Jochen Topf wrote:
> Hi!
>
> When using XSLT with Execute() like this:
>
> $ret = Execute({
> inputfile => 'foo.xml',
> recipe => 'EmbperlXSLT',
> xsltstylesheet => 'foo.xsl',
> });
>
> without an 'xsltparam', the %fdat hash is used as default 'xsltparam'.
>
> I think this
> a) violates the principle of least surprise. It surprised me a lot and I
> spent half an hour to figure out what a strange LibXSLT error meant
> that resulted from this. After I found it in the source code I also
> found it in the documentation, but I still think it's the wrong
> thing to do because
> b) is a potential security risk. It means data that is supplied by the
> client (and can be anything) is fed into the XSLT engine as
> parameter without checking it first.
>
It is built in for convenience, but you are right, the current implementation
is a security risk. The default behaviour should be to quote all values.
From my point of view this should remove all security problems and doesn't
give a problem.
What do you think?
Gerald
> In the best case (this is what happened to me) you have a URL like
> this:
>
> /foo.html?bar=x+y
>
> which gets translated to
>
> $fdat{'bar'} = 'x y'
>
> Now XSLT sees a parameter 'x y' (without the single quotes), which it
> can't parse and so it dies. This happens even if the XSLT stylesheet
> never actually defines any parameters of its own. I bet many Embperl
> webpages of many users can be broken just by adding spurious
> parameters to the URL.
>
> In a worse case the parameter could be carefully chosen to reveal data
> from an XML file that shouldn't be revealed.
>
> The workaround is easy, just supply an empty xsltparam. But I still
> think the default should be changed.
>
> Jochen
---------------------------------------------------------------------------
Gerald Richter ecos electronic communication services gmbh
IT security solutions * Web applications with Apache/Perl/mod_perl/Embperl
Post: Tulpenstrasse 5 D-55276 Dienheim b. Mainz
E-Mail: [EMAIL PROTECTED] Voice: +49 6133 939-122
WWW: http://www.ecos.de/ Fax: +49 6133 939-333
---------------------------------------------------------------------------
ECOS BB-5000 Firewall- und IT-Security Appliance: www.bb-5000.info
---------------------------------------------------------------------------
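The behaviour discussed above, shown outside Embperl as an added example (this is not Embperl's or XML::LibXSLT's own code): a constructed %fdat with the value 'x y' from the thread is passed to XML::LibXSLT once raw, the way the unchecked default 'xsltparam' does, and once quoted with XML::LibXSLT::xpath_to_string, which is the "quote all values" default Gerald proposes. It assumes XML::LibXML and XML::LibXSLT are installed; the stylesheet declares no parameters of its own, as in Jochen's report.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use XML::LibXML;
use XML::LibXSLT;

# Constructed stand-in for the request data: /foo.html?bar=x+y becomes this.
my %fdat = ( bar => 'x y' );

# Constructed input document and a stylesheet that declares no parameters.
my $xml = XML::LibXML->load_xml( string => '<doc><item>hello</item></doc>' );
my $xsl = XML::LibXML->load_xml( string => <<'XSL' );
<xsl:stylesheet version="1.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:output method="text"/>
  <xsl:template match="/"><xsl:value-of select="doc/item"/></xsl:template>
</xsl:stylesheet>
XSL
my $sheet = XML::LibXSLT->new->parse_stylesheet($xsl);

# Unsafe default: each value is handed to libxslt as an XPath *expression*,
# so client-supplied text is compiled and evaluated by the XSLT engine.
sub transform_raw {
    my ($params) = @_;
    my $res = eval { $sheet->transform( $xml, %$params ) };
    return $@ ? "error: $@" : $sheet->output_string($res);
}

# Safe default: quote every value so it reaches libxslt as a string literal
# ('x y' becomes the XPath literal "x y") and is never parsed as an expression.
sub transform_quoted {
    my ($params) = @_;
    my $res = $sheet->transform( $xml,
        XML::LibXSLT::xpath_to_string(%$params) );
    return $sheet->output_string($res);
}

print "raw:    ", transform_raw( \%fdat ),    "\n";  # libxslt rejects 'x y'
print "quoted: ", transform_quoted( \%fdat ), "\n";  # prints the item text
```

Quoting alone does not validate the request data; it only stops the engine from interpreting it, so an allow-list of expected parameter names (or an explicit, empty 'xsltparam' as Jochen suggests) is still the safer default.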