RE: [xsl] Can an XSLT document invoke arbitrary extension functions?

Subject: RE: [xsl] Can an XSLT document invoke arbitrary extension functions?
From: "Michael Kay" <mike@xxxxxxxxxxxx>
Date: Mon, 26 Oct 2009 20:58:54 -0000
> The briefing seems to suggest that XSLT is riddled with 
> security leaks, as any XSLT transform can invoke pretty much 
> any arbitrary function (apparently including, as the below 
> XSLT transform shows, any arbitrary Windows function). 
> Questions:
> 1. Should the below XSLT Transform work? (i.e. is there 
> simply a minor bug in it, that when fixed, would make it 
> operate as desired?)
> 2. Is there any control over the set of extension functions 
> provided by XSLT processors?
> 3. How do you respond to the briefing's suggestions that XSLT 
> is riddled with security leaks? (I realize this is a broad 
> question; any thoughts you have would be appreciated)

1. The set of extension functions provided by a processor is defined by
that processor, not by the language specification. So the answer to (1)
depends on which processor you are using.

2. Ditto. Saxon has always had an option to disable all extension functions,
for this reason. The latest release of Saxon goes beyond this, by allowing
you to restrict the processor to use only extension functions that have been
pre-registered with the processor: so provided you trust the application
that invokes the processor, you don't need to trust the stylesheet.

3. It's rather emotive language, but there is certainly an issue here that
implementors and users need to be aware of. In the early days of XSLT the
W3C ran a service to run user-uploaded transformations using James Clark's
xt processor, which at the time had no way to disable extension functions,
and I demonstrated that it was possible to use this to obtain a full listing
of the server filestore. (I could equally have read or deleted files if I
had been so inclined). For a short time before I spotted it, Software AG
were doing the same thing. So it's right to draw attention to the risk.

Also of course, XSLT is Turing-complete, so it is eminently capable of
denial-of-service attacks. The bottom line is that a stylesheet is a
program, and if you really care about security then you shouldn't run
untrusted programs, whatever language they are written in.


Michael Kay 
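
As an added example (not from Michael Kay's message, and not Saxon's own code), the "trust the application, not the stylesheet" model of point 2 in a host program: the host registers the only extension function a stylesheet may call and denies file and network access, shown with Python's lxml binding to libxslt because it exposes both controls. The namespace, function name and sample file are constructed for the example.

```python
import os
import tempfile
from lxml import etree

APP_NS = "urn:example:app"  # constructed namespace for the one function the host exposes

def stylesheet(select, ns):
    """Build a minimal text-output stylesheet whose root template evaluates `select`."""
    return f"""<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
  xmlns:f="{ns}">
  <xsl:output method="text"/>
  <xsl:template match="/"><xsl:value-of select="{select}"/></xsl:template>
</xsl:stylesheet>"""

def greet(context, name):
    """The only extension function the host registers: string formatting, no I/O."""
    return "hello " + str(name)

def run(xslt_source, xml_source="<r name='world'/>"):
    """Compile and run an untrusted stylesheet with only the host's registered
    functions and no file/network access. Returns the text output, or None when
    libxslt raised or logged an error (unknown function, denied read, ...)."""
    try:
        transform = etree.XSLT(
            etree.XML(xslt_source.encode()),
            # the stylesheet may call f:greet and nothing the host did not register
            extensions={(APP_NS, "greet"): greet},
            # deny document()/xsl:document access to files and network URLs
            access_control=etree.XSLTAccessControl.DENY_ALL,
        )
        result = transform(etree.XML(xml_source.encode()))
    except etree.XSLTError:
        return None
    if len(transform.error_log):
        return None
    return str(result)

def demo():
    """Registered call, unregistered call, and a document() read of a real file."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "secret.xml")
        with open(path, "w") as fh:
            fh.write("<secret>constructed sample data</secret>")
        return {
            "registered": run(stylesheet("f:greet(string(/r/@name))", APP_NS)),
            "unregistered": run(stylesheet("f:anything()", "urn:example:unregistered")),
            "file_read": run(stylesheet(f"document('file://{path}')", APP_NS)),
        }

if __name__ == "__main__":
    print(demo())  # {'registered': 'hello world', 'unregistered': None, 'file_read': None}
```

Only the registered call produces output; the unregistered function and the file read are both refused by the processor configuration rather than by inspecting the stylesheet.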