The current versions of Xerces-J and Xalan-J implement the JAXP 1.4 specification. ACCESS_EXTERNAL_STYLESHEET and ACCESS_EXTERNAL_DTD did not exist in that version of JAXP and are not supported. Users have always been able to block access to external resources by installing their own EntityResolver (or any of the other resolver-like interfaces in JAXP). If I were writing code that I expected to work with an implementation of any JAXP version, that would be the solution I would use instead.
Michael Glavassevich
XML Technologies and WAS Development
IBM Toronto Lab
E-mail: mrgla...@ca.ibm.com
E-mail: mrgla...@apache.org

Philippe Arteau <part...@gosecure.net> wrote on 03/21/2019 11:13:26 AM:

> From: Philippe Arteau <part...@gosecure.net>
> To: "dev@xalan.apache.org" <dev@xalan.apache.org>
> Date: 03/21/2019 11:24 AM
> Subject: Re: FEATURE_SECURE_PROCESSING when Xalan is in the classpath
>
> Precision regarding the transformer behavior on Xalan 2.7.2:
>
> FEATURE_SECURE_PROCESSING does protect from calling extension functions.
>
> FEATURE_SECURE_PROCESSING does not protect from external entities and
> external stylesheets.
>
> The transformer provided by the Oracle JRE by default will block all
> three XML features when FEATURE_SECURE_PROCESSING is set.
>
> From: Philippe Arteau
> Sent: March 20, 2019 4:50:08 PM
> To: dev@xalan.apache.org
> Subject: FEATURE_SECURE_PROCESSING when Xalan is in the classpath
>
> Hi,
> I am not sure if the Xalan team is aware of this behavior.
>
> Once Xalan Java is in the classpath of a Java application, the flag
> FEATURE_SECURE_PROCESSING is not honored.
>
> The user plokta on GitHub reported this issue to the find-sec-bugs project.
> He has even created a project for easy reproduction:
> https://github.com/plokta/transformerXXE
>
> When the security feature is ignored, it can lead to SSRF, remote
> file read or even remote code execution in the case of XSLT parsing.
>
> Reference to the initial report:
> https://github.com/find-sec-bugs/find-sec-bugs/issues/433
>
> --
> Philippe Arteau
> Cybersecurity Researcher
> GoSecure POWERED BY COUNTERTACK
> www.gosecure.net
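The resolver-based approach the reply recommends, shown as an added example that is not code from this thread, from Xalan, or from find-sec-bugs. It installs a denying `EntityResolver` on the SAX reader used for both the stylesheet and the input document (covering DTDs and external entities) and a denying `URIResolver` on the `TransformerFactory` and `Transformer` (covering `xsl:import`, `xsl:include` and `document()`), so the block does not depend on which JAXP implementation happens to be first on the classpath. `FEATURE_SECURE_PROCESSING` is still set because, per the quoted note, Xalan 2.7.2 honours it for extension functions. The class name, the helper names (`hardenedReader`, `sourceOf`, `transform`) and the `example.invalid` URLs are constructed for the example.

```java
import java.io.StringReader;
import java.io.StringWriter;
import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParserFactory;
import javax.xml.transform.Source;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.URIResolver;
import javax.xml.transform.sax.SAXSource;
import javax.xml.transform.stream.StreamResult;
import org.xml.sax.EntityResolver;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.XMLReader;

// Hypothetical class written for this example; not part of Xalan or JAXP.
public class ResolverHardenedTransform {

    // Refuses every external entity: the DTD external subset as well as
    // external general and parameter entities. Throwing (rather than returning
    // an empty InputSource) makes the blocked access visible to the caller.
    static final EntityResolver DENY_ENTITIES = (publicId, systemId) -> {
        throw new SAXException("external entity blocked: " + systemId);
    };

    // Refuses every xsl:import, xsl:include and document() reference.
    static final URIResolver DENY_URIS = (href, base) -> {
        throw new TransformerException("external stylesheet/document blocked: " + href);
    };

    // A SAX reader that parses the text it is given but never fetches anything it refers to.
    static XMLReader hardenedReader() throws Exception {
        SAXParserFactory spf = SAXParserFactory.newInstance();
        spf.setNamespaceAware(true);
        XMLReader reader = spf.newSAXParser().getXMLReader();
        reader.setEntityResolver(DENY_ENTITIES);
        return reader;
    }

    // Wrap a string as a SAXSource that uses the hardened reader. Using SAXSource with an
    // explicit XMLReader is what guarantees our EntityResolver is the one consulted.
    static Source sourceOf(String text) throws Exception {
        return new SAXSource(hardenedReader(), new InputSource(new StringReader(text)));
    }

    // Runs the transform and returns its output; throws if any external access was attempted.
    static String transform(String stylesheet, String document) throws Exception {
        TransformerFactory tf = TransformerFactory.newInstance();
        // Keep this: on Xalan 2.7.2 it blocks extension functions, and other
        // implementations also use it to restrict external access.
        tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        tf.setURIResolver(DENY_URIS);              // consulted for xsl:import / xsl:include at compile time
        Transformer t = tf.newTransformer(sourceOf(stylesheet));
        t.setURIResolver(DENY_URIS);               // set on the instance too; do not rely on inheritance
        StringWriter out = new StringWriter();
        t.transform(sourceOf(document), new StreamResult(out));
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        String xslNs = "http://www.w3.org/1999/XSL/Transform";

        // Constructed sample inputs. example.invalid is a reserved name that never resolves.
        String benignXslt = "<xsl:stylesheet version='1.0' xmlns:xsl='" + xslNs + "'>"
            + "<xsl:template match='/'><out><xsl:value-of select='/r'/></out></xsl:template>"
            + "</xsl:stylesheet>";
        String benignXml = "<r>hello</r>";

        String importingXslt = "<xsl:stylesheet version='1.0' xmlns:xsl='" + xslNs + "'>"
            + "<xsl:import href='http://example.invalid/remote.xsl'/>"
            + "<xsl:template match='/'><out/></xsl:template>"
            + "</xsl:stylesheet>";
        String doctypeXml = "<!DOCTYPE r SYSTEM 'http://example.invalid/remote.dtd'><r>x</r>";

        // The plain case still works.
        System.out.println(transform(benignXslt, benignXml));

        // Each of these must fail before any network or file access happens.
        String[][] mustBlock = { { importingXslt, benignXml }, { benignXslt, doctypeXml } };
        for (String[] pair : mustBlock) {
            try {
                transform(pair[0], pair[1]);
                System.out.println("UNEXPECTED: transform completed");
            } catch (Exception e) {
                System.out.println("blocked: " + e.getMessage());
            }
        }
    }
}
```

Run it once with Xalan on the classpath and once without to confirm that the two hostile cases are rejected either way; that is the property the thread is about, and it is what the resolvers give you independently of whether a given implementation honours `FEATURE_SECURE_PROCESSING` for external resources. If the application legitimately needs some imports or `document()` calls, replace the throwing resolvers with ones that allow an explicit list of local, non-sensitive URIs and deny everything else.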