
RE: security & document() ?

Subject: RE: security & document() ?
From: "Michael Kay" <mhk@xxxxxxxxx>
Date: Wed, 5 Mar 2003 05:04:45 -0000
> I don't get it. I hear there are security issues with the document()
> function, but I don't see how that could be possible. Since document() only
> reads an XML file for further processing, how can this be any worse than
> using wget to download a file? I must be missing something...

Here is one scenario where the document() function can be a risk. You
write a servlet to do transformations, that accepts URLs for the source
document and the stylesheet as query parameters. Like the one at
http://www.w3.org/2001/05/xslt, for example. Someone calls this servlet
supplying http://www.evil.com/malicious.xsl as the stylesheet. You
execute this untrusted stylesheet on your machine. It calls the
document() function with a URL of file:///usr/victim/data.xml, and
returns the contents of a data file residing on the machine where the
transformation took place.

Allowing an untrusted stylesheet to run on your machine is like running
any other untrusted code on your machine; you have no idea what damage
it might do.

An even bigger risk, of course, is that the untrusted stylesheet will
call arbitrary Java extension functions. The W3C servlet cited above
runs with a version of xt that has been modified to prevent extension
functions being executed. The modification was only done after I
demonstrated to them how it could be exploited.

Michael Kay


 XSL-List info and archive:  http://www.mulberrytech.com/xsl/xsl-list
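A defensive counterpart to the scenario in the message, added here as an example and not part of the original post or of the W3C servlet it mentions: a JAXP (Java 11+) setup for a servlet that runs caller-supplied stylesheets, which switches off Java extension functions with FEATURE_SECURE_PROCESSING, limits xsl:import/xsl:include/document() to https, and installs an allowlisting URIResolver so a document('file:///...') call is refused rather than served. The host data.example.org and the stand-in stylesheet are constructed values.

```java
import javax.xml.XMLConstants;
import javax.xml.transform.*;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;
import java.io.*;
import java.net.URI;
import java.util.Set;
public final class SafeTransform {
    // Constructed allowlist: the only host document()/xsl:import may fetch from, and only over https.
    private static final Set<String> ALLOWED_HOSTS = Set.of("data.example.org");
    /** Refuses every URI that is not https to an allowlisted host, so file: URIs are never opened. */
    static final class AllowlistResolver implements URIResolver {
        public Source resolve(String href, String base) throws TransformerException {
            URI uri = base == null ? URI.create(href) : URI.create(base).resolve(href);
            if (!"https".equals(uri.getScheme()) || !ALLOWED_HOSTS.contains(uri.getHost())) {
                // Returning null would hand the URI to the processor's default loader, so fail instead.
                throw new TransformerException("external access refused: " + uri);
            }
            return new StreamSource(uri.toString());
        }
    }
    // Every warning/error is made fatal so a refused document() call cannot be quietly skipped.
    static final ErrorListener STRICT = new ErrorListener() {
        public void warning(TransformerException e) throws TransformerException { throw e; }
        public void error(TransformerException e) throws TransformerException { throw e; }
        public void fatalError(TransformerException e) throws TransformerException { throw e; }
    };
    static Transformer hardened(String stylesheet) throws TransformerException {
        TransformerFactory tf = TransformerFactory.newInstance();
        tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);       // disables Java extension functions
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "https"); // protocols for import/include/document()
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");             // no external DTDs or entities at all
        tf.setURIResolver(new AllowlistResolver());                        // applies while compiling (xsl:import)
        Transformer t = tf.newTransformer(new StreamSource(new StringReader(stylesheet)));
        t.setURIResolver(new AllowlistResolver());                         // set explicitly for run time (document())
        t.setErrorListener(STRICT); return t;
    }
    public static void main(String[] args) throws Exception {
        // Constructed stand-in for the untrusted stylesheet in the post: document() aimed at a local file.
        String untrusted = "<xsl:stylesheet version='1.0' xmlns:xsl='http://www.w3.org/1999/XSL/Transform'>"
            + "<xsl:template match='/'><xsl:copy-of select=\"document('file:///etc/hostname')\"/></xsl:template></xsl:stylesheet>";
        try {
            hardened(untrusted).transform(new StreamSource(new StringReader("<doc/>")), new StreamResult(new StringWriter()));
            System.out.println("completed: the stylesheet made no forbidden access");
        } catch (TransformerException e) {
            System.out.println("blocked: " + e.getMessage()); // expected path under this configuration
        }
    }
}
```

With the JDK's built-in processor, the document() call fails at the resolver before any file is opened; the strict ErrorListener ensures that failure surfaces to the caller instead of producing an empty result.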

