Use of secure processing feature should disable some output properties
----------------------------------------------------------------------

                 Key: XALANJ-2435
                 URL: https://issues.apache.org/jira/browse/XALANJ-2435
             Project: XalanJ2
          Issue Type: Bug
    Affects Versions: 2.7.1
            Reporter: Steve Jones


When using the FEATURE_SECURE_PROCESSING 
("http://javax.xml.XMLConstants/feature/secure-processing") on a 
TransformerFactory it seems appropriate that the output properties:

  {http://xml.apache.org/xalan}content-handler 
  {http://xml.apache.org/xalan}entities
  {http://xml.apache.org/xslt}content-handler 
  {http://xml.apache.org/xslt}entities

should be ignored (see 
http://xml.apache.org/xalan-j/usagepatterns.html#outputprops)

These properties can be used to load an arbitrary class or access an arbitrary 
URL/resource so are problematic when secure processing is desired.

   <xsl:output xalan:content-handler="org.example.BadClass" ...
   <xsl:output xalan:entities="http://example.org/reallyLargeFile.bin" ...

These features could be used to load a class that had undesirable side-effects 
or to load a large file and exhaust memory, etc.
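Until the processor itself ignores these properties under secure processing, a caller can refuse to run any stylesheet that declares them. The following is an added defender-side check, not code from this report or from the Xalan project: it compiles the stylesheet to a Templates object (which does not yet instantiate the content handler or fetch the entities resource), reads the compiled output properties, and rejects the stylesheet if any of the four keys listed above are present. It assumes the factory in use is Xalan's interpretive TransformerFactoryImpl, which keeps extension output attributes under their {namespace}local-name keys; the stylesheet text and the PLACEHOLDER_HANDLER_CLASS value are constructed for the example.

```java
import javax.xml.XMLConstants;
import javax.xml.transform.Templates;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamSource;
import java.io.StringReader;
import java.util.HashSet;
import java.util.Properties;
import java.util.Set;

public class OutputPropertyCheck {

    // The four Xalan output properties this report says secure processing should ignore.
    static final Set<String> DISALLOWED = new HashSet<String>();
    static {
        DISALLOWED.add("{http://xml.apache.org/xalan}content-handler");
        DISALLOWED.add("{http://xml.apache.org/xalan}entities");
        DISALLOWED.add("{http://xml.apache.org/xslt}content-handler");
        DISALLOWED.add("{http://xml.apache.org/xslt}entities");
    }

    /**
     * Returns the disallowed output properties a compiled stylesheet declares
     * (empty set if none). Templates.getOutputProperties() reports the keys in
     * "{namespaceURI}local-name" form, matching the constants above.
     */
    static Set<String> findDisallowed(Templates templates) {
        Set<String> found = new HashSet<String>();
        Properties props = templates.getOutputProperties();
        for (String key : props.stringPropertyNames()) {
            if (DISALLOWED.contains(key)) {
                found.add(key);
            }
        }
        return found;
    }

    /** Compiles the stylesheet with secure processing on and applies the check. */
    static Templates compileChecked(TransformerFactory tf, String xsl) throws Exception {
        Templates templates = tf.newTemplates(new StreamSource(new StringReader(xsl)));
        Set<String> bad = findDisallowed(templates);
        if (!bad.isEmpty()) {
            throw new IllegalStateException(
                "stylesheet declares disallowed output properties: " + bad);
        }
        return templates;
    }

    public static void main(String[] args) throws Exception {
        TransformerFactory tf = TransformerFactory.newInstance();
        tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);

        // Constructed stylesheet; PLACEHOLDER_HANDLER_CLASS is not a real class,
        // it only exists so the check has something to reject.
        String xsl =
            "<xsl:stylesheet version=\"1.0\""
            + " xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\""
            + " xmlns:xalan=\"http://xml.apache.org/xalan\">"
            + "<xsl:output method=\"xml\" xalan:content-handler=\"PLACEHOLDER_HANDLER_CLASS\"/>"
            + "<xsl:template match=\"/\"><out/></xsl:template>"
            + "</xsl:stylesheet>";

        try {
            compileChecked(tf, xsl);
            System.out.println("stylesheet accepted");
        } catch (IllegalStateException e) {
            // Expected for the constructed stylesheet above.
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The check is only as good as the factory's reporting: a different TransformerFactory implementation may drop unknown extension attributes silently, in which case the properties never reach the output set and there is nothing to reject (and nothing to exploit). Running the check on the Templates rather than on a Transformer keeps it ahead of any point at which the processor would act on the property.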
