From: Adam R. <ad...@ex...> - 2012-02-08 14:41:58

> > > Yes, that is reason to keep it unreadable but executable.
> >
> > Another downside of forcing .xq files to be "readable" (not just "executable") is that the source code of the xquery can be exposed to the user. For example, say you have an app at /db/demo, and you have a controller.xql file to handle URL requests. This controller.xql has to be world +rx. But by being readable, you can display the source by accessing: http://localhost:8080/exist/eXide/index.html?open=/db/demo/controller.xql. I don't think we want source to be viewable like this. Based on this, could we consider removing the requirement that .xq files must be world +r in order to be browser-executable?
>
> I don't think changing the security concerns here is a good idea. Rather I think the issue lies elsewhere, let me think about this...
>
> Also, Dmitriy - you asked for a trace. I wasn't sure which part of my report you wanted a trace for?
>
> But I did just notice a bug - I'm just not sure if this is an app level or system level issue. The demo app (in svn, /exist/apps/demo > ant build.xml > build/demo.xar), the JSON demo at http://localhost:8080/exist/apps/demo/examples/special/json.xql returns this error to the browser:
>
> <exception>
> <path>/db/demo/examples/special/json.xql</path>
> <message>
> Could not locate collection: /db/system/security [at line 14, column 22] In function: local:sub-collections(xs:string*) [33:9:/db/demo/examples/special/json.xql] local:collections(xs:string*, xs:string*) [18:19:/db/demo/examples/special/json.xql] local:sub-collections(xs:string*) [33:9:/db/demo/examples/special/json.xql] local:collections(xs:string*, xs:string*) [18:19:/db/demo/examples/special/json.xql] local:sub-collections(xs:string*) [33:9:/db/demo/examples/special/json.xql] local:collections(xs:string*, xs:string*) [40:6:/db/demo/examples/special/json.xql]
> </message>
> </exception>
>
> I think this is triggered by a call to xmldb:get-child-collections('/db/system/security') on line 14 column 22 of the json.xql. eXide's collection browser (eXide/modules/collections.xql) prevents this error by adding this conditional:
>
> if (sm:has-access(xs:anyURI($root), "x")) then
>     let $children := xmldb:get-child-collections($root)
>
> Is this the suggested best practice -- checking for sm:has-access before trying to use xmldb:get-*?
>
> Here is the error in exist.log:
>
> 2012-02-08 07:11:42,389 [eXistThread-39] DEBUG (RESTServer.java [doGet]:487) - Could not locate collection: /db/system/security [at line 14, column 22]
> In function:
> local:sub-collections(xs:string*) [33:9:/db/demo/examples/special/json.xql]
> local:collections(xs:string*, xs:string*) [18:19:/db/demo/examples/special/json.xql]
> local:sub-collections(xs:string*) [33:9:/db/demo/examples/special/json.xql]
> local:collections(xs:string*, xs:string*) [18:19:/db/demo/examples/special/json.xql]
> local:sub-collections(xs:string*) [33:9:/db/demo/examples/special/json.xql]
> local:collections(xs:string*, xs:string*) [40:6:/db/demo/examples/special/json.xql]
> org.exist.xquery.XPathException: Could not locate collection: /db/system/security [at line 14, column 22]
> In function:
> local:sub-collections(xs:string*) [33:9:/db/demo/examples/special/json.xql]
> local:collections(xs:string*, xs:string*) [18:19:/db/demo/examples/special/json.xql]
> local:sub-collections(xs:string*) [33:9:/db/demo/examples/special/json.xql]
> local:collections(xs:string*, xs:string*) [18:19:/db/demo/examples/special/json.xql]
> local:sub-collections(xs:string*) [33:9:/db/demo/examples/special/json.xql]
> local:collections(xs:string*, xs:string*) [40:6:/db/demo/examples/special/json.xql]
>     at org.exist.xquery.functions.xmldb.XMLDBAbstractCollectionManipulator.eval(XMLDBAbstractCollectionManipulator.java:160)
>     at org.exist.xquery.BasicFunction.eval(BasicFunction.java:68)
>     at org.exist.xquery.InternalFunctionCall.eval(InternalFunctionCall.java:55)
>     at org.exist.xquery.LetExpr.eval(LetExpr.java:155)
>     at org.exist.xquery.BindingExpression.eval(BindingExpression.java:156)
>     at org.exist.xquery.UserDefinedFunction.eval(UserDefinedFunction.java:139)
>     at org.exist.xquery.FunctionCall.evalFunction(FunctionCall.java:280)
>     at org.exist.xquery.FunctionCall.eval(FunctionCall.java:206)
>     at org.exist.xquery.AbstractExpression.eval(AbstractExpression.java:70)
>     at org.exist.xquery.PathExpr.eval(PathExpr.java:276)
>     at org.exist.xquery.SequenceConstructor.eval(SequenceConstructor.java:83)
>     at org.exist.xquery.UserDefinedFunction.eval(UserDefinedFunction.java:139)
>     at org.exist.xquery.FunctionCall$DeferredFunctionCallImpl.execute(FunctionCall.java:362)
>     at org.exist.xquery.DeferredFunctionCall.realize(DeferredFunctionCall.java:52)
>     at org.exist.xquery.DeferredFunctionCall.iterate(DeferredFunctionCall.java:208)
>     at org.exist.xquery.EnclosedExpr.eval(EnclosedExpr.java:80)
>     at org.exist.xquery.AbstractExpression.eval(AbstractExpression.java:70)
>     at org.exist.xquery.PathExpr.eval(PathExpr.java:276)
>     at org.exist.xquery.ElementConstructor.eval(ElementConstructor.java:279)
>     at org.exist.xquery.DebuggableExpression.eval(DebuggableExpression.java:56)
>     at org.exist.xquery.DebuggableExpression.eval(DebuggableExpression.java:63)
>     at org.exist.xquery.ForExpr.eval(ForExpr.java:320)
>     at org.exist.xquery.LetExpr.eval(LetExpr.java:208)
>     at org.exist.xquery.BindingExpression.eval(BindingExpression.java:156)
>     at org.exist.xquery.UserDefinedFunction.eval(UserDefinedFunction.java:139)
>     at org.exist.xquery.FunctionCall.evalFunction(FunctionCall.java:280)
>     at org.exist.xquery.FunctionCall.eval(FunctionCall.java:206)
>     at org.exist.xquery.AbstractExpression.eval(AbstractExpression.java:70)
>     at org.exist.xquery.PathExpr.eval(PathExpr.java:276)
>     at org.exist.xquery.SequenceConstructor.eval(SequenceConstructor.java:83)
>     at org.exist.xquery.UserDefinedFunction.eval(UserDefinedFunction.java:139)
>     at org.exist.xquery.FunctionCall$DeferredFunctionCallImpl.execute(FunctionCall.java:362)
>     at org.exist.xquery.DeferredFunctionCall.realize(DeferredFunctionCall.java:52)
>     at org.exist.xquery.DeferredFunctionCall.iterate(DeferredFunctionCall.java:208)
>     at org.exist.xquery.EnclosedExpr.eval(EnclosedExpr.java:80)
>     at org.exist.xquery.AbstractExpression.eval(AbstractExpression.java:70)
>     at org.exist.xquery.PathExpr.eval(PathExpr.java:276)
>     at org.exist.xquery.ElementConstructor.eval(ElementConstructor.java:279)
>     at org.exist.xquery.DebuggableExpression.eval(DebuggableExpression.java:56)
>     at org.exist.xquery.DebuggableExpression.eval(DebuggableExpression.java:63)
>     at org.exist.xquery.ForExpr.eval(ForExpr.java:320)
>     at org.exist.xquery.LetExpr.eval(LetExpr.java:208)
>     at org.exist.xquery.BindingExpression.eval(BindingExpression.java:156)
>     at org.exist.xquery.UserDefinedFunction.eval(UserDefinedFunction.java:139)
>     at org.exist.xquery.FunctionCall.evalFunction(FunctionCall.java:280)
>     at org.exist.xquery.FunctionCall.eval(FunctionCall.java:206)
>     at org.exist.xquery.AbstractExpression.eval(AbstractExpression.java:70)
>     at org.exist.xquery.PathExpr.eval(PathExpr.java:276)
>     at org.exist.xquery.SequenceConstructor.eval(SequenceConstructor.java:83)
>     at org.exist.xquery.UserDefinedFunction.eval(UserDefinedFunction.java:139)
>     at org.exist.xquery.FunctionCall.evalFunction(FunctionCall.java:280)
>     at org.exist.xquery.FunctionCall.eval(FunctionCall.java:206)
>     at org.exist.xquery.AbstractExpression.eval(AbstractExpression.java:70)
>     at org.exist.xquery.PathExpr.eval(PathExpr.java:276)
>     at org.exist.xquery.EnclosedExpr.eval(EnclosedExpr.java:70)
>     at org.exist.xquery.AbstractExpression.eval(AbstractExpression.java:70)
>     at org.exist.xquery.PathExpr.eval(PathExpr.java:276)
>     at org.exist.xquery.ElementConstructor.eval(ElementConstructor.java:279)
>     at org.exist.xquery.DebuggableExpression.eval(DebuggableExpression.java:56)
>     at org.exist.xquery.DebuggableExpression.eval(DebuggableExpression.java:63)
>     at org.exist.xquery.LetExpr.eval(LetExpr.java:210)
>     at org.exist.xquery.BindingExpression.eval(BindingExpression.java:156)
>     at org.exist.xquery.AbstractExpression.eval(AbstractExpression.java:70)
>     at org.exist.xquery.PathExpr.eval(PathExpr.java:276)
>     at org.exist.xquery.AbstractExpression.eval(AbstractExpression.java:70)
>     at org.exist.xquery.XQuery.execute(XQuery.java:246)
>     at org.exist.xquery.XQuery.execute(XQuery.java:201)
>     at org.exist.http.RESTServer.executeXQuery(RESTServer.java:1403)
>     at org.exist.http.RESTServer.doGet(RESTServer.java:478)
>     at org.exist.http.servlets.EXistServlet.doGet(EXistServlet.java:246)
>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:617)
>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
>     at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:547)
>     at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:480)
>     at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:119)
>     at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:520)
>     at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:227)
>     at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:941)
>     at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:409)
>     at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:186)
>     at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:875)
>     at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:117)
>     at org.eclipse.jetty.server.Dispatcher.forward(Dispatcher.java:241)
>     at org.eclipse.jetty.server.Dispatcher.forward(Dispatcher.java:115)
>     at org.exist.http.urlrewrite.Forward.doRewrite(Forward.java:47)
>     at org.exist.http.urlrewrite.XQueryURLRewrite.doRewrite(XQueryURLRewrite.java:552)
>     at org.exist.http.urlrewrite.XQueryURLRewrite.service(XQueryURLRewrite.java:336)
>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
>     at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:547)
>     at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:480)
>     at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:119)
>     at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:483)
>     at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:227)
>     at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:941)
>     at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:409)
>     at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:186)
>     at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:875)
>     at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:117)
>     at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:149)
>     at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:110)
>     at org.eclipse.jetty.server.Server.handle(Server.java:349)
>     at org.eclipse.jetty.server.HttpConnection.handleRequest(HttpConnection.java:441)
>     at org.eclipse.jetty.server.HttpConnection$RequestHandler.headerComplete(HttpConnection.java:919)
>     at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:582)
>     at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:218)
>     at org.eclipse.jetty.server.AsyncHttpConnection.handle(AsyncHttpConnection.java:51)
>     at org.eclipse.jetty.io.nio.SelectChannelEndPoint.handle(SelectChannelEndPoint.java:586)
>     at org.eclipse.jetty.io.nio.SelectChannelEndPoint$1.run(SelectChannelEndPoint.java:44)
>     at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:598)
>     at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:533)
>     at java.lang.Thread.run(Thread.java:680)
> Caused by: org.xmldb.api.base.XMLDBException: Permission denied to open collection: /db/system/security
>     at org.exist.xmldb.LocalCollection.getCollection(LocalCollection.java:218)
>     at org.exist.xmldb.LocalCollection.<init>(LocalCollection.java:147)
>     at org.exist.xmldb.LocalCollection.<init>(LocalCollection.java:121)
>     at org.exist.xquery.functions.xmldb.XMLDBAbstractCollectionManipulator.createLocalCollection(XMLDBAbstractCollectionManipulator.java:77)
>     at org.exist.xquery.functions.xmldb.XMLDBAbstractCollectionManipulator.eval(XMLDBAbstractCollectionManipulator.java:128)
>     ... 110 more
> Caused by: org.exist.security.PermissionDeniedException: Permission denied to open collection: /db/system/security
>     at org.exist.storage.NativeBroker.openCollection(NativeBroker.java:896)
>     at org.exist.storage.NativeBroker.openCollection(NativeBroker.java:741)
>     at org.exist.storage.NativeBroker.getCollection(NativeBroker.java:736)
>     at org.exist.xmldb.LocalCollection.getCollection(LocalCollection.java:210)
>     ... 114 more
>
> _______________________________________________
> Exist-development mailing list
> Exi...@li...
> https://lists.sourceforge.net/lists/listinfo/exist-development
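The quoted thread asks whether guarding `xmldb:get-child-collections` with `sm:has-access(xs:anyURI($root), "x")`, as eXide's collections.xql does, is the right pattern. The XQuery below is an added example written for this page, not code from the thread, from eXide or from the demo app. It applies that guard inside a recursive collection walk, so a collection the calling user may not traverse (such as /db/system/security for an unprivileged user, the case in the trace above) is reported as a leaf with accessible="false" instead of aborting the whole query with "Could not locate collection". It assumes only the two eXist functions the thread names; the element layout of the result is this example's own.

```xquery
xquery version "1.0";

(: Added example (not from the thread, eXide or the demo app).
   Walks the collection tree below a root, consulting sm:has-access before
   every xmldb:get-child-collections call, so the query degrades to an
   "inaccessible" marker instead of a PermissionDeniedException. :)

declare namespace sm="http://exist-db.org/xquery/securitymanager";
declare namespace xmldb="http://exist-db.org/xquery/xmldb";

(: true when the current user holds execute ("x") permission on the
   collection, the mode eXide's collection browser checks before listing :)
declare function local:traversable($collection as xs:string) as xs:boolean {
    sm:has-access(xs:anyURI($collection), 'x')
};

(: child collection names, or the empty sequence when we may not look :)
declare function local:child-collections($collection as xs:string) as xs:string* {
    if (local:traversable($collection)) then
        xmldb:get-child-collections($collection)
    else
        ()
};

(: recursive listing; a collection we may not traverse becomes a leaf with
   accessible="false" rather than an error for the whole request :)
declare function local:collection-tree($collection as xs:string) as element(collection) {
    <collection path="{$collection}" accessible="{local:traversable($collection)}">
    {
        for $child in local:child-collections($collection)
        order by $child
        return local:collection-tree(concat($collection, '/', $child))
    }
    </collection>
};

(: the root is an assumption of this example; any collection path works :)
local:collection-tree('/db')
```

Run as the same non-dba user that produced the trace, the node for /db/system/security is expected to carry accessible="false" and no children while the rest of the tree renders; run as a dba, every node is accessible="true". Checking the specific mode the operation needs ("x" to open and list a collection), rather than "r", keeps the guard aligned with the PermissionDeniedException that the trace shows being raised from NativeBroker.openCollection.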