Hi all,

For anyone considering moving an application from your own computer and
putting it on the public internet, the eXist documentation states a helpful

"For any live application it is recognised best practice to keep the attack
surface of the application as small as possible. There are two aspects to
this: 1. Reducing the application itself to the absolute essentials. 2.
Limiting access routes to the application. eXist-db is no exception and
should be configured for your production systems so that it provides only
what you need and no more." (from

As applied to the server, the issue is that the eXist server's
REST interface is exposed to the public.  Essentially, the "/data" URL at is being mapped onto the eXist
server's own URL,
http://localhost:8080/exist/rest/db/apps/tei-abstracts/data.  eXist's REST
interface ( is a
convenient way to expose the documents in your collection for browsing and
downloading.  But this powerful interface does allow users with access to
it to execute arbitrary XQuery.  Matthias's solution (already applied, it
appears!) keeps the original "/rest" URLs exposed, while filtering requests
to prevent users from executing arbitrary code.  This is a good step, but
in general, good practice is to prevent these "/rest" URLs from being
exposed to the public, using eXist's robust URL rewriting functions to
limit what visitors are able to see and access.

Like many open source projects, the built-in documentation is uneven.  For
anyone getting started with eXist, I'd highly recommend Adam Retter and
Erik Siegel's book, _eXist_ (O'Reilly, 2014):

The whole book is really well done and approachable.  I wrote a review at


On Fri, Mar 10, 2017 at 8:33 AM, Piotr Bański <[log in to unmask]>

> Dear Mathias,
> What a pretty cat(ch)! Thanks for sharing :-)
> Best regards,
>   Piotr
> On 03/10/17 14:26, Mathias Göbel wrote:
>> Dear TEI-Community,
>> thank you for offering an increasing number of documents stored in
>> outstanding great databases like eXist-db and available via REST. Would
>> those guys using eXist-db consider to capture&redirect the "_query"
>> parameter (or at least a set of function names) to avoid offering an
>> open proxy like in this example:
>> sion%20%223.1%22;response:stream-binary(%20xs:base64Bina
>> ry(%20data(httpclient:get(xs:anyURI(%22
>> lt8vrdas9o1qb8xalo1_400.jpg%22),%20false(),%20())//
>> httpclient:body))%20,%20%22image/jpg%22)
>> If you are using Apache you might want to
>>         RewriteEngine on
>>         RewriteCond %{QUERY_STRING} _query=
>>         RewriteRule (.*) $1? [R=permanent]
>> Best,
>> Mathias
>> --
>> Mathias Göbel
>> Research and Development
>> Georg-August-Universität Göttingen
>> Göttingen State and University Library
>> D-37070 Göttingen
>> Papendiek 14 (hist. building, room 2.408
>> <>)
>> +49 551 39-20184 (Tel.)
>> +49 551 39-33856 (Fax.)
>> [log in to unmask] <mailto:[log in to unmask]>
>> --
> --
> Piotr Bański, Ph.D.
> Senior Researcher,
> Institut für Deutsche Sprache,
> R5 6-13
> 68-161 Mannheim, Germany