Posted to j-users@xalan.apache.org by Bradley Wagner <br...@hannonhill.com> on 2009/03/20 01:16:20 UTC

Re: Disabling Xalan-Java Extensions

After doing some searching, I found this feature request in Xalan's JIRA
instance: https://issues.apache.org/jira/browse/XALANJ-1850
Was the last comment suggesting that this would be implemented when JAXP 1.3
was available?

Would anyone have any ideas on how to modify xalan to achieve this effect in
the interim?

Thanks,
Bradley

On Thu, Oct 16, 2008 at 3:49 PM, Artur Tomusiak <
artur.tomusiak@hannonhill.com> wrote:

> Sorry about the previous email in the HTML format. Here it is as plain
> text:
>
> Artur Tomusiak wrote:
>
>> Hi,
>>
>> I belong to the same organization as Bradley. It seems like
>> ExtensionNamespacesManager class could be somehow used to disable the Java
>> extension. Although there is no unregisterExtension() method
>> (registerExtension() method is there), and setPredefinedNamespaces() method
>> is private, would it be possible at all to remove the extension?
>>
>> A more preferable way would be to limit the number of packages available for
>> the Java extension. So instead of disabling the extension, it would be even
>> better to let the Java code inside of XSLT source use only "java.lang" and
>> "java.util" packages. Using any other package would throw an exception. Is
>> there any way to provide our own ObjectFactory class or to have our own
>> ClassLoader class and make ObjectFactory.findClassLoader() return it? The
>> idea is that this specific ClassLoader would allow only certain packages
>> during the transformation while regular ClassLoader would still work in the
>> rest of our application.
>>
>> Thanks,
>> Artur
>>
>>>> -----Original Message-----
>>>> From: Bradley Wagner [mailto:bradley.wagner@hannonhill.com]
>>>> Sent: Thursday, 2 October 2008 4:52 AM
>>>> To: xalan-j-users@xml.apache.org <ma...@xml.apache.org>
>>>> Subject: Disabling Xalan-Java Extensions
>>>>
>>>> Hi,
>>>>
>>>> We really liked the option to be able to write JavaScript extensions
>>>> in XSLTs that execute in Xalan. However, we recently had a customer
>>>> come to us with a request to disable the execution of Java code
>>>> specifically (not JavaScript) as he saw it as a potential security
>>>> hole as our software lets our customers write arbitrary XSLTs to
>>>> manipulate their XML data.
>>>>
>>>> Assuming the application was running as a privileged user, we were able to
>>>> write XSLTs in our software that would delete files/folders on the
>>>> filesystem of the machine running our software (Tomcat instance).
>>>>
>>>> Any ideas? Is there a way to limit the scope of what classes and
>>>> libraries are available when Xalan executes Java code, or is there a way to
>>>> just disable this functionality?
>>>>
>>>> Thanks,
>>>> Bradley
>>>>
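The JAXP 1.3 mechanism the JIRA comment refers to is the secure-processing feature: when it is set on the TransformerFactory, Xalan-J (2.7 and later) and the JDK's built-in XSLTC refuse extension functions and elements. The following is an added example, not code from this thread or from the Xalan project; the class name SecureXsltDemo and the stylesheet are constructed for illustration, and the stylesheet calls a harmless Java method only to show that the call is blocked.

```java
import javax.xml.XMLConstants;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerConfigurationException;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;
import java.io.StringReader;
import java.io.StringWriter;

public class SecureXsltDemo {

    // Constructed stylesheet: invokes a Java method through the Xalan
    // extension namespace. With secure processing on, this must be refused.
    static final String XSL =
        "<xsl:stylesheet version='1.0'"
      + " xmlns:xsl='http://www.w3.org/1999/XSL/Transform'"
      + " xmlns:java='http://xml.apache.org/xalan/java'>"
      + "<xsl:output method='text'/>"
      + "<xsl:template match='/'>"
      + "<xsl:value-of select='java:java.lang.Math.max(1, 2)'/>"
      + "</xsl:template>"
      + "</xsl:stylesheet>";

    // Constructed input document; its content is irrelevant to the extension call.
    static final String XML = "<doc/>";

    /** Runs the transform; returns the output, or null if the processor refused the extension call. */
    static String run(boolean secure) throws TransformerConfigurationException {
        TransformerFactory tf = TransformerFactory.newInstance();
        // JAXP 1.3 feature: true disables Java (and other) extension functions and elements.
        tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, secure);
        try {
            Transformer t = tf.newTransformer(new StreamSource(new StringReader(XSL)));
            StringWriter out = new StringWriter();
            t.transform(new StreamSource(new StringReader(XML)), new StreamResult(out));
            return out.toString();
        } catch (TransformerException e) {
            // The blocked extension call surfaces as a compile- or run-time TransformerException
            // (TransformerConfigurationException is a subclass, so stylesheet compile errors land here too).
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("extensions allowed: " + run(false)); // prints the result of the Java call
        System.out.println("secure processing:  " + run(true));  // null: extension call refused
    }
}
```

Note that the feature switches off every extension mechanism, not only the Java one, so it does not by itself give the "Java off, JavaScript on" split asked for in the original message.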