[
https://issues.apache.org/jira/browse/BATIK-1395?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18086063#comment-18086063
]
Piotr Karwasz commented on BATIK-1395:
--------------------------------------
Hi Simon,
The commit works with the stock JDK {{TransformerFactory}}, but if an
application ships Xalan as an external dependency, setting the
{{ACCESS_EXTERNAL_*}} attributes throws, since standalone Xalan doesn't support
those JAXP 1.5 properties.
There's also a residual gap: with Xalan you fall back to
{{FEATURE_SECURE_PROCESSING}} only, and a {{Source}} without an attached parser
is then read by a fresh {{XMLReader}} that inherits just that flag. So:
{code:java}
tFactory.newTransformer(new StreamSource(parsedXSLStyleSheetURI.toString()))
{code}
could still allow XXE/SSRF if an attacker can inject a stylesheet (unlikely
here, but possible).
Last month I put together a small library,
[copernik-xml-factory|https://github.com/copernik-eu/copernik-xml-factory],
that enables the right properties per JAXP implementation and covers this Xalan
case. It's being evaluated for inclusion in Commons or Xerces, but I can cut a
first release under {{eu.copernik}} this weekend.
Would that be useful here?
> Add secure processing to XMLInputHandler
> ----------------------------------------
>
> Key: BATIK-1395
> URL: https://issues.apache.org/jira/browse/BATIK-1395
> Project: Batik
> Issue Type: Bug
> Reporter: Simon Steiner
> Assignee: Simon Steiner
> Priority: Major
> Fix For: main
>
>
> XMLInputHandler is currently not used unless you uncomment a setting in a
> services file
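As an added example (not code from this comment, from Batik or from copernik-xml-factory), the following Java class shows the two-layer configuration the comment describes: the JAXP 1.5 {{ACCESS_EXTERNAL_*}} attributes are set where the implementation accepts them, and every {{Source}} handed to the transformer is wrapped in a {{SAXSource}} with a pre-hardened {{XMLReader}}, so that a stylesheet or input document with a DOCTYPE is rejected even when the factory only honours {{FEATURE_SECURE_PROCESSING}} (the standalone Xalan case). The class and method names, the {{System.err}} fallback message and the sample stylesheet and document are this example's own assumptions; the feature URIs are the standard Xerces ones.

```java
import java.io.StringReader;
import java.io.StringWriter;
import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParserFactory;
import javax.xml.transform.Source;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.sax.SAXSource;
import javax.xml.transform.stream.StreamResult;
import org.xml.sax.InputSource;
import org.xml.sax.XMLReader;

/** Hypothetical helper class; the names here are this example's own, not Batik's. */
public final class HardenedXsltExample {

    /** FEATURE_SECURE_PROCESSING (JAXP 1.3) works on every factory; the ACCESS_EXTERNAL_*
     *  attributes (JAXP 1.5) are accepted by the JDK's built-in factory and rejected by
     *  standalone Xalan, so they are applied best-effort and the result is reported. */
    static TransformerFactory hardenedTransformerFactory() throws Exception {
        TransformerFactory tf = TransformerFactory.newInstance();
        tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        boolean dtd = trySetAttribute(tf, XMLConstants.ACCESS_EXTERNAL_DTD, "");
        boolean xsl = trySetAttribute(tf, XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        if (!dtd || !xsl) {
            // Standalone Xalan lands here: the factory stays usable, but every Source given
            // to it must carry its own hardened XMLReader (see hardenedSource below).
            System.err.println("JAXP 1.5 access attributes unsupported; relying on SAXSource hardening");
        }
        return tf;
    }

    static boolean trySetAttribute(TransformerFactory tf, String name, Object value) {
        try {
            tf.setAttribute(name, value);
            return true;
        } catch (IllegalArgumentException e) { // thrown by implementations without the attribute
            return false;
        }
    }

    /** SAX reader that refuses any DOCTYPE, so neither external entities nor an external DTD
     *  can be declared. The feature URIs are Xerces'; a non-Xerces parser throws
     *  SAXNotRecognizedException here, which fails closed instead of parsing with defaults. */
    static XMLReader hardenedXmlReader() throws Exception {
        SAXParserFactory spf = SAXParserFactory.newInstance();
        spf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        spf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        spf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        spf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        spf.setXIncludeAware(false);
        return spf.newSAXParser().getXMLReader();
    }

    /** Wrap input as a SAXSource with an attached reader: the transformer then reuses it
     *  instead of creating a fresh XMLReader that inherits only FEATURE_SECURE_PROCESSING.
     *  For a stylesheet URI, pass new InputSource(uri.toString()). */
    static Source hardenedSource(InputSource in) throws Exception {
        return new SAXSource(hardenedXmlReader(), in);
    }

    static String transform(String stylesheet, String document) throws Exception {
        Transformer t = hardenedTransformerFactory()
                .newTransformer(hardenedSource(new InputSource(new StringReader(stylesheet))));
        StringWriter out = new StringWriter();
        t.transform(hardenedSource(new InputSource(new StringReader(document))), new StreamResult(out));
        return out.toString();
    }

    // Constructed sample inputs for the demonstration below.
    static final String STYLESHEET =
            "<xsl:stylesheet version=\"1.0\" xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\">"
          + "<xsl:output method=\"text\"/>"
          + "<xsl:template match=\"/\"><xsl:value-of select=\"/greeting\"/></xsl:template>"
          + "</xsl:stylesheet>";
    static final String DOCUMENT = "<greeting>hello</greeting>";

    public static void main(String[] args) throws Exception {
        System.out.println("plain stylesheet: " + transform(STYLESHEET, DOCUMENT));
        try {
            // Any DOCTYPE, even an empty one, is rejected before entity declarations are read.
            transform("<!DOCTYPE xsl:stylesheet>" + STYLESHEET, DOCUMENT);
            System.out.println("stylesheet with DOCTYPE: accepted (hardening NOT in effect)");
        } catch (Exception e) {
            System.out.println("stylesheet with DOCTYPE: rejected: " + e.getMessage());
        }
    }
}
```

Run with the JDK's built-in factory and the first call prints {{hello}} while the second reports the rejected DOCTYPE; with Xalan on the classpath the warning about unsupported JAXP 1.5 attributes appears on stderr and the DOCTYPE is still rejected, because the check now lives in the reader attached to the {{SAXSource}} rather than in the factory.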
--
This message was sent by Atlassian Jira
(v8.20.10#820010)