RE: [xsl] The evaluate function

Subject: RE: [xsl] The evaluate function
From: "Matt G." <matt_g_@xxxxxxxxxxx>
Date: Fri, 04 Jan 2002 01:43:20
> Apart from all the issues mentioned by Mr. Kay, an eval()
> function makes it rather easy to open security holes in
> a style sheet.

Indeed, you have cited some serious problems. However, I disagree with you on their exact nature and origin.

> For example, once you figured out you can put an XPath into
> the nice "Enter your query here" field which is passed
> directly to an eval() function, what will stop you from
> entering document("file:///C/Documents and Settings/Administrator/preferences.xml")?

Why would someone allow users to pass input directly to an XPath evaluate function? This seems to me like a bad idea. Furthermore, proper use of permissions should prevent access to system configuration files.

> Or, if extension functions may be called indiscriminately:
>  mswin:delete("C:\*.*","recursive")

What is such an extension function even doing in an XSLT processor!? Furthermore, it seems similarly absurd for an admin not to configure the system's permissions to preclude such things.

I don't think it makes sense to handicap a standard, based on vulnerabilities introduced by nonstandard extensions used on poorly administrated systems.


Matthew Gruenke
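As an added illustration (not part of this post or of the XSL-List thread) of both points raised above, the block below uses Python with lxml, whose libxslt back end implements EXSLT dyn:evaluate and whose XSLTAccessControl plays the role of the "proper use of permissions" the reply refers to. The stylesheet, the file name and the sample documents are constructed for the example and assume lxml is installed.

```python
import tempfile
from pathlib import Path

from lxml import etree  # assumption: lxml (libxslt with EXSLT) is installed

# Constructed sample input: the document the stylesheet is meant to query,
# and a local file it has no business reading (stands in for preferences.xml).
DATA_XML = b"<items><item id='1'>public record</item></items>"
SECRET_XML = b"<preferences><password>TOPSECRET</password></preferences>"

# Hypothetical stylesheet that hands a user-supplied string straight to
# dyn:evaluate, the pattern the quoted post objects to.
XSLT_SRC = b"""<xsl:stylesheet version="1.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    xmlns:dyn="http://exslt.org/dynamic">
  <xsl:param name="query"/>
  <xsl:template match="/">
    <result><xsl:copy-of select="dyn:evaluate($query)"/></result>
  </xsl:template>
</xsl:stylesheet>"""

# The "permissions" side of the argument, enforced by the processor itself:
# document() may read neither files nor the network, and nothing may be written.
LOCKED_DOWN = etree.XSLTAccessControl(
    read_file=False, write_file=False, create_dir=False,
    read_network=False, write_network=False)


def run_query(user_input, access_control=None):
    """Evaluate raw user input via dyn:evaluate; None if the processor aborted."""
    transform = etree.XSLT(etree.XML(XSLT_SRC), access_control=access_control)
    try:
        result = transform(etree.XML(DATA_XML),
                           query=etree.XSLT.strparam(user_input))
    except etree.XSLTApplyError:  # libxslt stops the transform on a denied read
        return None
    return str(result)


def secret_leaks(access_control=None):
    """Write a secret file, request it through document(), report if it came back."""
    path = Path(tempfile.mkdtemp()) / "preferences.xml"
    path.write_bytes(SECRET_XML)
    out = run_query("document('%s')" % path.as_uri(), access_control)
    return out is not None and "TOPSECRET" in out


if __name__ == "__main__":
    print("legitimate query:", run_query("//item[@id='1']"))
    print("unrestricted processor leaks file:", secret_leaks())
    print("locked-down processor leaks file:", secret_leaks(LOCKED_DOWN))
```

The lock-down stops the file read inside the processor even though the stylesheet still evaluates whatever it is given; validating or whitelisting the query before it reaches dyn:evaluate is the complementary control.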



XSL-List info and archive: http://www.mulberrytech.com/xsl/xsl-list