RE: [xsl] security & document() ?

Subject: RE: [xsl] security & document() ?
From: "Michael Kay" <mhk@xxxxxxxxx>
Date: Wed, 5 Mar 2003 05:04:45 -0000
> I don't get it. I hear there are security issues with the document() 
> function, but I don't see how that could be possible. Since 
> document() only 
> reads an XML file for further processing, how can this be any 
> worse than 
> using wget to download a file? I must be missing something...

Here is one scenario where the document() function can be a risk. You
write a servlet to do transformations, that accepts URLs for the source
document and the stylesheet as query parameters. Like the one at
http://www.w3.org/2001/05/xslt, for example. Someone calls this servlet
supplying http://www.evil.com/malicious.xsl as the stylesheet. You
execute this untrusted stylesheet on your machine. It calls the
document() function with a URL of file:///usr/victim/data.xml, and
returns the contents of a data file residing on the machine where the
transformation took place.

Allowing an untrusted stylesheet to run on your machine is like running
any other untrusted code on your machine; you have no idea what damage
it might do.

An even bigger risk, of course, is that the untrusted stylesheet will
call arbitrary Java extension functions. The W3C servlet cited above
runs with a version of xt that has been modified to prevent extension
functions being executed. The modification was only done after I
demonstrated to them how it could be exploited.

Michael Kay


 XSL-List info and archive:  http://www.mulberrytech.com/xsl/xsl-list
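As an added defensive example (not code from this thread, from xt or from the W3C servlet): a JAXP configuration that closes both holes described above, blocking document() to local files with an allow-listing URIResolver and disabling extension functions. It assumes the JDK's built-in XSLT processor (Java 7u40 or later for the ACCESS_EXTERNAL_* attributes); the class name, the allow-list prefix and the stand-in stylesheet are constructed for illustration.

```java
import java.io.StringReader;
import java.io.StringWriter;
import javax.xml.XMLConstants;
import javax.xml.transform.*;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;

public class HardenedXslt {
  // Hypothetical allow-list: document() may only fetch URIs under this prefix.
  private static final String ALLOWED_PREFIX = "https://docs.example.internal/";

  // Consulted for every document()/xsl:include/xsl:import URI.
  // Returning null would fall back to default resolution, so reject by throwing.
  static final class AllowListResolver implements URIResolver {
    public Source resolve(String href, String base) throws TransformerException {
      if (href == null || !href.startsWith(ALLOWED_PREFIX)) {
        throw new TransformerException("document() blocked for URI: " + href);
      }
      return new StreamSource(href);
    }
  }

  static TransformerFactory hardenedFactory() throws TransformerException {
    TransformerFactory tf = TransformerFactory.newInstance();
    // Disables extension functions (the bigger risk named in the mail).
    tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
    // Empty protocol list: no external DTDs, includes, imports or document() fetches.
    tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
    tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
    tf.setURIResolver(new AllowListResolver());
    return tf;
  }

  // Runs a (possibly untrusted) stylesheet; the resolver is set on the Transformer
  // too, since document() is resolved at run time rather than compile time.
  static String transform(String xml, String xsl) throws TransformerException {
    Transformer t = hardenedFactory().newTransformer(new StreamSource(new StringReader(xsl)));
    t.setURIResolver(new AllowListResolver());
    StringWriter out = new StringWriter();
    t.transform(new StreamSource(new StringReader(xml)), new StreamResult(out));
    return out.toString();
  }

  public static void main(String[] args) {
    // Constructed stand-in for the malicious stylesheet described in the mail.
    String untrustedXsl = "<xsl:stylesheet version='1.0' xmlns:xsl='http://www.w3.org/1999/XSL/Transform'>"
      + "<xsl:template match='/'><xsl:copy-of select=\"document('file:///usr/victim/data.xml')\"/></xsl:template></xsl:stylesheet>";
    try { System.out.println(transform("<doc/>", untrustedXsl)); }
    catch (TransformerException e) { System.out.println("Rejected: " + e.getMessage()); }
  }
}
```

The file: URI never reaches the filesystem: the resolver throws, and the transformation aborts with the "document() blocked" message instead of returning the data file.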