[
https://issues.apache.org/jira/browse/XALANC-684?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12648553#action_12648553
]
Hans Smit commented on XALANC-684:
----------------------------------
You must have read my mind, that's exactly what I did this morning. I
downloaded the latest trunk, applied the patch and went through the entire
XalanC installation procedure, and guess what? It worked out of the box. What a
wonderful tool.
btw: your patch has been verified - it works. Thanks for the speedy delivery.
I was so pleased with this flawless installation procedure I decided to make
some notes again, this time testing my new wiki.xsl transformation stylesheet I
developed last night. Here's the wiki input: (it looks real pretty after the
wiki.xsl transformation.)
== Building XalanC ==
This note describes how to build XalanC from the ground up. The prerequisite
for these instructions is that you have the xercesc installed on your machine.
=== Install TortoiseSVN ===
# Download TortoiseSVN via the site [http://tortoisesvn.net/]
# Install taking defaults (a reboot is not needed)
At this point the windows explorer folder will now have 2 additional context
menus (SVN Checkout... and TortoiseSVN >)
=== Download XalanC Trunk ===
# Create a directory named ''xalanc'' somewhere on your file system.
# Right-mouse click on this folder and select the menu item ''SVN Checkout...''
# Set the ''URL of Repository'' entry field to:
'''https://svn.apache.org/repos/asf/xalan/c/trunk'''. Take defaults for the
other entry fields.
# Click OK. A new window will popup displaying the download progress.
=== Building XalanC ===
# Open the solution file named ''xalanc/Projects/Win32/VC9/Xalan.sln''
# Right-mouse click on the ''MsgCreator'' project and select ''Project
Only->Build only MsgCreator''
# If the xerces-c_3_0.dll does not reside in the windows system folder, copy it
to the ''xalanc\Build\Win32\VC9\Release'' folder.
# Open a console prompt at the built location and execute the following
commands:
[source]
cd xalanc\Build\Win32\VC9\Release
mkdir Nls
mkdir Nls\Include
MsgCreator.exe C:\dev\tools\xalanc\src\xalanc\NLS\en_US\XalanMsg_en_US.xlf -OUTDIR Nls\Include
[/source]
# Right-mouse click on the ''XalanMsgLib'' project and select ''Project
Only->Build only XalanMsgLib''
# Right-mouse click on the ''AllInOne'' project and select ''Project
Only->Build only AllInOne''
If no errors occurred you will now have the following files:
* Xalan-C_1.lib
* Xalan-C_1_11.dll
* XalanMessages_1_11.dll
* XalanMessages_1_11.lib
== Applying a patch using TortoiseSVN ==
# Download the patch from [https://issues.apache.org/jira/browse], and save it
to your file system.
# Right-Mouse click on the xalanc folder and select the menu item:
''TortoiseSVN...->Apply Patch''
# Select the patch you just saved to your file system.
# The GUI explains the rest quite adequately.
> XPath single quote-comma bug
> ----------------------------
>
> Key: XALANC-684
> URL: https://issues.apache.org/jira/browse/XALANC-684
> Project: XalanC
> Issue Type: Bug
> Components: XalanC
> Affects Versions: 1.10
> Environment: all
> Reporter: Hans Smit
> Assignee: David Bertoni
> Priority: Minor
> Attachments: XALANC-684.patch
>
> Original Estimate: 4h
> Remaining Estimate: 4h
>
> Hi David,
> I let our security hacker go nuts on a server I've been developing and
> he came across this:
> Description
> -----------
> the XPath criteria expression,
> contains(.,translate('','','A','a'))
> generates a null pointer exception in the following file,
> FunctionContains::execute(...)
> line: const XalanDOMString& str2 = arg2->str(executionContext);
> Cause
> -----
> ('','') The double single quotes surrounding the comma in the first
> argument of the translate xpath function fail to get detected as a syntax
> error.
> David Bertoni writes> Actually, this should be interpreted as a function
> call with 4 arguments. It turns out there's a bug with reporting errors
> using the default implementation of the error reporting mechanism.
> How to reproduce
> ----------------
> execute (using the sample project provided in XalanC):
> SimpleXPathAPI.exe test-fs.xml root /root/fs/row[contains(.,translate('','','A','a'))]
> where the test-fs.xml contains the following xml:
> <?xml version="1.0" encoding="UTF-8" standalone="no" ?>
> <root>
>   <fs>
>     <row>
>       <id>31</id>
>       <directory/>
>       <path>technical</path>
>     </row>
>   </fs>
> </root>
> Platform
> --------
> - WinXP
> - MSVC++ 9.0 Pro Ed.
> - XalanC 1.10 (trunk) Debug + Release versions
> - compiled against XercesC 3.0
> Consequences
> ------------
> If web applications enable the user to enter XPath criteria directly,
> then it is possible to crash the server that executes the XPath
> expression.
> The band-aid patch for this is to scrutinize all client side input,
> however, this can be easily overlooked in certain situations. A better
> solution is to detect this issue in XalanC and throw an
> xalanc::XalanXPathException.
> David Bertoni writes> This is what should happen. It works fine within a
> stylesheet, because the execution context correctly reports the errors
--
This message is automatically generated by JIRA.