Subject: RE: [xsl] security & document() ?
From: "Michael Kay" <mhk@xxxxxxxxx>
Date: Wed, 5 Mar 2003 05:04:45 -0000

> I don't get it. I hear there are security issues with the document()
> function, but I don't see how that could be possible. Since document()
> only reads an XML file for further processing, how can this be any
> worse than using wget to download a file? I must be missing something...

Here is one scenario where the document() function can be a risk.

You write a servlet to do transformations, that accepts URLs for the source document and the stylesheet as query parameters. Like the one at http://www.w3.org/2001/05/xslt, for example.

Someone calls this servlet supplying http://www.evil.com/malicious.xsl as the stylesheet.

You execute this untrusted stylesheet on your machine. It calls the document() function with a URL of file:///usr/victim/data.xml, and returns the contents of a data file residing on the machine where the transformation took place.

Allowing an untrusted stylesheet to run on your machine is like running any other untrusted code on your machine; you have no idea what damage it might do.

An even bigger risk, of course, is that the untrusted stylesheet will call arbitrary Java extension functions. The W3C servlet cited above runs with a version of xt that has been modified to prevent extension functions being executed. The modification was only done after I demonstrated to them how it could be exploited.

Michael Kay

XSL-List info and archive: http://www.mulberrytech.com/xsl/xsl-list
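
A defensive counterpart to the scenario in the message above, added here as an example and not part of the original post: a JAXP transformer configured so that a stylesheet cannot reach files through document() or call extension functions. It assumes the JDK's built-in XSLT processor (JAXP 1.5 or later); the class name HardenedXslt and the inline stylesheet are constructed for illustration.

```java
import javax.xml.XMLConstants;
import javax.xml.transform.*;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;
import java.io.StringReader;
import java.io.StringWriter;

public class HardenedXslt {  // hypothetical class name
    // Refuses every URI the stylesheet asks for: document(), xsl:import, xsl:include.
    static final URIResolver DENY_ALL = (href, base) -> {
        throw new TransformerException("blocked external reference: " + href);
    };

    static TransformerFactory newFactory() throws TransformerConfigurationException {
        TransformerFactory tf = TransformerFactory.newInstance();
        // Secure processing disables extension functions in the JDK's processor.
        tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Empty protocol lists: no file:, http: or other scheme may be fetched.
        // Processors that do not know these attributes throw IllegalArgumentException.
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        tf.setURIResolver(DENY_ALL);   // applies while the stylesheet is compiled
        return tf;
    }

    static String transform(String xslt, String xml) throws TransformerException {
        Transformer t = newFactory().newTransformer(new StreamSource(new StringReader(xslt)));
        t.setURIResolver(DENY_ALL);    // applies to document() at run time
        StringWriter out = new StringWriter();
        t.transform(new StreamSource(new StringReader(xml)), new StreamResult(out));
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed stylesheet reproducing the document() call from the message.
        String xslt =
            "<xsl:stylesheet version='1.0' xmlns:xsl='http://www.w3.org/1999/XSL/Transform'>"
          + "<xsl:template match='/'>"
          + "<xsl:copy-of select=\"document('file:///usr/victim/data.xml')\"/>"
          + "</xsl:template></xsl:stylesheet>";
        try {
            System.out.println("output: " + transform(xslt, "<in/>"));
        } catch (TransformerException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

These settings narrow what a stylesheet can reach; they do not make it safe to accept stylesheet URLs from request parameters, which is the root of the scenario.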