Hi Rob,
suppose that we were to turn off all Xalan extensions. The default would
obviously be to have the Xalan extensions recognized.
What would you suggest for that as an API to make Xalan extensions not
recognized?
----------
Brian Minchau
XSLT Development, IBM Toronto
e-mail: [EMAIL PROTECTED]
Robert Koberg <[EMAIL PROTECTED]>
12/07/2004 05:45 PM
Please respond to xalan-dev
To: [EMAIL PROTECTED]
cc:
Subject: Re: Please be aware of the changes to some static variables in Xalan to plug some potential security holes
Hi and thanks,
Speaking of security holes, has anything been done (or is planned to be)
about the ability to turn off extensions (mainly xalan:redirect)? I
cannot use Xalan in my server environment as I have to run untrusted
stylesheets.
thanks again,
-Rob
Christine Li wrote:
>
> Hello,
>
> As you may have noticed, I just opened a bug report[1] about some
> security issues in Xalan. After some serious investigation, I have
> created a patch to change various static variables that could open
> security holes. This patch includes changes to about 214 classes that
> cross 29 packages. It may have an impact on your work, so please be aware
> of the changes. In general, I made the following changes:
>
> 1. Added final modifier to static variables;
> 2. Reduced scope and added public get methods whenever it is appropriate;
> 3. Changed some static variables to instance variables;
> 4. Changed some interfaces to final classes, if those interfaces are
> used only to define constants;
> 5. Removed the usage of System.exit;
> 6. For various org.apache.xml.utils.res.XResourceBundle, the getObject()
> methods return immutable array wrappers instead of arrays;
> 7. Changed static methods of org.apache.xpath.compiler.FunctionTable to
> instance methods, and the reference to a function table is passed around
> the processing to create an XPath object;
> 8. Changed the flags of FEATURE_INCREMENTAL, FEATURE_OPTIMIZE and
> FEATURE_SOURCE_LOCATION to instance variables in TransformerFactoryImpl,
> so they will not be changed during processing once a new Templates has
> been created;
>
> Please let me know if you have any concerns or comments.
>
> Special thanks to Henry Zongaro ([EMAIL PROTECTED]) and Brian Minchau
> ([EMAIL PROTECTED])
>
> [1] http://nagoya.apache.org/jira/browse/XALANJ-2008
>
> Christine Li
> XSLT Development
> IBM Toronto Lab
> Tel: (905)413-2601
> Email: [EMAIL PROTECTED]
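As an added illustration of items 1, 2 and 6 in the list above (this is not Xalan's code; the LeakyTable and HardenedTable classes and their lookup table are constructed for the example), the snippet below shows why a public, non-final static array shared by every caller in a JVM is a security problem, and the pattern the patch describes: final statics, narrowed scope, and an immutable view returned by a getter.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.List;

// Constructed example: a processor-wide lookup table before and after hardening.
public class SharedStateDemo {

    // BEFORE: public, non-final static array. Any code loaded into the same
    // JVM (for example an extension function invoked from an untrusted
    // stylesheet) can reassign it or overwrite its elements, silently
    // changing behaviour for every later transformation in the process.
    static class LeakyTable {
        public static String[] ALLOWED_SCHEMES = { "http", "https" };
    }

    // AFTER: private final static, exposed only through an unmodifiable view.
    // The reference cannot be reassigned, and the view rejects writes.
    static class HardenedTable {
        private static final String[] ALLOWED_SCHEMES = { "http", "https" };

        public static List<String> getAllowedSchemes() {
            return Collections.unmodifiableList(Arrays.asList(ALLOWED_SCHEMES));
        }
    }

    public static void main(String[] args) {
        // Simulates untrusted code in the same JVM mutating the shared table;
        // every subsequent caller of LeakyTable now sees "file" as allowed.
        LeakyTable.ALLOWED_SCHEMES[0] = "file";
        System.out.println("leaky:    " + Arrays.toString(LeakyTable.ALLOWED_SCHEMES));

        // The same write attempt against the hardened table fails, and the
        // table the next caller reads is unchanged.
        try {
            HardenedTable.getAllowedSchemes().set(0, "file");
        } catch (UnsupportedOperationException e) {
            System.out.println("hardened: mutation rejected");
        }
        System.out.println("hardened: " + HardenedTable.getAllowedSchemes());
    }
}
```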
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]