Subject: Re: [xsl] Saxon vulnerability
From: "Martin Honnen martin.honnen@xxxxxx" <xsl-list-service@xxxxxxxxxxxxxxxxxxxxxx>
Date: Sat, 8 Mar 2025 15:00:50 -0000
On 08/03/2025 15:50, Roger L Costello costello@xxxxxxxxx wrote:
> Thank you again, Martin. I want to be certain that I have this correct, so I can give my colleagues accurate information.
>
> Is this accurate:
>
> SAXON has a configuration property allowedProtocols that can be set to "https,http" to allow only HTTPS and HTTP URIs to be resolved, while file URI access should fail (i.e., access to the file should be blocked). However, when allowedProtocols is set, SAXON fails to block file access when the string given to unparsed-text contains a user-defined entity--via an ENTITY declaration in a DTD--and the entity references a file.

Roger, the original posting you had did use parse-xml with an external entity. I am not sure why you now bring up unparsed-text, which doesn't use an XML parser or entity resolution, other than that I pointed out that unparsed-text file URI access is blocked by setting https,http for allowedProtocols.

So with unparsed-text there is no vulnerability as far as I am aware; the vulnerability is in the context of XML parsing, at least with parse-xml, where you can feed a DTD with a SYSTEM identifier pointing with a file URI to a local file, and where the current mechanism of allowedProtocols set to "https,http" fails to block that file URI entity resolution (in the context of XML parsing, at least with parse-xml).

As for the workaround, yes, the property suggested in https://saxonica.plan.io/issues/6711#note-12 disables the use of DTDs/DOCTYPE.
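An added example, not from the xsl-list thread and not Saxonica's code, that exercises the two cases Martin distinguishes above: unparsed-text() on a file URI, and parse-xml() on a document whose DTD declares an external entity with a SYSTEM identifier that is the same file URI, each run against a Processor configured with allowedProtocols = "https,http", first as-is and then with DOCTYPE declarations disallowed. It assumes Saxon HE 11 or later (s9api) on the classpath; the constant name Feature.ALLOWED_PROTOCOLS and the parserFeature?uri=... property string used to pass the Xerces disallow-doctype-decl feature through are assumptions to check against the installed version's Feature documentation, and the latter is only a stand-in for whatever property note-12 of issue 6711 suggests, which is not reproduced here. The temp file and the DOCTYPE document string are constructed inputs.

```java
import net.sf.saxon.lib.Feature;
import net.sf.saxon.s9api.*;

import javax.xml.transform.stream.StreamSource;
import java.io.StringReader;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.HashMap;
import java.util.Map;

public class SaxonFileAccessCheck {

    // Constructed stylesheet: $mode selects either unparsed-text() on a file URI
    // or parse-xml() on a document string that declares an external entity.
    static final String XSL =
        "<xsl:stylesheet version='3.0' xmlns:xsl='http://www.w3.org/1999/XSL/Transform'>\n" +
        "  <xsl:param name='mode'/>\n" +
        "  <xsl:param name='uri'/>\n" +
        "  <xsl:param name='doc'/>\n" +
        "  <xsl:template name='xsl:initial-template'>\n" +
        "    <xsl:choose>\n" +
        "      <xsl:when test=\"$mode = 'unparsed-text'\">\n" +
        "        <xsl:value-of select=\"unparsed-text($uri)\"/>\n" +
        "      </xsl:when>\n" +
        "      <xsl:otherwise>\n" +
        "        <xsl:value-of select=\"parse-xml($doc)\"/>\n" +
        "      </xsl:otherwise>\n" +
        "    </xsl:choose>\n" +
        "  </xsl:template>\n" +
        "</xsl:stylesheet>";

    static Processor processor(boolean disallowDoctype) {
        Processor proc = new Processor(false);
        // The setting discussed in the thread: only http and https may be resolved.
        // Feature.ALLOWED_PROTOCOLS is an assumed constant name; verify for your version.
        proc.setConfigurationProperty(Feature.ALLOWED_PROTOCOLS, "https,http");
        if (disallowDoctype) {
            // Assumed stand-in for the property referenced in issue 6711 note-12:
            // hand the Xerces disallow-doctype-decl feature to Saxon's XML parser.
            proc.setConfigurationProperty(
                "http://saxon.sf.net/feature/parserFeature?uri=" +
                "http://apache.org/xml/features/disallow-doctype-decl", true);
        }
        return proc;
    }

    // Runs the stylesheet once and reports whether the file contents came back
    // or Saxon raised an error (the outcome allowedProtocols is meant to produce).
    static String run(Processor proc, String mode, String uri, String doc) {
        try {
            XsltExecutable exe = proc.newXsltCompiler()
                .compile(new StreamSource(new StringReader(XSL)));
            Xslt30Transformer t = exe.load30();
            Map<QName, XdmValue> params = new HashMap<>();
            params.put(new QName("mode"), new XdmAtomicValue(mode));
            params.put(new QName("uri"), new XdmAtomicValue(uri));
            params.put(new QName("doc"), new XdmAtomicValue(doc));
            t.setStylesheetParameters(params);
            return "READ: " + t.callTemplate(null).toString().trim();
        } catch (SaxonApiException e) {
            return "BLOCKED: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed target: a temp file standing in for a local secret.
        Path secret = Files.createTempFile("saxon-check", ".txt");
        Files.writeString(secret, "local-secret-contents");
        String uri = secret.toUri().toString();
        // Document string handed to parse-xml(): its internal DTD subset declares an
        // external entity whose SYSTEM identifier is the file URI, then references it.
        String doc = "<!DOCTYPE r [<!ENTITY e SYSTEM \"" + uri + "\">]><r>&e;</r>";

        for (boolean hardened : new boolean[] {false, true}) {
            Processor proc = processor(hardened);
            System.out.println(hardened ? "allowedProtocols + DOCTYPE disallowed"
                                        : "allowedProtocols only");
            System.out.println("  unparsed-text -> " + run(proc, "unparsed-text", uri, doc));
            System.out.println("  parse-xml     -> " + run(proc, "parse-xml", uri, doc));
        }
        Files.deleteIfExists(secret);
    }
}
```

On a Saxon build affected by the behaviour Martin describes, the first pass should report the unparsed-text() call as blocked while parse-xml() returns the file contents; the second pass, with DOCTYPE declarations rejected by the parser, should report both as blocked. Whether your installed version behaves that way is exactly what the run tells you, so treat the output as the check rather than assuming either result.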