Posted to dev@xalan.apache.org by "Steven J. Hathaway (JIRA)" <xa...@xml.apache.org> on 2012/08/21 21:58:38 UTC

[jira] [Assigned] (XALANJ-2557) Security: Every namespace declared by the stylesheet is registered as an extension namespace, making it virtually impossible to scan for 'dangerous' namespaces in a stylesheet

     [ https://issues.apache.org/jira/browse/XALANJ-2557?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Steven J. Hathaway reassigned XALANJ-2557:
------------------------------------------

    Assignee:     (was: Steven J. Hathaway)
    
> Security: Every namespace declared by the stylesheet is registered as an extension namespace, making it virtually impossible to scan for 'dangerous' namespaces in a stylesheet
> -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: XALANJ-2557
>                 URL: https://issues.apache.org/jira/browse/XALANJ-2557
>             Project: XalanJ2
>          Issue Type: Bug
>      Security Level: No security risk; visible to anyone (Ordinary problems in Xalan projects. Anybody can view the issue.)
>          Components: Xalan-extensions
>    Affects Versions: 2.7.1
>            Reporter: David Ward
>            Priority: Critical
>
> As per the documentation:
> http://xml.apache.org/xalan-j/extensions.html#java-namespace-declare
>     Although the namespace declarations for the class and package formats are
>     shown with the xalan:// prefix, the current implementation for those formats
>     will simply use the string to the right of the rightmost forward slash as the
>     Java class name. This format, however, is the preferred format for extension
>     namespace declarations.
> It's not crystal clear in the above documentation that any class URI can be used, not just those with a certain prefix. For example,
> http://foo/java.io.File
> will be registered with the org.apache.xalan.extensions.ExtensionHandlerJavaClass because the suggested class URI format is not enforced.
> This is a quandary for those of us who need to use the Java extension space, but want to use an XML filter to provide a modicum of security in order to limit what extensions can be used. FEATURE_SECURE_PROCESSING seems to be all or nothing. Given the above, the use of a Java extension is difficult to detect.
> Perhaps there is room to add a feature to enforce the suggested class URI format in order to provide a better middle of the road approach to security.
> An example 'innocent'-looking stylesheet:
> <xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" 
> xmlns:file="http://myfoo/java.io.File" version="1.0" extension-element-prefixes="file">
> <xsl:template match="/">
> <xsl:variable name="f" select="file:new('/tmp/iwashere')"/>
> <xsl:variable name="c" select="file:createNewFile($f)"/>
> </xsl:template>
> </xsl:stylesheet>

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
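As an added example (not part of the JIRA report or of Xalan's own code), a small Python scanner that applies the rule the report describes: any declared namespace whose rightmost path segment is shaped like a dotted Java class name is a candidate extension namespace, whatever scheme or host precedes it. The stylesheet is constructed from the one quoted above with its quoting made well-formed, and the class-name shape test is an assumption, deliberately conservative.

```python
"""Added example, not Xalan code: flag stylesheet namespace declarations that
Xalan-J 2.7.1 would register with ExtensionHandlerJavaClass (XALANJ-2557)."""
import io
import re
import xml.etree.ElementTree as ET

XSL_NS = "http://www.w3.org/1999/XSL/Transform"

# Xalan takes the text to the right of the rightmost '/' as the Java class
# name, so any tail shaped like a dotted Java identifier chain is a candidate,
# whatever scheme or host precedes it ("http://myfoo/java.io.File" included).
JAVA_CLASS_TAIL = re.compile(r"^(?:[A-Za-z_$][\w$]*\.)+[A-Za-z_$][\w$]*$")

def declared_namespaces(xml_text):
    """Return every (prefix, uri) xmlns declaration in the document."""
    source = io.BytesIO(xml_text.encode("utf-8"))
    return [ns for _ev, ns in ET.iterparse(source, events=("start-ns",))]

def suspicious_namespaces(xml_text):
    """Map prefix -> URI for declarations whose tail could name a Java class."""
    hits = {}
    for prefix, uri in declared_namespaces(xml_text):
        if uri == XSL_NS:
            continue
        if JAVA_CLASS_TAIL.match(uri.rsplit("/", 1)[-1]):
            hits[prefix] = uri
    return hits

def extension_calls(xml_text):
    """Return sorted 'prefix:function' names called through suspicious prefixes."""
    prefixes = suspicious_namespaces(xml_text)
    if not prefixes:
        return []
    pattern = r"\b(%s):([A-Za-z_][\w.-]*)\s*\(" % "|".join(map(re.escape, prefixes))
    call = re.compile(pattern)
    found = set()
    for elem in ET.fromstring(xml_text).iter():
        for value in elem.attrib.values():   # select="...", test="...", etc.
            found.update("%s:%s" % m for m in call.findall(value))
    return sorted(found)

# Constructed sample based on the stylesheet in the report (quotes made well-formed).
SAMPLE = """<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
  xmlns:file="http://myfoo/java.io.File" version="1.0" extension-element-prefixes="file">
  <xsl:template match="/">
    <xsl:variable name="f" select="file:new('/tmp/iwashere')"/>
    <xsl:variable name="c" select="file:createNewFile($f)"/>
  </xsl:template>
</xsl:stylesheet>"""
```

The scanner is a pre-processing check only; as the report notes, the Xalan-side control is FEATURE_SECURE_PROCESSING, which disables all extensions rather than a subset.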

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@xalan.apache.org
For additional commands, e-mail: dev-help@xalan.apache.org