Subject: Re: [xsl] Saxon vulnerability
From: "Martin Honnen martin.honnen@xxxxxx" <xsl-list-service@xxxxxxxxxxxxxxxxxxxxxx>
Date: Sat, 8 Mar 2025 14:19:09 -0000
On 08/03/2025 14:51, Roger L Costello costello@xxxxxxxxx wrote:
> Thank you, Martin.
>
> Is this accurate:
>
> SAXON has a configuration property allowedProtocols that can be set to "https,http" to allow only HTTPS and HTTP URIs to be resolved, while file URI access should fail. However, currently, when doing this:
>
> unparsed-text('file:///Windows/win.ini')
>
> SAXON fails to block the parsing of the XML.

No, the unparsed-text resolution to file URIs is blocked when setting allowedProtocols to "https,http"; the resolution of external entities in DTDs using file URIs is what is not blocked, even if allowedProtocols is set.

So, e.g., the SaxonC 12.5 HE powered XML workbench doing unparsed-text('file///etc/password') (example fiddle <https://saxonc-xmlworkbench.azurewebsites.net/?code=unparsed-text%28%27file%2F%2F%2Fetc%2Fpassword%27%29&input=%0A&code-type=XPath&input-type=None>) has previously given you and continues to give you an error "Error(s) during XPath evaluation: FOUT1170: URIs using protocol file are not permitted. Line number: 1", but previously the use of an external entity to that file URI was not blocked and allowed reading out that file, and it is now only blocked because I applied the parser setting to disable DTDs completely, the workaround that Michael Kay suggested.
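The two-part mitigation described above (allowedProtocols for unparsed-text()/doc(), plus a parser setting that disables DTDs for the external-entity case), written up as an added Java s9api example that is not from this thread or from Saxon's own code. It assumes Saxon-HE on Java with the JDK's built-in Xerces parser, and that Saxon forwards a "parserFeature?uri=" configuration key to that parser; the sample document and its file path are constructed placeholders.

```java
import net.sf.saxon.lib.Feature;
import net.sf.saxon.s9api.*;
import javax.xml.transform.stream.StreamSource;
import java.io.StringReader;

public class SaxonFileAccessHardening {
    // Parser feature (Xerces / JDK built-in parser) that rejects any DOCTYPE declaration,
    // so no external entity, and hence no file URI, can be declared at all.
    static final String DISALLOW_DOCTYPE = "http://apache.org/xml/features/disallow-doctype-decl";
    // Assumption: Saxon forwards a key of the form "...parserFeature?uri=<feature URI>"
    // to the underlying XML parser.
    static final String PARSER_FEATURE_PREFIX = "http://saxon.sf.net/feature/parserFeature?uri=";

    static Processor hardenedProcessor() {
        Processor p = new Processor(false); // false = Saxon-HE
        // Restricts unparsed-text(), doc() etc. to https and http URIs; others raise FOUT1170.
        p.setConfigurationProperty(Feature.ALLOWED_PROTOCOLS, "https,http");
        // allowedProtocols does not cover DTD external entities, so disable DTDs at the parser.
        p.getUnderlyingConfiguration()
                .setConfigurationProperty(PARSER_FEATURE_PREFIX + DISALLOW_DOCTYPE, true);
        return p;
    }

    // Returns the error message if the XPath is rejected, or its result if it runs.
    static String evaluateXPath(Processor p, String xpath) {
        try {
            XdmValue v = p.newXPathCompiler().evaluate(xpath, null);
            return "ALLOWED: " + v;
        } catch (SaxonApiException e) {
            return "BLOCKED: " + e.getMessage();
        }
    }

    // Returns the parser's rejection message, or the document text if it parsed.
    static String parseDocument(Processor p, String xml) {
        try {
            XdmNode doc = p.newDocumentBuilder().build(new StreamSource(new StringReader(xml)));
            return "PARSED: " + doc.getStringValue();
        } catch (SaxonApiException e) {
            return "REJECTED: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        Processor p = hardenedProcessor();
        System.out.println(evaluateXPath(p, "unparsed-text('file:///etc/passwd')")); // BLOCKED (FOUT1170)
        // Constructed sample: a DOCTYPE declaring an external entity on a file URI (placeholder path).
        String xml = "<!DOCTYPE d [<!ENTITY e SYSTEM \"file:///PLACEHOLDER/secret.txt\">]><d>&e;</d>";
        System.out.println(parseDocument(p, xml)); // REJECTED only because DOCTYPEs are disallowed
    }
}
```

Running the second check with the parser feature line removed is the quickest way to confirm that allowedProtocols alone does not stop the DTD path on your Saxon build.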