Re: [xsl] Saxon vulnerability

Subject: Re: [xsl] Saxon vulnerability
From: "Martin Honnen martin.honnen@xxxxxx" <xsl-list-service@xxxxxxxxxxxxxxxxxxxxxx>
Date: Sat, 8 Mar 2025 15:43:28 -0000
On 08/03/2025 16:23, Roger L Costello costello@xxxxxxxxx wrote:
Sorry Martin, but may I ask of you one more time to review this for accuracy:

SAXON has a configuration property allowedProtocols that can be set to "https,http" to allow only HTTPS and HTTP URIs to be resolved, while file URI access should fail (i.e., access to the file should be blocked). However, when allowedProtocols is set, SAXON fails to block file access when the string given to parse-xml() contains a user-defined entity--via an ENTITY declaration (in a DOCTYPE or in a DTD)--and the entity references a file.

Workaround: prevent parse-xml() from doing any DTD/DOCTYPE access; disable DTD/DOCTYPE (https://saxonica.plan.io/issues/6711#note-12)

That seems accurate to me.
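The following Java program is an added illustration of the two configurations discussed in the message above; it is not code from the thread, from Saxonica, or from issue 6711. It uses the Saxon s9api to call parse-xml() on a string whose DOCTYPE declares an external entity pointing at a local file, first with only allowedProtocols set to "https,http", then with DOCTYPE declarations additionally rejected at the XML parser level. Assumptions: Saxon-HE 12.x on the classpath; that parse-xml() uses the parser configured through the Processor, so a SAX feature passed via FeatureKeys.XML_PARSER_FEATURE applies to it; and that the Xerces/JDK feature disallow-doctype-decl is one acceptable way to realise the "disable DTD/DOCTYPE" workaround (note 12 of the issue may prescribe a different setting). The payload and the file path in it are constructed test input.

```java
import net.sf.saxon.lib.Feature;
import net.sf.saxon.lib.FeatureKeys;
import net.sf.saxon.s9api.Processor;
import net.sf.saxon.s9api.QName;
import net.sf.saxon.s9api.SaxonApiException;
import net.sf.saxon.s9api.XPathCompiler;
import net.sf.saxon.s9api.XPathExecutable;
import net.sf.saxon.s9api.XPathSelector;
import net.sf.saxon.s9api.XdmAtomicValue;
import net.sf.saxon.s9api.XdmValue;

public class ParseXmlEntityCheck {

    // Constructed test input: a document whose internal DTD subset declares an
    // external entity that points at a local file (a harmless one here) and then
    // expands that entity inside the element content. This is the shape of
    // input the thread describes, not a payload taken from the issue.
    static final String PAYLOAD =
        "<!DOCTYPE d [<!ENTITY f SYSTEM \"file:///etc/hostname\">]><d>&f;</d>";

    // Evaluates string(parse-xml($xml)) with the given Processor and returns
    // either the text content of the parsed document or the error message.
    static String parseWith(Processor proc) {
        try {
            XPathCompiler xc = proc.newXPathCompiler();
            QName var = new QName("xml");
            xc.declareVariable(var);
            XPathExecutable exe = xc.compile("string(parse-xml($xml))");
            XPathSelector sel = exe.load();
            sel.setVariable(var, new XdmAtomicValue(PAYLOAD));
            XdmValue result = sel.evaluate();
            return "parsed OK, content: " + result;
        } catch (SaxonApiException e) {
            return "blocked: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        // 1. The setting from the thread: only https and http URIs may be
        //    dereferenced. This is the configuration reported as not blocking
        //    a file read performed through a DOCTYPE-declared entity.
        Processor weak = new Processor(false);
        weak.setConfigurationProperty(Feature.ALLOWED_PROTOCOLS, "https,http");
        System.out.println("allowedProtocols only  : " + parseWith(weak));

        // 2. The workaround: keep allowedProtocols and also tell the underlying
        //    XML parser to reject any DOCTYPE declaration, so no entity can be
        //    declared at all. XML_PARSER_FEATURE is Saxon's prefix for passing a
        //    SAX parser feature URI through its configuration (assumption: this
        //    parser is the one parse-xml() uses).
        Processor hardened = new Processor(false);
        hardened.setConfigurationProperty(Feature.ALLOWED_PROTOCOLS, "https,http");
        hardened.setConfigurationProperty(
            FeatureKeys.XML_PARSER_FEATURE
                + "http://apache.org/xml/features/disallow-doctype-decl",
            true);
        System.out.println("+ disallow-doctype-decl: " + parseWith(hardened));
    }
}
```

Whether the first run prints the file's contents depends on the Saxon version and on whether the behaviour discussed in the issue has been changed; the second run is expected to fail at the DOCTYPE before any entity is resolved, which is the point of the workaround. Rejecting DOCTYPE outright also disables legitimate internal DTD subsets, so apply it only where parse-xml() input is untrusted or never legitimately carries a DTD.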
