.server.Server.handle(Server.java:349)
        at org.eclipse.jetty.server.HttpConnection.handleRequest(HttpConnection.java:441)
        at org.eclipse.jetty.server.HttpConnection$RequestHandler.headerComplete(HttpConnection.java:919)
        at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:582)
        at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:218)
        at org.eclipse.jetty.server.AsyncHttpConnection.handle(AsyncHttpConnection.java:51)
        at org.eclipse.jetty.io.nio.SelectChannelEndPoint.handle(SelectChannelEndPoint.java:586)
        at org.eclipse.jetty.io.nio.SelectChannelEndPoint$1.run(SelectChannelEndPoint.java:44)
        at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:598)
        at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:533)
        at java.lang.Thread.run(Thread.java:680)
    Caused by: org.xmldb.api.base.XMLDBException: Permission denied to open collection: /db/system/security
        at org.exist.xmldb.LocalCollection.getCollection(LocalCollection.java:218)
        at org.exist.xmldb.LocalCollection.<init>(LocalCollection.java:147)
        at org.exist.xmldb.LocalCollection.<init>(LocalCollection.java:121)
        at org.exist.xquery.functions.xmldb.XMLDBAbstractCollectionManipulator.createLocalCollection(XMLDBAbstractCollectionManipulator.java:77)
        at org.exist.xquery.functions.xmldb.XMLDBAbstractCollectionManipulator.eval(XMLDBAbstractCollectionManipulator.java:128)
        ... 110 more
    Caused by: org.exist.security.PermissionDeniedException: Permission denied to open collection: /db/system/security
        at org.exist.storage.NativeBroker.openCollection(NativeBroker.java:896)
        at org.exist.storage.NativeBroker.openCollection(NativeBroker.java:741)
        at org.exist.storage.NativeBroker.getCollection(NativeBroker.java:736)
        at org.exist.xmldb.LocalCollection.getCollection(LocalCollection.java:210)
        ... 114 more
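
Added example, not part of the original message and not code from eXist, eXide or the demo app: a recursive collection listing that applies the sm:has-access guard quoted above before every xmldb:get-child-collections call, so a protected collection such as /db/system/security is reported as denied rather than aborting the query. The function name local:tree, the "denied" attribute and the start path /db are assumptions made for the illustration; the "x" mode string is the one used in the quoted eXide conditional.

```xquery
xquery version "1.0";

import module namespace sm = "http://exist-db.org/xquery/securitymanager";
import module namespace xmldb = "http://exist-db.org/xquery/xmldb";

(: Hypothetical helper: returns the collection tree below $root.
   A collection the current user may not enter is emitted as an
   empty element with denied="true" instead of raising an error. :)
declare function local:tree($root as xs:string) as element(collection) {
    <collection path="{$root}">{
        (: Same guard as the eXide conditional quoted in the message. :)
        if (sm:has-access(xs:anyURI($root), "x")) then
            for $child in xmldb:get-child-collections($root)
            order by $child
            return local:tree(concat($root, "/", $child))
        else
            (: Access check failed: do not call xmldb:get-child-collections. :)
            attribute denied { "true" }
    }</collection>
};

(: Assumed start point for the walk. :)
local:tree("/db")
```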