[ 
https://issues.apache.org/jira/browse/XALANJ-2591?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17740765#comment-17740765
 ] 

Joshua Marquart commented on XALANJ-2591:
-----------------------------------------

Xalan 2.7.2 and ServiceMix Xalan 2.7.2_3 were vulnerable to CVE-2022-34169. 
Xalan 2.7.3 resolves CVE-2022-34169; however, Xalan 2.7.3 does not include the 
bugfix for XALANJ-2591.

The requirement to set secure-processing is similar to the requirements of 
CVE-2017-7465: https://nvd.nist.gov/vuln/detail/CVE-2017-7465

The only way to circumvent bug XALANJ-2591 on unmodified Xalan 2.7.3 is to NOT 
set secure-processing, which means Xalan 2.7.3 is exposed to a vulnerability 
similar to CVE-2017-7465.

Will there be a ServiceMix 2.7.3 that resolves XALANJ-2591?

> Transform XSLT using Xalan into XHTML fails with secure processing feature 
> when using attributes
> ------------------------------------------------------------------------------------------------
>
>                 Key: XALANJ-2591
>                 URL: https://issues.apache.org/jira/browse/XALANJ-2591
>             Project: XalanJ2
>          Issue Type: Bug
>      Security Level: No security risk; visible to anyone(Ordinary problems in 
> Xalan projects.  Anybody can view the issue.) 
>          Components: transformation, Xalan
>    Affects Versions: 2.7.2
>            Reporter: Victor Kazakov
>            Assignee: Steven J. Hathaway
>            Priority: Major
>         Attachments: XSLTElementProcessor.patch, xalan-test.zip
>
>
> I'm trying to use the updated version of Xalan (2.7.2) in secure mode and 
> having an issue with it not being able to understand unknown attributes. The 
> problem is, it prevents you from using any stylesheet that emits XHTML (in 
> secure processing mode) because it disallows things like “colspan” attributes 
> of “th” elements.
> The associated changed file is here: 
> http://svn.apache.org/viewvc/xalan/java/branches/xalan-j_2_7_1_maint/src/org/apache/xalan/processor/XSLTElementProcessor.java?r1=1359736&r2=1581058&pathrev=1581058&diff_format=h
> See the following example:
> {code:java}
> import javax.xml.XMLConstants;
> import javax.xml.transform.*;
> import javax.xml.transform.stream.StreamSource;
> import java.io.StringReader;
> import org.apache.xml.utils.DefaultErrorHandler;
>
> public class XalanSecureAttributeRepro {
>     // Minimal stylesheet: a literal result element carrying an XHTML attribute
>     private static final String XSL =
>             "<xsl:stylesheet version=\"1.0\" xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\">\n" +
>             "  <xsl:output method=\"html\"/>\n" +
>             "  <xsl:template match=\"/*\">\n" +
>             "    <th colspan=\"2\"/>\n" +
>             "  </xsl:template>\n" +
>             "</xsl:stylesheet>";
>
>     public static void main( String[] args ) throws Exception {
>         // Force the Xalan-J interpretive factory instead of the JDK's bundled XSLTC
>         System.setProperty( "javax.xml.transform.TransformerFactory", "org.apache.xalan.processor.TransformerFactoryImpl" );
>         TransformerFactory tf = TransformerFactory.newInstance();
>         tf.setFeature( XMLConstants.FEATURE_SECURE_PROCESSING, true);
>         // Throw on stylesheet errors rather than only reporting them
>         tf.setErrorListener( new DefaultErrorHandler( true ) );
>         final Source source = new StreamSource( new StringReader( XSL ) );
>         Templates templates = tf.newTemplates( source ); // throws:
>                         // TransformerException: "colspan" attribute is not allowed on the th element!
>     }
> }
> {code}
> It returns this error:
> {code}
> Exception in thread "main" javax.xml.transform.TransformerConfigurationException: javax.xml.transform.TransformerException: org.xml.sax.SAXException: "colspan" attribute is not allowed on the th element!
> javax.xml.transform.TransformerException: "colspan" attribute is not allowed on the th element!
>     at org.apache.xalan.processor.TransformerFactoryImpl.newTemplates(TransformerFactoryImpl.java:933)
>     at com.l7tech.example.XalanSecureAttributeRepro.main(XalanSecureAttributeRepro.java:27)
>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>     at java.lang.reflect.Method.invoke(Method.java:606)
>     at com.intellij.rt.execution.application.AppMain.main(AppMain.java:134)
> Caused by: javax.xml.transform.TransformerException: org.xml.sax.SAXException: "colspan" attribute is not allowed on the th element!
> javax.xml.transform.TransformerException: "colspan" attribute is not allowed on the th element!
>     at org.apache.xalan.processor.TransformerFactoryImpl.newTemplates(TransformerFactoryImpl.java:925)
>     ... 6 more
> Caused by: org.xml.sax.SAXException: "colspan" attribute is not allowed on the th element!
> javax.xml.transform.TransformerException: "colspan" attribute is not allowed on the th element!
>     at org.apache.xalan.processor.StylesheetHandler.error(StylesheetHandler.java:919)
>     at org.apache.xalan.processor.StylesheetHandler.error(StylesheetHandler.java:947)
>     at org.apache.xalan.processor.XSLTElementProcessor.setPropertiesFromAttributes(XSLTElementProcessor.java:347)
>     at org.apache.xalan.processor.XSLTElementProcessor.setPropertiesFromAttributes(XSLTElementProcessor.java:267)
>     at org.apache.xalan.processor.ProcessorLRE.startElement(ProcessorLRE.java:283)
>     at org.apache.xalan.processor.StylesheetHandler.startElement(StylesheetHandler.java:623)
>     at org.apache.xerces.parsers.AbstractSAXParser.startElement(Unknown Source)
>     at org.apache.xerces.parsers.AbstractXMLDocumentParser.emptyElement(Unknown Source)
>     at org.apache.xerces.impl.XMLNSDocumentScannerImpl.scanStartElement(Unknown Source)
>     at org.apache.xerces.impl.XMLDocumentFragmentScannerImpl$FragmentContentDispatcher.dispatch(Unknown Source)
>     at org.apache.xerces.impl.XMLDocumentFragmentScannerImpl.scanDocument(Unknown Source)
>     at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source)
>     at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source)
>     at org.apache.xerces.parsers.XMLParser.parse(Unknown Source)
>     at org.apache.xerces.parsers.AbstractSAXParser.parse(Unknown Source)
>     at org.apache.xerces.jaxp.SAXParserImpl$JAXPSAXParser.parse(Unknown Source)
>     at org.apache.xalan.processor.TransformerFactoryImpl.newTemplates(TransformerFactoryImpl.java:917)
>     ... 6 more
> Caused by: javax.xml.transform.TransformerException: "colspan" attribute is not allowed on the th element!
>     at org.apache.xalan.processor.StylesheetHandler.error(StylesheetHandler.java:904)
>     ... 22 more
> {code}
> This worked properly in 2.7.1.
> Am I missing setting a feature on the transformer factory? How would you 
> transform a stylesheet that emits (X)HTML in secure processing mode using 
> Xalan?
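The comment above points out that the only way to get XHTML stylesheets through unmodified Xalan 2.7.3 is to turn secure processing off, which re-opens the CVE-2017-7465 class of risk. A defender's alternative is to keep FEATURE_SECURE_PROCESSING on and detect, at build or startup time, whether the Xalan on the classpath still carries XALANJ-2591, so the decision to pin a patched build is made explicitly rather than by silently weakening the factory. The probe below is an added example, not code from the Jira issue or the Xalan project; it reuses the issue's own minimal stylesheet and error-listener setup (org.apache.xml.utils.DefaultErrorHandler), and the class and method names are hypothetical.

```java
import javax.xml.XMLConstants;
import javax.xml.transform.Source;
import javax.xml.transform.Templates;
import javax.xml.transform.TransformerConfigurationException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamSource;
import java.io.StringReader;
import org.apache.xml.utils.DefaultErrorHandler;

/**
 * Startup probe for XALANJ-2591 (hypothetical class name, added example).
 * Compiles a minimal XHTML-emitting stylesheet with secure processing enabled
 * and reports whether this Xalan build rejects the literal "colspan" attribute.
 * Secure processing is never disabled here; the probe only tells you whether
 * the build you run is affected so you can pin a patched one.
 */
public final class XalanSecureProcessingProbe {

    // Same minimal stylesheet as the issue's repro: a literal <th colspan="2"/>.
    private static final String PROBE_XSL =
            "<xsl:stylesheet version=\"1.0\" xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\">\n"
          + "  <xsl:output method=\"html\"/>\n"
          + "  <xsl:template match=\"/*\">\n"
          + "    <th colspan=\"2\"/>\n"
          + "  </xsl:template>\n"
          + "</xsl:stylesheet>";

    /** The configuration to keep: the Xalan-J factory with FEATURE_SECURE_PROCESSING on. */
    public static TransformerFactory secureXalanFactory() throws TransformerConfigurationException {
        // Select Xalan-J explicitly instead of relying on the system property
        TransformerFactory tf = TransformerFactory.newInstance(
                "org.apache.xalan.processor.TransformerFactoryImpl", null);
        tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Same listener as the repro: turn stylesheet errors into exceptions
        tf.setErrorListener(new DefaultErrorHandler(true));
        return tf;
    }

    /**
     * Returns true when the installed Xalan fails the probe the way XALANJ-2591
     * describes, false when the XHTML stylesheet compiles under secure processing.
     * Any other compile failure is rethrown so it is not mistaken for the bug.
     */
    public static boolean affectedByXalanj2591() throws TransformerConfigurationException {
        TransformerFactory tf = secureXalanFactory();
        Source source = new StreamSource(new StringReader(PROBE_XSL));
        try {
            Templates compiled = tf.newTemplates(source);
            return compiled == null; // a non-null Templates means the probe passed
        } catch (TransformerConfigurationException e) {
            String msg = String.valueOf(e.getMessage());
            // Message text taken from the stack trace in the issue
            if (msg.contains("attribute is not allowed on the th element")) {
                return true;
            }
            throw e;
        }
    }

    public static void main(String[] args) throws Exception {
        if (affectedByXalanj2591()) {
            System.err.println("Xalan build rejects XHTML attributes under secure processing (XALANJ-2591); "
                    + "keep FEATURE_SECURE_PROCESSING on and pin a build that carries the XSLTElementProcessor fix.");
            System.exit(2);
        }
        System.out.println("Secure processing is on and the XHTML probe stylesheet compiles.");
    }
}
```

Run it once against each candidate Xalan jar (for example as a smoke test in the build that assembles the ServiceMix bundle): exit code 2 means the build still has the bug, exit code 0 means the XHTML stylesheet compiles with secure processing left on. Because the probe selects `org.apache.xalan.processor.TransformerFactoryImpl` by name, it exercises the Xalan-J interpretive processor the issue is about rather than the JDK's bundled XSLTC.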
--
This message was sent by Atlassian Jira
(v8.20.10#820010)