XML Editor - Download a Free Trial >
See What's New >
Buy Now >

[XSL-LIST Mailing List Archive Home] [By Thread] [By Date] [Recent Entries] [Reply To This Message]

RE: security & document() ?

Play the video
Subject: RE: security & document() ?
From: Johannes Döbler <jd@xxxxxxxxxxxxxx>
Date: Thu, 06 Mar 2003 13:59:25 +0100
xslt security document
On the suggestion of a user, the XSLT processor jd.xslt [1] contains the concept of a XsltSecurityManager, which is a Java-sandbox like mechanism to restrict sensitive operations, namely to create additional output files via xsl:document and execute scripts. ('ll add a restriction on calls to document() too, since you showed that there is a potential security risk with it).
That mechanism allows to run untrusted stylesheets in a safe manner without the need to patch the processor or analyze the stylesheet if it contains potential security holes.
Maybe that would be worth to be included in a standardized API like TrAX.

regards,
Johannes Döbler

[1] http://www.aztecrider.com/xslt/



> I don't get it. I hear there are security issues with the document()
> function, but I don't see how that could be possible. Since
> document() only
> reads an XML file for further processing, how can this be any
> worse than
> using wget to download a file? I must be missing something...

Here is one scenario where the document() function can be a risk. You
write a servlet to do transformations, that accepts URLs for the source
document and the stylesheet as query parameters. Like the one at
http://www.w3.org/2001/05/xslt, for example. Someone calls this servlet
supplying http://www.evil.com/malicious.xsl as the stylesheet. You
execute this untrusted stylesheet on your machine. It calls the
document() function with a URL of file:///usr/victim/data.xml, and
returns the contents of a data file residing on the machine where the
transformation took place.

Allowing an untrusted stylesheet to run on your machine is like running
any other untrusted code on your machine; you have no idea what damage
it might do.

An even bigger risk, of course, is that the untrusted stylesheet will
call arbitrary Java extension functions. The W3C servlet cited above
runs with a version of xt that has been modified to prevent extension
functions being executed. The modification was only done after I
demonstrated to them how it could be exploited.

Michael Kay


XSL-List info and archive: http://www.mulberrytech.com/xsl/xsl-list


XSL-List info and archive: http://www.mulberrytech.com/xsl/xsl-list


Current Thread
<- PreviousIndexNext ->
RE: security & document() ?, Michael Kay Thread Getiing Confused in Encoding , asim
xsl:value-of, not shows html , asim Date RE: xsl:value-of, not shows h, Jarno . Elovirta
Month

PURCHASE STYLUS STUDIO ONLINE TODAY!

Purchasing Stylus Studio from our online shop is Easy, Secure and Value Priced!

Buy Stylus Studio Now

Download The World's Best XML IDE!

Accelerate XML development with our award-winning XML IDE - Download a free trial today!

Don't miss another message! Subscribe to this list today.
Email
First Name
Last Name
Company
Subscribe in XML format
RSS 2.0
Atom 0.3
XML Editor - Download a 15 Day Free Trial Now >
See What's New in Stylus Studio >
Buy Stylus Studio - XML Editor - Now >
Site Map | Privacy Policy | Terms of Use | Trademarks
Free Stylus Studio XML Training:
W3C Member
Stylus Studio® and DataDirect XQuery ™are products from DataDirect Technologies, is a registered trademark of Progress Software Corporation, in the U.S. and other countries. © 2004-2013 All Rights Reserved.