Bug#465885: please disable by default external Java method invocations in the XSLT 2.0 processor
On Fri, Feb 15, 2008 at 02:58:13PM +0100, Stefano Zacchiroli wrote:
> Calls on external Java functions disabled by default
>
> By default, the XSLT 2.0 processor of SaxonB enables calls on external Java functions to be embedded in stylesheets. Such calls can invoke arbitrary Java methods and are thus a security risk when executing untrusted XSLT stylesheets. For this reason, SaxonB in Debian comes with calls on external Java functions disabled by default.

Actually, this is not specific to the XSLT 2.0 processor. Also the XQuery processor of SaxonB is affected (I've just discovered this while writing the manpage for saxonb-xquery). The patch is general enough to fix both cases, as it affects the global SaxonB configuration, but the above text needs to be reworded. I hereby propose the following text:

  By default, SaxonB enables calls on external Java functions to be embedded in stylesheets or queries. Such calls can invoke arbitrary Java methods and are thus a security risk when executing untrusted XSLT stylesheets or XQuery queries. For this reason, SaxonB in Debian comes with calls on external Java functions disabled by default.

  If you are using the command line interface to the XSLT 2.0 or XQuery processors of Saxon, you can enable this feature by passing the -ext:on flag to your command line invocation.

  If you are using SaxonB from its Java API you should set the Attribute FeatureKeys.ALLOW_EXTERNAL_FUNCTIONS to true. See the API reference in the libsaxonb-java-doc package for more information.

What about it?

-- 
Stefano Zacchiroli -*- PhD in Computer Science ... now what?
[EMAIL PROTECTED],cs.unibo.it,debian.org} -%- http://upsilon.cc/zack/
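As an added illustration (not part of this bug report or of the SaxonB package), the following Java program checks on the application side that Saxon really refuses Java calls embedded in stylesheet text, by setting FeatureKeys.ALLOW_EXTERNAL_FUNCTIONS on Saxon-B 9.0's TransformerFactoryImpl explicitly instead of relying on the packaged default. The probe stylesheet, the class name and the method names are constructed for the demonstration.

```java
// Added example, not code from the bug report or from SaxonB itself.
// Assumes Saxon-B 9.0 (net.sf.saxon.TransformerFactoryImpl, FeatureKeys).
import java.io.StringReader;
import java.io.StringWriter;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;
import net.sf.saxon.FeatureKeys;
import net.sf.saxon.TransformerFactoryImpl;

public class ExternalFunctionGate {

    // Constructed probe stylesheet: binds Saxon's "java:" namespace and calls a
    // harmless JDK method. If the call succeeds, the processor is willing to
    // invoke Java methods named inside stylesheet text.
    static final String PROBE_XSL =
        "<xsl:stylesheet version='2.0'"
      + " xmlns:xsl='http://www.w3.org/1999/XSL/Transform'"
      + " xmlns:m='java:java.lang.Math'>"
      + "<xsl:template match='/'><xsl:value-of select='m:abs(-7)'/></xsl:template>"
      + "</xsl:stylesheet>";

    // Set the policy explicitly so it does not depend on how the jar was built.
    static TransformerFactory factoryWithExternalFunctions(boolean allow) {
        TransformerFactory tf = new TransformerFactoryImpl();
        tf.setAttribute(FeatureKeys.ALLOW_EXTERNAL_FUNCTIONS, Boolean.valueOf(allow));
        return tf;
    }

    // True when the probe's Java call executed; false when Saxon refused to
    // bind or run it (compilation or transformation throws).
    static boolean javaCallsReachable(TransformerFactory tf) {
        try {
            Transformer t = tf.newTransformer(new StreamSource(new StringReader(PROBE_XSL)));
            StringWriter out = new StringWriter();
            t.transform(new StreamSource(new StringReader("<doc/>")), new StreamResult(out));
            return out.toString().contains("7");
        } catch (TransformerException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        // Expected: "off -> false" and "on -> true"; any other result means the
        // attribute is not being honoured by the Saxon build on the classpath.
        System.out.println("off -> " + javaCallsReachable(factoryWithExternalFunctions(false)));
        System.out.println("on -> " + javaCallsReachable(factoryWithExternalFunctions(true)));
    }
}
```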
Bug#465885: please disable by default external Java method invocations in the XSLT 2.0 processor
On Sat, Feb 16, 2008 at 12:11:15PM +0100, Stefano Zacchiroli wrote:
> On Fri, Feb 15, 2008 at 02:58:13PM +0100, Stefano Zacchiroli wrote:
> > Calls on external Java functions disabled by default
> >
> > By default, the XSLT 2.0 processor of SaxonB enables calls on external Java functions to be embedded in stylesheets. Such calls can invoke arbitrary Java methods and are thus a security risk when executing untrusted XSLT stylesheets. For this reason, SaxonB in Debian comes with calls on external Java functions disabled by default.
>
> Actually, this is not specific to the XSLT 2.0 processor. Also the XQuery processor of SaxonB is affected (I've just discovered this while writing the manpage for saxonb-xquery). The patch is general enough to fix both cases, as it affects the global SaxonB configuration, but the above text needs to be reworded. I hereby propose the following text:
>
>   By default, SaxonB enables calls on external Java functions to be embedded in stylesheets or queries. Such calls can invoke arbitrary Java methods and are thus a security risk when executing untrusted XSLT stylesheets or XQuery queries. For this reason, SaxonB in Debian comes with calls on external Java functions disabled by default.
>
>   If you are using the command line interface to the XSLT 2.0 or XQuery processors of Saxon, you can enable this feature by passing the -ext:on flag to your command line invocation.
>
>   If you are using SaxonB from its Java API you should set the Attribute FeatureKeys.ALLOW_EXTERNAL_FUNCTIONS to true. See the API reference in the libsaxonb-java-doc package for more information.
>
> What about it?

Looks good. Committed.

Cheers,
Michael
Bug#465885: please disable by default external Java method invocations in the XSLT 2.0 processor
Package: libsaxonb-java
Version: 9.0-2
Severity: important
Tags: patch, security

SaxonB, like previous Saxon versions, comes with calls on external Java methods enabled by default. This is a security issue when processing untrusted XSLT stylesheets, as is properly reported in README.Debian.

Still, I don't think it is enough to warn people in README.Debian, and I would much prefer to have a patched version of SaxonB with external method invocation disabled, explaining in README.Debian why it is disabled and how to enable it back.

Attached you can find a patch which disables by default external Java methods, and a new README.Debian which explains how to enable it back from the command line and other kinds of invocations.

Please consider applying the patch.

PS the README.Debian I ship gets rid of the content which explains how to generally invoke SaxonB from the command line (besides the example for enabling back external Java methods). The content was out of date anyhow, but in a second forthcoming bug report :-) I'm going to propose some new content for that as well.

PPS many thanks for having brought SaxonB into Debian!

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 2.6.24-1-686 (SMP w/1 CPU core)
Locale: LANG=it_IT.UTF-8, LC_CTYPE=it_IT.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages libsaxonb-java depends on:
ii  gij [java2-runtime]          4:4.3-1       The GNU Java bytecode interpreter
ii  gij-4.1 [java2-runtime]      4.1.2-19      The GNU Java bytecode interpreter
ii  java-gcj-compat [java2-runt  1.0.77-4      Java runtime environment using GIJ
ii  libdom4j-java                1.6.1+dfsg-2  flexible XML framework for Java
ii  libjdom1-java                1.0-4         lightweight and fast library using
ii  libxom-java                  1.1-2         A new XML object model for Java
ii  sun-java6-jre [java2-runtim  6-04-2        Sun Java(TM) Runtime Environment (

libsaxonb-java recommends no packages.
-- no debconf information

Calls on external Java functions disabled by default

By default, the XSLT 2.0 processor of SaxonB enables calls on external Java functions to be embedded in stylesheets. Such calls can invoke arbitrary Java methods and are thus a security risk when executing untrusted XSLT stylesheets. For this reason, SaxonB in Debian comes with calls on external Java functions disabled by default.

If you are using the command line interface of the XSLT 2.0 processor of Saxon, you can enable this feature by passing the -ext:on flag to your command line invocation. For example:

  CLASSPATH=/usr/share/java/saxonb.jar \
  java net.sf.saxon.Transform -ext:on -s:input.xml -xsl:style.xsl -o:output.xml

If you are using SaxonB from its Java API you should set the Attribute FeatureKeys.ALLOW_EXTERNAL_FUNCTIONS to true. See the API reference in the libsaxonb-java-doc package for more information.

 -- Stefano Zacchiroli [EMAIL PROTECTED]  Fri, 15 Feb 2008 14:47:43 +0100

diff -Naur saxonb-9.0/src/net/sf/saxon/Configuration.java saxonb-9.0.zack/src/net/sf/saxon/Configuration.java --- saxonb-9.0/src/net/sf/saxon/Configuration.java 2008-02-15 14:41:06.0 +0100 +++ saxonb-9.0.zack/src/net/sf/saxon/Configuration.java 2008-02-15 14:39:53.0 +0100 @@ -121,7 +121,7 @@ private transient OutputURIResolver outputURIResolver; private boolean timing = false; private boolean versionWarning = true; -private boolean allowExternalFunctions = true; +private boolean allowExternalFunctions = false; private boolean traceExternalFunctions = false; private boolean validation = false; private boolean allNodesUntyped = false;
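Review bot: the new default on `+private boolean allowExternalFunctions = false;` carries no comment marking it as a deliberate Debian deviation from upstream's `true`, so the next upstream refresh can silently drop it; add a one-line comment on that field (e.g. `// Debian: disabled by default, see README.Debian`) so the divergence is visible to whoever merges the next release. Since the hunk only changes the field initializer, also confirm that net.sf.saxon.Transform (the entry point README.Debian documents) does not itself set the flag to true when no -ext option is passed, otherwise the new default would not take effect from the command line.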