On 2004.03.05, Rob Crittenden <[EMAIL PROTECTED]> wrote:
> >>><xsl:include  href="../poi_list.xsl"/>
>
> [...] Should any webserver allow including via relative directories
> like this? What is to prevent an xslt from including
> ../../../etc/passwd? Or is there an explicit limitation to the
> document root?

My opinions (based on the XSLT spec):

1) Yes, the XSLT processor should follow relative URLs correctly.

2) File permissions ought to prevent XSLT from doing bad things like
relative URI to /etc/passwd.  There are many reasons to run a webserver
in a chroot jail, if you're worried about user-supplied input not being
sanitized at entry.

3) No.  An XSLT processor shouldn't have any notion of "document root"
-- XSLT is not simply a web tool, it can be used for many things where
the notion of a "document root" isn't appropriate.


-- Dossy

--
Dossy Shiobara                       mail: [EMAIL PROTECTED]
Panoptic Computer Network             web: http://www.panoptic.com/
  "He realized the fastest way to change is to laugh at your own
    folly -- then you can let go and quickly move on." (p. 70)
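Added example (mine, not code from this thread, from AOLserver or from any XSLT processor): since the processor itself has no notion of a document root (point 3 above), the place to impose one is the URI resolution step in front of it. The check below resolves an xsl:include or xsl:import href relative to the including stylesheet the way a processor does, then refuses anything that lands outside a configured root, including the ../../../etc/passwd case from the question. The root /www/xsl, the stylesheet paths and the sample stylesheet are constructed for the demo.

```python
import posixpath
import xml.etree.ElementTree as ET
from urllib.parse import unquote, urlsplit

XSL_NS = "{http://www.w3.org/1999/XSL/Transform}"


class HrefRejected(ValueError):
    """An href resolved to a location outside the permitted root."""


def resolve_href(root, base_doc, href):
    """Resolve `href` relative to the stylesheet at `base_doc`, the way an XSLT
    processor resolves xsl:include / xsl:import, then confine the result to
    `root`.  Purely lexical on POSIX-style paths: it never touches the
    filesystem, so a deployment should still realpath() the result (symlinks)
    or run the processor in a chroot, as the message above suggests."""
    root = posixpath.normpath(root)
    root_prefix = root if root.endswith("/") else root + "/"
    base_doc = posixpath.normpath(base_doc)
    if not base_doc.startswith(root_prefix):
        raise HrefRejected(f"base document {base_doc} is outside {root}")

    parts = urlsplit(href)
    if parts.scheme or parts.netloc:
        # file:///etc/passwd, http://..., //host/share: only local paths pass
        raise HrefRejected(f"non-local href not allowed: {href!r}")
    # Decode before normalising, otherwise %2e%2e looks like a plain directory
    path = unquote(parts.path)
    if not path:
        raise HrefRejected(f"empty or fragment-only href: {href!r}")
    if path.startswith("/"):
        resolved = posixpath.normpath(path)
    else:
        resolved = posixpath.normpath(
            posixpath.join(posixpath.dirname(base_doc), path))
    # Compare against "root/" so that /www/xslx does not pass for root /www/xsl
    if not resolved.startswith(root_prefix):
        raise HrefRejected(f"{href!r} resolves to {resolved}, outside {root}")
    return resolved


def is_confined(root, base_doc, href):
    """Boolean form of resolve_href() for callers that only need yes/no."""
    try:
        resolve_href(root, base_doc, href)
    except HrefRejected:
        return False
    return True


def audit_stylesheet(root, stylesheet_path, stylesheet_xml):
    """Pre-flight check of the static xsl:include / xsl:import hrefs in a
    stylesheet.  Returns [(href, resolved_path_or_None, error_or_None)].
    Caveat: document() calls live inside XPath expressions and are not seen
    here; they need a resolver hook in the processor itself (or the chroot)."""
    tree = ET.fromstring(stylesheet_xml)
    results = []
    for tag in ("include", "import"):
        for elem in tree.iter(XSL_NS + tag):
            href = elem.get("href", "")
            try:
                results.append(
                    (href, resolve_href(root, stylesheet_path, href), None))
            except HrefRejected as exc:
                results.append((href, None, str(exc)))
    return results


# Constructed stylesheet: one legitimate include, two hostile ones.
SAMPLE_STYLESHEET = """<xsl:stylesheet version="1.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:import href="file:///etc/shadow"/>
  <xsl:include href="../poi_list.xsl"/>
  <xsl:include href="../../../etc/passwd"/>
  <xsl:template match="/"><xsl:copy-of select="."/></xsl:template>
</xsl:stylesheet>
"""

if __name__ == "__main__":
    for href, resolved, err in audit_stylesheet(
            "/www/xsl", "/www/xsl/places/page.xsl", SAMPLE_STYLESHEET):
        print(f"{href!r:32} -> {resolved if resolved else 'REJECTED: ' + err}")
```

The check is lexical, which is what a resolver sees before any file is opened; it does not replace file permissions or a chroot, it just fails early with a useful error instead of an opaque parse failure on /etc/passwd. Hrefs inside XPath, such as document('../../../etc/passwd'), are only catchable at the processor's resolver hook, which is the other reason the filesystem-level controls still matter.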


--
AOLserver - http://www.aolserver.com/
