[ https://issues.apache.org/jira/browse/XALANJ-2557?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Steven J. Hathaway reassigned XALANJ-2557:
------------------------------------------
Assignee: (was: Steven J. Hathaway)
> Security: Every namespace declared by the stylesheet is registered as an extension namespace, making it virtually impossible to scan for 'dangerous' namespaces in a stylesheet
> -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
>
> Key: XALANJ-2557
> URL: https://issues.apache.org/jira/browse/XALANJ-2557
> Project: XalanJ2
> Issue Type: Bug
> Security Level: No security risk; visible to anyone (Ordinary problems in Xalan projects. Anybody can view the issue.)
> Components: Xalan-extensions
> Affects Versions: 2.7.1
> Reporter: David Ward
> Priority: Critical
>
> As per the documentation:
> http://xml.apache.org/xalan-j/extensions.html#java-namespace-declare
> Although the namespace declarations for the class and package formats are shown with the xalan:// prefix, the current implementation for those formats will simply use the string to the right of the rightmost forward slash as the Java class name. This format, however, is the preferred format for extension namespace declarations.
> It's not crystal clear in the above documentation that any class URI can be used, not just those with a certain prefix. For example,
> http://foo/java.io.File
> will be registered with the org.apache.xalan.extensions.ExtensionHandlerJavaClass because the suggested class URI format is not enforced.
> This is a quandary for those of us who need to use the Java extension space, but want to use an XML filter to provide a modicum of security in order to limit what extensions can be used. FEATURE_SECURE_PROCESSING seems to be all or nothing. Given the above, the use of a Java extension is difficult to detect.
> Perhaps there is room to add a feature to enforce the suggested class URI format in order to provide a better middle-of-the-road approach to security.
> An example 'innocent'-looking stylesheet:
> <xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
>                 xmlns:file="http://myfoo/java.io.File" version="1.0"
>                 extension-element-prefixes="file">
>   <xsl:template match="/">
>     <xsl:variable name="f" select="file:new('/tmp/iwashere')"/>
>     <xsl:variable name="c" select="file:createNewFile($f)"/>
>   </xsl:template>
> </xsl:stylesheet>
--
This message is automatically generated by JIRA.
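The detection gap the report describes, as an added example that is not part of the JIRA issue, the reporter's text or Xalan's own code: a small scanner that lists every namespace declared by a stylesheet and flags the ones Xalan-J would hand to its Java extension handler. It encodes the rule quoted from the Xalan documentation (the text after the rightmost forward slash becomes the Java class name, whatever the scheme or prefix) alongside the prefix-only check that the report says is insufficient. The two documented Java extension prefixes come from the Xalan extensions page; the regular expression for a fully qualified Java class name is this example's own heuristic, since Xalan itself performs no validation before loading the class; the sample stylesheet is constructed for the demonstration (it is the report's example with two ordinary namespaces added that must not be flagged).

```python
"""Scan an XSLT stylesheet for namespace declarations that Xalan-J would route to
its Java extension handler, regardless of the URI scheme or prefix.

Added example, not code from the JIRA report or from Xalan. The sample input
below is constructed for the demonstration.
"""
import io
import re
import xml.etree.ElementTree as ET

# Java extension namespaces documented on the Xalan extensions page.
# A prefix-only filter typically looks for just these two forms.
DOCUMENTED_JAVA_PREFIXES = ("http://xml.apache.org/xalan/java", "xalan://")

# Heuristic (this example's assumption): a fully qualified Java class name is a
# dot-separated sequence of Java identifiers, e.g. java.io.File. Xalan does not
# validate the segment before trying to load it; a stricter filter could flag
# any tail that merely contains a dot.
JAVA_CLASS_RE = re.compile(r"^(?:[A-Za-z_$][\w$]*\.)+[A-Za-z_$][\w$]*$")


def declared_namespaces(xml_bytes):
    """Return [(prefix, uri), ...] for every xmlns declaration in the document."""
    events = ET.iterparse(io.BytesIO(xml_bytes), events=("start-ns",))
    return [ns for _event, ns in events]


def prefix_only_filter(xml_bytes):
    """The naive check the report calls out: match documented Java prefixes only.

    Misses http://myfoo/java.io.File because that URI carries neither prefix."""
    return [(p, u) for p, u in declared_namespaces(xml_bytes)
            if u.startswith(DOCUMENTED_JAVA_PREFIXES)]


def xalan_class_candidates(xml_bytes):
    """Flag every URI that Xalan would treat as a Java extension namespace.

    Returns [(prefix, uri, reason), ...]. The rightmost-slash rule is the one the
    report quotes from the Xalan documentation; a URI with no slash at all is
    taken whole as the class name."""
    findings = []
    for prefix, uri in declared_namespaces(xml_bytes):
        if uri.startswith(DOCUMENTED_JAVA_PREFIXES):
            findings.append((prefix, uri, "documented Java extension namespace"))
            continue
        tail = uri.rsplit("/", 1)[-1]
        if JAVA_CLASS_RE.match(tail):
            findings.append((prefix, uri, "class-name tail: " + tail))
    return findings


# Constructed sample: the report's 'innocent'-looking stylesheet plus an EXSLT
# namespace and a versioned schema URI, neither of which ends in a class name.
SAMPLE_STYLESHEET = b"""<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    xmlns:file="http://myfoo/java.io.File"
    xmlns:exsl="http://exslt.org/common"
    xmlns:rpt="http://example.com/schemas/v1.0"
    version="1.0" extension-element-prefixes="file">
  <xsl:template match="/">
    <xsl:variable name="f" select="file:new('/tmp/iwashere')"/>
    <xsl:variable name="c" select="file:createNewFile($f)"/>
  </xsl:template>
</xsl:stylesheet>"""

if __name__ == "__main__":
    print("prefix-only filter found:", prefix_only_filter(SAMPLE_STYLESHEET))
    for prefix, uri, why in xalan_class_candidates(SAMPLE_STYLESHEET):
        print(f"FLAG xmlns:{prefix}={uri!r} ({why})")
```

Run against the sample, the prefix-only filter returns nothing while the rightmost-slash scan flags `xmlns:file` with the tail `java.io.File`; the EXSLT and `v1.0` namespaces pass because their last segments are not dotted Java identifiers. A filter built this way still only narrows the problem, as the report notes: it cannot tell a benign class from a dangerous one, which is why the reporter asks for the documented URI format to be enforceable in Xalan itself.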