[ https://issues.apache.org/jira/browse/XALANJ-2435?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Gary Gregory resolved XALANJ-2435.
----------------------------------

       Resolution: Fixed
    Fix Version/s: 2.7.2
         Assignee: Gary Gregory

http://www.ocert.org/advisories/ocert-2014-002.html

Fixed in SVN branch 
https://svn.apache.org/repos/asf/xalan/java/branches/xalan-j_2_7_1_maint

> Use of secure processing feature should disable some output properties
> ----------------------------------------------------------------------
>
>                 Key: XALANJ-2435
>                 URL: https://issues.apache.org/jira/browse/XALANJ-2435
>             Project: XalanJ2
>          Issue Type: Bug
>    Affects Versions: 2.7.1
>            Reporter: Steve Jones
>            Assignee: Gary Gregory
>             Fix For: 2.7.2
>
>         Attachments: TestXslt.java
>
>
> When using the FEATURE_SECURE_PROCESSING
> ("http://javax.xml.XMLConstants/feature/secure-processing") on a
> TransformerFactory it seems appropriate that the output properties:
>   {http://xml.apache.org/xalan}content-handler 
>   {http://xml.apache.org/xalan}entities
>   {http://xml.apache.org/xslt}content-handler 
>   {http://xml.apache.org/xslt}entities
> should be ignored (see
> http://xml.apache.org/xalan-j/usagepatterns.html#outputprops).
> These properties can be used to load an arbitrary class or access an
> arbitrary URL/resource, so they are problematic when secure processing is desired.
>    <xsl:output xalan:content-handler="org.example.BadClass" ...
>    <xsl:output xalan:entities="http://example.org/reallyLargeFile.bin" ...
> These features could be used to load a class that had undesirable 
> side-effects or to load a large file and exhaust memory, etc.
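Added example (editor's code, not from the issue or the Xalan project): a pre-screen a deployer can run over stylesheets from untrusted sources on a Xalan version that still honours these attributes, before handing them to a TransformerFactory with FEATURE_SECURE_PROCESSING enabled. It walks every xsl:output element with the JDK's namespace-aware DOM parser and reports any content-handler or entities attribute in the http://xml.apache.org/xalan or http://xml.apache.org/xslt namespace. The class name SecureXsltCheck, the helper names and the inline stylesheet are constructed for this example; the attribute values reuse the placeholders from the report above.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.TransformerFactory;
import org.w3c.dom.Attr;
import org.w3c.dom.Document;
import org.w3c.dom.NamedNodeMap;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;
import java.io.StringReader;
import java.util.ArrayList;
import java.util.List;

// Constructed example class (not part of Xalan): rejects stylesheets that carry
// the Xalan-specific output properties named in XALANJ-2435.
public class SecureXsltCheck {
    private static final String XSL_NS = "http://www.w3.org/1999/XSL/Transform";
    // The two vendor namespaces under which content-handler / entities are recognised.
    private static final String XALAN_NS = "http://xml.apache.org/xalan";
    private static final String XSLT_NS = "http://xml.apache.org/xslt";

    /** Returns "{ns}name=value" for every dangerous attribute on any xsl:output element. */
    public static List<String> findDangerousOutputProperties(Document stylesheet) {
        List<String> found = new ArrayList<>();
        NodeList outputs = stylesheet.getElementsByTagNameNS(XSL_NS, "output");
        for (int i = 0; i < outputs.getLength(); i++) {
            NamedNodeMap attrs = outputs.item(i).getAttributes();
            for (int j = 0; j < attrs.getLength(); j++) {
                Attr a = (Attr) attrs.item(j);
                String ns = a.getNamespaceURI();
                String local = a.getLocalName();
                boolean vendorNs = XALAN_NS.equals(ns) || XSLT_NS.equals(ns);
                boolean loader = "content-handler".equals(local) || "entities".equals(local);
                if (vendorNs && loader) {
                    found.add("{" + ns + "}" + local + "=" + a.getValue());
                }
            }
        }
        return found;
    }

    /** Parses the stylesheet text with a hardened, namespace-aware DOM parser. */
    public static Document parseStylesheet(String xslt) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true); // needed so attribute namespace URIs resolve
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Refuse DOCTYPE so the screening parse itself cannot be abused for entity expansion.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        DocumentBuilder db = dbf.newDocumentBuilder();
        return db.parse(new InputSource(new StringReader(xslt)));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample stylesheet carrying both attributes from the report.
        String xslt = "<xsl:stylesheet version=\"1.0\""
                + " xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\""
                + " xmlns:xalan=\"http://xml.apache.org/xalan\">"
                + "<xsl:output method=\"xml\""
                + " xalan:content-handler=\"org.example.BadClass\""
                + " xalan:entities=\"http://example.org/reallyLargeFile.bin\"/>"
                + "<xsl:template match=\"/\"><out/></xsl:template>"
                + "</xsl:stylesheet>";

        Document doc = parseStylesheet(xslt);
        List<String> bad = findDangerousOutputProperties(doc);
        if (!bad.isEmpty()) {
            // Expected for the sample: both attributes are listed and the stylesheet is refused.
            System.out.println("Rejecting stylesheet; loader output properties: " + bad);
            return;
        }

        // Only a clean stylesheet reaches the factory, and it still runs in secure mode.
        TransformerFactory tf = TransformerFactory.newInstance();
        tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        System.out.println("Stylesheet accepted; compiling with secure processing enabled");
    }
}
```

The screen is a belt-and-braces control: once 2.7.2 ignores these properties under secure processing, it becomes redundant for that factory, but it still gives a reviewable log line when someone submits a stylesheet that tries to name a class or a remote resource.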



--
This message was sent by Atlassian JIRA
(v6.2#6252)
