You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@xalan.apache.org by "David Ward (JIRA)" <xa...@xml.apache.org> on 2012/05/04 19:44:48 UTC
[jira] [Created] (XALANJ-2557) Security: Every namespace declared
by the stylesheet is registered as an extension namespace, making it
virtually impossible to scan for 'dangerous' namespaces in a stylesheet
David Ward created XALANJ-2557:
----------------------------------
Summary: Security: Every namespace declared by the stylesheet is registered as an extension namespace, making it virtually impossible to scan for 'dangerous' namespaces in a stylesheet
Key: XALANJ-2557
URL: https://issues.apache.org/jira/browse/XALANJ-2557
Project: XalanJ2
Issue Type: Bug
Security Level: No security risk; visible to anyone (Ordinary problems in Xalan projects. Anybody can view the issue.)
Components: Xalan-extensions
Affects Versions: 2.7.1
Reporter: David Ward
Assignee: Steven J. Hathaway
Priority: Critical
As per the documentation:
http://xml.apache.org/xalan-j/extensions.html#java-namespace-declare
Although the namespace declarations for the class and package formats are
shown with the xalan:// prefix, the current implementation for those formats
will simply use the string to the right of the rightmost forward slash as the
Java class name. This format, however, is the preferred format for extension
namespace declarations.
It's not crystal clear in the above documentation that any class URI can be used. Not just those with a certain prefix. For example
http://foo/java.io.File
will be registered with the org.apache.xalan.extensions.ExtensionHandlerJavaClass because the suggested class URI format is not enforced.
This is a quandary for those of us that need to use the Java extension space, but want to use an XML filter to provide a modicum security in order to limit what extensions can be used. FEATURE_SECURE_PROCESSING seems to be all or nothing. Given the above, the use of a Java extension is difficult to detect.
Perhaps there is room to add a feature to enforce the suggested class URI format in order to provide a better middle of the road approach to security.
An example 'innocent' looking stylesheet
<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
xmlns:file="http://myfoo/java.io.File" version="1.0" extension-element-prefixes="file">
<xsl:template match="/">
<xsl:variable name="f" select="file:new("/tmp/iwashere")"/>
<xsl:variable name="c" select="file:createNewFile($f)"/>
</xsl:template>
</xsl:stylesheet>
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
---------------------------------------------------------------------
To unsubscribe, e-mail: xalan-dev-unsubscribe@xml.apache.org
For additional commands, e-mail: xalan-dev-help@xml.apache.org
[jira] [Assigned] (XALANJ-2557) Security: Every namespace declared
by the stylesheet is registered as an extension namespace, making it
virtually impossible to scan for 'dangerous' namespaces in a stylesheet
Posted by "Steven J. Hathaway (JIRA)" <xa...@xml.apache.org>.
[ https://issues.apache.org/jira/browse/XALANJ-2557?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Steven J. Hathaway reassigned XALANJ-2557:
------------------------------------------
Assignee: (was: Steven J. Hathaway)
> Security: Every namespace declared by the stylesheet is registered as an extension namespace, making it virtually impossible to scan for 'dangerous' namespaces in a stylesheet
> -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
>
> Key: XALANJ-2557
> URL: https://issues.apache.org/jira/browse/XALANJ-2557
> Project: XalanJ2
> Issue Type: Bug
> Security Level: No security risk; visible to anyone(Ordinary problems in Xalan projects. Anybody can view the issue.)
> Components: Xalan-extensions
> Affects Versions: 2.7.1
> Reporter: David Ward
> Priority: Critical
>
> As per the documentation:
> http://xml.apache.org/xalan-j/extensions.html#java-namespace-declare
> Although the namespace declarations for the class and package formats are
> shown with the xalan:// prefix, the current implementation for those formats
> will simply use the string to the right of the rightmost forward slash as the
> Java class name. This format, however, is the preferred format for extension
> namespace declarations.
> It's not crystal clear in the above documentation that any class URI can be used. Not just those with a certain prefix. For example
> http://foo/java.io.File
> will be registered with the org.apache.xalan.extensions.ExtensionHandlerJavaClass because the suggested class URI format is not enforced.
> This is a quandary for those of us that need to use the Java extension space, but want to use an XML filter to provide a modicum security in order to limit what extensions can be used. FEATURE_SECURE_PROCESSING seems to be all or nothing. Given the above, the use of a Java extension is difficult to detect.
> Perhaps there is room to add a feature to enforce the suggested class URI format in order to provide a better middle of the road approach to security.
> An example 'innocent' looking stylesheet
> <xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
> xmlns:file="http://myfoo/java.io.File" version="1.0" extension-element-prefixes="file">
> <xsl:template match="/">
> <xsl:variable name="f" select="file:new("/tmp/iwashere")"/>
> <xsl:variable name="c" select="file:createNewFile($f)"/>
> </xsl:template>
> </xsl:stylesheet>
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@xalan.apache.org
For additional commands, e-mail: dev-help@xalan.apache.org