http://issues.apache.org/bugzilla/show_bug.cgi?id=43145

Summary: XSLT Transforms are not executed securely
Product: Security
Version: Java 1.4.1
Platform: All
OS/Version: All
Status: NEW
Severity: major
Priority: P2
Component: Signature
AssignedTo: security-dev@xml.apache.org
ReportedBy: [EMAIL PROTECTED]

The XSLT Transform is not executed in a secure manner, which can allow malicious scripts to be executed via XSLT extensions. See Brad Hill's paper for more information: http://www.isecpartners.com/files/XMLDSIG_Command_Injection.pdf

The proposed fix will be to specify the secure processing mode (javax.xml.XMLConstants.FEATURE_SECURE_PROCESSING) when processing XSLT stylesheets embedded in XSLT Transforms. Since the FEATURE_SECURE_PROCESSING was first introduced in JDK 5 (1.5), this problem still exists when running on JDKs prior to 5. Therefore, there will be a runtime check that will disable the XSLT transform if not running on JDK 5 or higher. This may affect compatibility, but since this is a serious issue and there is a workaround (upgrading to JDK 5) I believe this is the most appropriate fix.
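The following is an added illustration of the fix the report proposes, not code from the Apache XML Security project or from the reporter. It assumes nothing beyond the standard JAXP API: the class name SecureXsltTransform, the helper names, and the sample stylesheet and document are constructed for the example. It enables FEATURE_SECURE_PROCESSING on the TransformerFactory used for an embedded stylesheet and fails closed (refuses to run the transform) when the feature cannot be enabled, which mirrors the report's runtime check for JDK 5 or later.

```java
import java.io.StringReader;
import java.io.StringWriter;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerConfigurationException;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;

// Added example (not the project's code): the hardening described in the
// bug report, applied to a stylesheet carried inside a signature Transform.
public final class SecureXsltTransform {

    // Same string value as javax.xml.XMLConstants.FEATURE_SECURE_PROCESSING
    // (JAXP 1.3 / JDK 5). Spelled out so this class still loads on an older
    // runtime where javax.xml.XMLConstants does not exist.
    private static final String SECURE_PROCESSING =
            "http://javax.xml.XMLConstants/feature/secure-processing";

    // Runtime check from the report: secure processing requires JAXP 1.3,
    // which shipped with JDK 5. On an older JDK the XMLConstants class is absent.
    static boolean secureProcessingAvailable() {
        try {
            Class.forName("javax.xml.XMLConstants");
            return true;
        } catch (ClassNotFoundException e) {
            return false;
        }
    }

    // Returns a factory with secure processing enabled (extension functions and
    // elements disabled), or null when the feature cannot be enabled. Callers
    // must then reject the Transform rather than fall back to an insecure one.
    static TransformerFactory newSecureFactory() {
        if (!secureProcessingAvailable()) {
            return null;
        }
        TransformerFactory tf = TransformerFactory.newInstance();
        try {
            tf.setFeature(SECURE_PROCESSING, true);
        } catch (TransformerConfigurationException e) {
            return null; // the implementation cannot honour the feature: fail closed
        }
        return tf;
    }

    // Applies the embedded stylesheet to the document; throws instead of
    // transforming when secure processing is unavailable.
    static String transform(String stylesheet, String document) throws TransformerException {
        TransformerFactory tf = newSecureFactory();
        if (tf == null) {
            throw new TransformerException(
                    "XSLT Transform disabled: secure processing is not available on this JDK");
        }
        Transformer t = tf.newTransformer(new StreamSource(new StringReader(stylesheet)));
        StringWriter out = new StringWriter();
        t.transform(new StreamSource(new StringReader(document)), new StreamResult(out));
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: a benign stylesheet and a tiny document.
        String stylesheet =
                "<xsl:stylesheet version=\"1.0\" xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\">"
              + "<xsl:output method=\"xml\" omit-xml-declaration=\"yes\"/>"
              + "<xsl:template match=\"/\"><out><xsl:value-of select=\"/doc/item\"/></out></xsl:template>"
              + "</xsl:stylesheet>";
        String document = "<doc><item>signed content</item></doc>";
        System.out.println(transform(stylesheet, document));
        // With secure processing on, a stylesheet that declares and calls an
        // extension function is rejected by the JDK's built-in processor at
        // compile time instead of being executed during signature validation.
    }
}
```

The important design point is the null return from newSecureFactory: the code never silently continues with a factory that could not be secured. A signature library that instead caught the exception and proceeded would reintroduce exactly the behaviour the report describes, because the attacker controls the stylesheet that is about to run.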