Re: [xsl] Saxon vulnerability

Subject: Re: [xsl] Saxon vulnerability
From: "Roger L Costello costello@xxxxxxxxx" <xsl-list-service@xxxxxxxxxxxxxxxxxxxxxx>
Date: Sat, 8 Mar 2025 14:50:09 -0000

Thank you again, Martin. I want to be certain that I have this correct, so I
can give my colleagues accurate information.

Is this accurate:

SAXON has a configuration property allowedProtocols that can be set to
"https,http" to allow only HTTPS and HTTP URIs to be resolved, while file URI
access should fail (i.e., access to the file should be blocked). However, when
allowedProtocols is set, SAXON fails to block file access when the string
given to unparsed-text contains a user-defined entity--via an ENTITY
declaration in a DTD--and the entity references a file.

Workaround: disable DTDs completely.
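The two settings named in this message, the allowedProtocols allow-list and the DTD workaround, applied together in code. This is an added example, not code from Roger, Martin or the Saxon project. It assumes Saxon-HE 10 or later with the s9api API (Feature.ALLOWED_PROTOCOLS, Processor.setConfigurationProperty, ParseOptions.addParserFeature), that the JDK's Xerces-derived parser honours the "disallow-doctype-decl" feature, and that a refused unparsed-text() call surfaces as a SaxonApiException. The class name HardenedSaxon and the helper names are invented for the example.

```java
import java.io.StringReader;
import java.io.StringWriter;
import java.util.Map;
import javax.xml.transform.stream.StreamSource;
import net.sf.saxon.lib.Feature;
import net.sf.saxon.s9api.Processor;
import net.sf.saxon.s9api.QName;
import net.sf.saxon.s9api.SaxonApiException;
import net.sf.saxon.s9api.Serializer;
import net.sf.saxon.s9api.XdmAtomicValue;
import net.sf.saxon.s9api.Xslt30Transformer;
import net.sf.saxon.s9api.XsltCompiler;
import net.sf.saxon.s9api.XsltExecutable;

public class HardenedSaxon {

    // Builds a Processor with both settings from the thread:
    //  1. allowedProtocols = "https,http"  -> file: URIs must be refused
    //  2. DTDs disabled at the parser      -> the workaround for the entity case
    public static Processor hardenedProcessor() {
        Processor processor = new Processor(false);   // Saxon-HE, no licence
        processor.setConfigurationProperty(Feature.ALLOWED_PROTOCOLS, "https,http");
        // Assumption: this Xerces/JDK parser feature is passed through by Saxon
        // to every XML parser it creates, so any DOCTYPE (and thus any ENTITY
        // declaration) is rejected before entity expansion can happen.
        processor.getUnderlyingConfiguration().getParseOptions()
                 .addParserFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return processor;
    }

    // Runs a minimal stylesheet that calls unparsed-text($href) and reports
    // whether the processor allowed or blocked the read. Used to check the
    // configuration, not to read anything useful.
    public static String tryUnparsedText(Processor processor, String hrefValue) {
        String xslt =
              "<xsl:stylesheet version='3.0' xmlns:xsl='http://www.w3.org/1999/XSL/Transform'>"
            + "  <xsl:param name='href'/>"
            + "  <xsl:template name='xsl:initial-template'>"
            + "    <xsl:value-of select='unparsed-text($href)'/>"
            + "  </xsl:template>"
            + "</xsl:stylesheet>";
        try {
            XsltCompiler compiler = processor.newXsltCompiler();
            XsltExecutable executable = compiler.compile(new StreamSource(new StringReader(xslt)));
            Xslt30Transformer transformer = executable.load30();
            transformer.setStylesheetParameters(
                Map.of(new QName("href"), new XdmAtomicValue(hrefValue)));
            StringWriter out = new StringWriter();
            Serializer serializer = processor.newSerializer(out);
            transformer.callTemplate(null, serializer);   // null = xsl:initial-template
            return "ALLOWED: " + out;
        } catch (SaxonApiException e) {
            // With the allow-list in place this is the expected outcome for file: URIs
            return "BLOCKED: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        Processor processor = hardenedProcessor();
        // Constructed sample hrefs; the file path is a placeholder, not a real target
        System.out.println(tryUnparsedText(processor, "file:///PLACEHOLDER/local-file.txt"));
        System.out.println(tryUnparsedText(processor, "https://example.invalid/notes.txt"));
    }
}
```

The first call should print a BLOCKED line because "file" is not in the allow-list; the second passes the protocol check and then fails or succeeds on the network, which is the behaviour the allow-list is meant to give. Keeping both settings in one factory method means every Processor in an application gets the DTD workaround as well as the allow-list, rather than relying on allowedProtocols alone, which this thread reports is not sufficient on its own.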