Sorry about the previous email in the HTML format. Here it is as plain text:
Artur Tomusiak wrote:
Hi,
I belong to the same organization as Bradley. It seems like
ExtensionNamespacesManager class could be somehow used to disable the
Java extension. Although there is no unregisterExtension() method
(the registerExtension() method is there), and the setPredefinedNamespaces()
method is private, would it be possible at all to remove the
extension?
A more preferable way would be to limit the number of packages available
for the Java extension. So instead of disabling the extension, it
would be even better to let the Java code inside of XSLT source use
only "java.lang" and "java.util" packages. Using any other package
would throw an exception. Is there any way to provide our own
ObjectFactory class or to have our own ClassLoader class and make
ObjectFactory.findClassLoader() return it? The idea is that this
specific ClassLoader would allow only certain packages during the
transformation while regular ClassLoader would still work in the rest
of our application.
Thanks,
Artur
-----Original Message-----
From: Bradley Wagner [mailto:[EMAIL PROTECTED]
Sent: Thursday, 2 October 2008 4:52 AM
To: xalan-j-users@xml.apache.org
Subject: Disabling Xalan-Java Extensions
Hi,
We really liked the option to be able to write JavaScript extensions
in XSLTs that execute in Xalan. However, we recently had a customer
come to us with a request to disable the execution of Java code
specifically (not JavaScript) as he saw it as a potential security
hole as our software lets our customers write arbitrary XSLTs to
manipulate their XML data.
Assuming the application was running as a privileged user, we were able to
write XSLTs in our software that would delete files/folders on the
filesystem of the machine running our software (Tomcat instance).
Any ideas? Is there a way to limit the scope of what classes and
libraries are available when Xalan executes Java code, or is there a way to
just disable this functionality?
Thanks,
Bradley
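The factory-level switch the thread is circling, shown here as an added example rather than code from either poster: a stylesheet that calls a Java extension is run once with extensions allowed and once with JAXP's secure-processing feature turned on. It assumes a Xalan release that honours FEATURE_SECURE_PROCESSING by refusing extension functions and elements (the thread does not say which version is deployed); the class name, stylesheet and input document are constructed for the example.

```java
import java.io.StringReader;
import java.io.StringWriter;
import javax.xml.XMLConstants;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;

public class XsltExtensionSwitchDemo {
    // Constructed stylesheet: binds a prefix to java.lang.Integer through the
    // xalan:// extension namespace and calls a harmless static method.
    static final String STYLESHEET =
          "<xsl:stylesheet version=\"1.0\""
        + " xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\""
        + " xmlns:jint=\"xalan://java.lang.Integer\""
        + " exclude-result-prefixes=\"jint\">"
        + " <xsl:output method=\"text\"/>"
        + " <xsl:template match=\"/\">"
        + "  <xsl:value-of select=\"jint:toHexString(255)\"/>"
        + " </xsl:template>"
        + "</xsl:stylesheet>";

    static final String INPUT = "<doc/>";   // constructed input document

    // Runs STYLESHEET with the JAXP secure-processing feature set as requested.
    // Returns the output, or null when the processor refused the stylesheet,
    // which is the assumed outcome for secure=true on a Xalan build that
    // honours the feature for extension functions and elements.
    static String run(boolean secure) {
        try {
            TransformerFactory factory = TransformerFactory.newInstance();
            factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, secure);
            Transformer t = factory.newTransformer(
                    new StreamSource(new StringReader(STYLESHEET)));
            StringWriter out = new StringWriter();
            t.transform(new StreamSource(new StringReader(INPUT)),
                        new StreamResult(out));
            return out.toString();
        } catch (TransformerException e) {
            // Rejection may surface at compile time (XSLTC) or at run time
            // (interpretive processor); both extend TransformerException.
            return null;
        }
    }

    public static void main(String[] args) {
        System.out.println("extensions allowed: " + run(false));
        System.out.println("secure processing : " + run(true));
    }
}
```

Note that this switch is all-or-nothing at the factory level (Java and JavaScript extensions alike), so it does not give the per-package allowlist Artur asks about.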