2.2.15.2 Filter XPath 1.0 Extensions

This protocol's filter type defines the following functions that are not part of the set defined by the XPath 1.0 specification, but are specific to this protocol.

Core Function Library:

  • Boolean band(bitfield, bitfield)

    The band(bitfield, bitfield) function takes two bitfield arguments and performs a bitwise AND on them.

  • number timediff(SYSTEM_TIME)

    The timediff(SYSTEM_TIME) function calculates the difference in milliseconds between the argument-supplied time and the current system time. The result MUST be positive if the system time is greater than the argument time, zero if the system time is equal to the argument time, and negative if the system time is less than the argument time.

  • number timediff(SYSTEM_TIME, SYSTEM_TIME)

    The timediff(SYSTEM_TIME, SYSTEM_TIME) function calculates the difference in milliseconds between the first and second argument-supplied times. The result MUST be positive if the second argument is greater than the first, zero if they are equal, and negative if the second argument is less than the first.

Data Model:

This protocol's filter supports an expanded set of data types. These are:

  • Unicode (as specified in [UNICODE]) string

  • ANSI string. In this specification, ANSI strings refer to multi-byte strings in which the encoding is controlled by the current system code page. One of the most common code pages is ANSI Latin-1, as specified in [ISO/IEC-8859-1].

  • BOOLEAN

  • Double

  • UINT64, which is an unsigned 64-bit integer

  • GUID, as specified in [MS-RPCE]

  • SID, as specified in [MS-DTYP]

  • SYSTEMTIME, as specified in [MS-DTYP]

  • FILETIME, as specified in [MS-DTYP]

  • Binary large object (BLOB)

  • Bitfield (64 bits)

In XPath expressions, the additional data types are expressed as strings and converted to the required type for expression evaluation. The conversion is based on the syntax of the string literal.

During evaluation of an XPath expression, a data string is determined to represent one of these additional types if it conforms to the syntactical representation for that type. The scopes of syntactic representations overlap such that it is possible for a string to have a valid representation as more than one type. In this case, a representation for each such type is retained and used in accordance with the following implicit conversion rules at event evaluation time.

The GUID type is converted to and from a string, as specified in [RFC4122]. The SID type is converted as specified in [MS-DTYP].

The ABNF for the remaining types is as follows, where DIGIT and HEXDIG are as specified in [RFC4234] Appendix B.

 Double = 0*1(SIGN) 0*(DIGIT) 0*1("." 1*(DIGIT))
  0*1(("d" / "D" / "e" / "E") 0*1(SIGN) 0*1(DIGIT))
 SIGN = "+" / "-"
 UINT64 = "0" ("x" / "X") 1*DIGIT
 SYSTEMTIME = FILETIME
 FILETIME = date-time
 date-fullyear   = 4DIGIT
 date-month      = 2DIGIT  ; 01-12
 date-mday       = 2DIGIT  ; 01-28, 01-29, 01-30, 01-31 based on month-year
 time-hour       = 2DIGIT  ; 00-23
 time-minute     = 2DIGIT  ; 00-59
 time-second     = 2DIGIT  ; 00-59
 time-msecs      = "." 1*3DIGIT
 time-offset     = "Z"
 partial-time    = time-hour ":" time-minute ":" time-second [time-msecs]
 full-date       = date-fullyear "-" date-month "-" date-mday
 full-time       = partial-time time-offset
 date-time       = full-date "T" full-time
 BinaryBlob = 1*HEXDIG
 bitfield = UINT64

Additionally, if the string is determined to be of a numeric type, it is determined to be of Boolean type with value false if its numeric value is zero, and true otherwise. If the string is not of numeric type but is a string of value "true" or "false", it is determined to be of Boolean type with value true or false, respectively.

FILETIME and SYSTEMTIME are interpreted as GMT times.
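
The following sketch is an added example, not part of the specification or of any implementation of it. It classifies a filter literal against the ABNF above, keeping every representation the literal conforms to, and applies the Boolean rule, the two-argument timediff, and band. The names classify and parse_filetime are hypothetical. Assumptions: the Double pattern is tightened so the literal can be converted, the UINT64 value is read as hexadecimal, and band treats a non-zero result as true in line with the numeric-to-Boolean rule.

```python
import re
from datetime import datetime, timezone

# Patterns transcribed from the ABNF above. Assumption: Double is tightened to
# need a mantissa digit and, when an exponent marker is present, an exponent digit.
DOUBLE = re.compile(r"[+-]?(?=\d|\.\d)\d*(?:\.\d+)?(?:[dDeE][+-]?\d)?", re.A)
UINT64 = re.compile(r"0[xX]([0-9]+)")  # digits only after the prefix, as written
BLOB = re.compile(r"[0-9A-Fa-f]+")
FILETIME = re.compile(r"(\d{4})-(\d\d)-(\d\d)T(\d\d):(\d\d):(\d\d)(?:\.(\d{1,3}))?Z", re.A)

def parse_filetime(text):
    """Return an aware UTC datetime, or None if text is not a valid date-time."""
    m = FILETIME.fullmatch(text)
    if not m:
        return None
    fields = [int(g) for g in m.groups()[:6]]
    usec = int((m.group(7) or "0").ljust(3, "0")) * 1000  # ".5" means 500 ms
    try:
        return datetime(*fields, usec, tzinfo=timezone.utc)
    except ValueError:  # month 13, day 31 in a 30-day month, ...
        return None

def classify(text):
    """Return every typed representation the literal conforms to."""
    reps = {}
    if DOUBLE.fullmatch(text):
        reps["Double"] = float(re.sub("[dD]", "e", text))
    m = UINT64.fullmatch(text)
    if m:  # assumption: value read as hexadecimal, truncated to 64 bits
        reps["UINT64"] = int(m.group(1), 16) & (2**64 - 1)
    if BLOB.fullmatch(text):
        reps["BinaryBlob"] = text
    if parse_filetime(text):
        reps["FILETIME"] = parse_filetime(text)
    numeric = reps.get("Double", reps.get("UINT64"))
    if numeric is not None:  # numeric literal: zero is false, anything else true
        reps["Boolean"] = numeric != 0
    elif text in ("true", "false"):
        reps["Boolean"] = text == "true"
    return reps

def timediff(first, second):
    """Two-argument form: milliseconds, positive when second is later than first."""
    delta = parse_filetime(second) - parse_filetime(first)
    return delta.days * 86_400_000 + delta.seconds * 1000 + delta.microseconds // 1000

def band(a, b):
    """Bitwise AND of two bitfield literals (assumption: non-zero reads as true)."""
    return bool(classify(a)["UINT64"] & classify(b)["UINT64"])
```

A literal such as "10" comes back as Double, BinaryBlob, and Boolean at once, which is the overlap the implicit conversion rules below resolve at evaluation time.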

All of the comparison operators are type-wise aware of the additional data types. For the cases of string (both Unicode and ASCII), Boolean, and Double, evaluation is the same as for XPath 1.0.

For the remaining types, implicit type coercion in the expression L1 op L2 is governed by the following exhaustive rule set:

  • If L2 is a string, L1 MUST be converted to a string.

  • If L2 is a Boolean, L1 MUST be converted to a Boolean.

  • If L2 is a GUID, SID, SYSTEMTIME, or FILETIME, L1 MUST be converted to a literal of the same type, if possible. If the conversion cannot be performed, the result of the evaluation MUST be false.

  • If L2 is of numeric type, including bitfield, and L1 is of type double, L2 MUST be converted to double.

  • If L2 is of numeric type, including bitfield, and L1 is of an unsigned integral type, L2 MUST be converted to an unsigned type.