zorba-coders team mailing list archive

[Bug 984759] [NEW] StaticContextEntityResolver ignores deny_access

 

*** This bug is a security vulnerability ***

Private security bug reported:

Within resolveEntity(...) the following code:

  theSctx->resolve_uri(lResolved, internal::EntityData::SCHEMA,
                       lErrorMessage);

might throw zerr::ZXQP0029_URI_ACCESS_DENIED. Currently, this exception
is not propagated. Instead, it is caught and null is returned, which
allows the default URI resolver of Xerces to resolve the URI anyway.

This is not exactly what "access denied" means. Therefore, the resolver
must obey and handle the deny_access exception separately. Please find
a patch attached to this bug report.

** Affects: zorba
     Importance: Critical
     Assignee: Chris Hillery (ceejatec)
         Status: New


** Tags: schema uri-resolver xerces

-- 
You received this bug notification because you are a member of Zorba
Coders, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/984759

Title:
  StaticContextEntityResolver ignores deny_access

Status in Zorba - The XQuery Processor:
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/zorba/+bug/984759/+subscriptions
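
The fail-open pattern described in the report, next to a fail-closed version, as an added example that is not Zorba's code or the attached patch. All names here (AccessDenied, policyResolve, parserLoad and the rest) are hypothetical stand-ins, the deny rule for file: URIs is an assumption, and the sample URIs are constructed.

```cpp
#include <functional>
#include <memory>
#include <stdexcept>
#include <string>

// Hypothetical stand-in for zerr::ZXQP0029_URI_ACCESS_DENIED.
struct AccessDenied : std::runtime_error {
  using std::runtime_error::runtime_error;
};
typedef std::unique_ptr<std::string> Entity;  // nullptr means "no answer"
typedef std::function<Entity(const std::string&)> EntityResolver;

// Hypothetical policy layer playing the role of resolve_uri().
// Assumption: the policy denies every file: URI.
std::string policyResolve(const std::string& uri) {
  if (uri.rfind("file:", 0) == 0) throw AccessDenied("denied: " + uri);
  if (uri == "urn:known-schema") return "<schema/>";
  throw std::runtime_error("not found: " + uri);
}

// Fail-open: every exception, including the denial, becomes null.
Entity resolveFailOpen(const std::string& uri) {
  try { return Entity(new std::string(policyResolve(uri))); }
  catch (const std::exception&) { return Entity(); }
}

// Fail-closed: the denial propagates; only other failures become null.
Entity resolveFailClosed(const std::string& uri) {
  try { return Entity(new std::string(policyResolve(uri))); }
  catch (const AccessDenied&) { throw; }
  catch (const std::exception&) { return Entity(); }
}

// Models a parser that falls back to its built-in resolver when the
// custom resolver returns null, as the report describes.
std::string parserLoad(const EntityResolver& custom, const std::string& uri) {
  if (Entity data = custom(uri)) return *data;
  return "default-resolver-fetched:" + uri;
}

// True if the policy denial actually stopped the load.
bool blocked(const EntityResolver& r, const std::string& uri) {
  try { parserLoad(r, uri); return false; }
  catch (const AccessDenied&) { return true; }
}
```
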

