Re: [xsl] Saxon vulnerability

Subject: Re: [xsl] Saxon vulnerability
From: "Liam R. E. Quin liam@xxxxxxxxxxxxxxxx" <xsl-list-service@xxxxxxxxxxxxxxxxxxxxxx>
Date: Sat, 8 Mar 2025 20:17:52 -0000
On Sat, 2025-03-08 at 15:23 +0000, Roger L Costello costello@xxxxxxxxx
>
> Workaround: prevent parse-xml() from doing any DTD/DOCTYPE access;
> disable DTD/DOCTYPE (https://saxonica.plan.io/issues/6711#note-12)

It is important to understand that the vulnerability only applies when
using Saxon on untrusted XML input in a locked-down environment. For
example, consider an XSLT service on the Web, where anyone can upload a
document and stylesheet and get back the result of a transformation.
They can exploit this vulnerability to access any text file on the
system, at least as long as it doesn't contain < > or & characters.

It might also be possible to exploit this using a stylesheet too -

<!DOCTYPE xsl:stylesheet [
  <!ENTITY naughty SYSTEM "file:///etc/group">
]>

<xsl:stylesheet .....

  <xsl:variable name="bad">
    &naughty;
  </xsl:variable>

but I don't know that for sure.

But again, this applies only where you're running the XSLT remotely,
and lets you access files on the remote server, if the XSLT processor
is not running (as it should be) in a container (or chroot jail on
Linux or Unix, as an older alternative).

Running locally and using the results yourself, it won't tell you
anything you could have found out more easily in other ways :)

liam

--
Liam Quin, https://www.delightfulcomputing.com/
Available for XML/Document/Information Architecture/XSLT/
XSL/XQuery/Web/Text Processing/A11Y training, work & consulting.
Barefoot Web-slave, antique illustrations: http://www.fromoldbooks.org
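The message above is about a transformation service accepting uploaded documents and stylesheets; the following is an added example (not code from the thread, from Saxonica or from Saxon itself) of an input gate such a service could run before invoking any XSLT processor. It uses Python's bundled expat parser, which reports DOCTYPE and entity declarations but does not fetch external entities unless a handler is installed, so screening the payload is itself safe. The sample stylesheet is constructed to match the shape sketched in the message.

```python
import xml.parsers.expat as expat

class DoctypeRejected(ValueError):
    """Raised when an input carries a DOCTYPE declaration."""

def inspect_dtd(xml_text: str) -> dict:
    """Report DOCTYPE and external entity declarations without resolving them.
    external_entities holds (name, SYSTEM id) pairs declared with SYSTEM/PUBLIC,
    which is what an XXE read needs; internal text entities are not listed."""
    report = {"doctype": None, "external_subset": None, "external_entities": []}
    parser = expat.ParserCreate()
    def on_doctype(name, sysid, pubid, has_internal_subset):
        report["doctype"] = name
        report["external_subset"] = sysid   # SYSTEM id on the DOCTYPE itself
    def on_entity(name, is_param, value, base, sysid, pubid, notation):
        if sysid is not None or pubid is not None:
            report["external_entities"].append((name, sysid))
    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    # No ExternalEntityRefHandler is installed, so a &ref; to an external
    # entity in content is skipped by expat rather than read from disk.
    parser.Parse(xml_text, True)
    return report

def require_no_doctype(xml_text: str, label: str) -> str:
    """Service-side gate: refuse any DOCTYPE at all, mirroring the
    'disable DTD/DOCTYPE' workaround, and say which input tripped it."""
    report = inspect_dtd(xml_text)
    if report["doctype"] is not None:
        names = ", ".join(n for n, _ in report["external_entities"]) or "none"
        raise DoctypeRejected(f"{label}: DOCTYPE '{report['doctype']}' "
                              f"found (external entities: {names})")
    return xml_text

def is_safe_to_transform(xml_text: str, label: str = "input") -> bool:
    try:
        require_no_doctype(xml_text, label)
        return True
    except DoctypeRejected:
        return False

# Constructed samples: a stylesheet of the shape sketched in the message,
# and a clean document that should be accepted.
BAD_STYLESHEET = """<!DOCTYPE xsl:stylesheet [
  <!ENTITY naughty SYSTEM "file:///etc/group">
]>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:variable name="bad">&naughty;</xsl:variable>
</xsl:stylesheet>"""
CLEAN_DOC = "<root><item>1</item></root>"
```

This only screens the uploaded inputs; a stylesheet can still build a string containing a DOCTYPE at runtime and pass it to parse-xml(), so the processor-level DTD/DOCTYPE setting from the Saxonica note remains the actual fix and this gate is a second layer.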
