Bug#465885: please disable by default external Java method invocations in the XSLT 2.0 processor

Stefano Zacchiroli zack at debian.org
Fri Feb 15 13:58:13 UTC 2008


Package: libsaxonb-java
Version: 9.0-2
Severity: important
Tags: patch, security

SaxonB, like previous Saxon versions, comes with calls on external Java
methods enabled by default. This is a security issue when processing
untrusted XSLT stylesheets, as is properly reported in README.Debian.
Still, I don't think it is enough to warn people in README.Debian, and I
would much prefer to have a patched version of SaxonB with external
method invocation disabled, explaining in README.Debian why it is
disabled and how to enable it back.

Attached you can find a patch which disables by default external Java
methods, and a new README.Debian which explains how to enable it back
from command line and other kinds of invocations.

Please consider applying the patch.

PS the README.Debian I ship gets rid of the content which explains how
to generally invoke SaxonB from the command line (besides the example for
enabling back external Java methods). The content was out of date
anyhow, but in a second forthcoming bug report :-) I'm going to propose
some new content for that as well.

PPS many thanks for having brought SaxonB in Debian!

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.24-1-686 (SMP w/1 CPU core)
Locale: LANG=it_IT.UTF-8, LC_CTYPE=it_IT.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages libsaxonb-java depends on:
ii  gij [java2-runtime]         4:4.3-1      The GNU Java bytecode interpreter
ii  gij-4.1 [java2-runtime]     4.1.2-19     The GNU Java bytecode interpreter
ii  java-gcj-compat [java2-runt 1.0.77-4     Java runtime environment using GIJ
ii  libdom4j-java               1.6.1+dfsg-2 flexible XML framework for Java
ii  libjdom1-java               1.0-4        lightweight and fast library using
ii  libxom-java                 1.1-2        A new XML object model for Java
ii  sun-java6-jre [java2-runtim 6-04-2       Sun Java(TM) Runtime Environment (

libsaxonb-java recommends no packages.

-- no debconf information
-------------- next part --------------
Calls on external Java functions disabled by default
----------------------------------------------------

By default, the XSLT 2.0 processor of SaxonB enables calls on external Java
functions to be embedded in stylesheets. Such calls can invoke arbitrary Java
methods and are thus a security risk when executing untrusted XSLT stylesheets.
For this reason, SaxonB in Debian comes with calls on external Java functions
disabled by default.

If you are using the command line interface of the XSLT 2.0 processor of Saxon,
you can enable this feature by passing the "-ext:on" flag to your command line
invocation. For example:

  CLASSPATH=/usr/share/java/saxonb.jar \
  java net.sf.saxon.Transform -ext:on -s:input.xml -xsl:style.xsl -o:output.xml

If you are using SaxonB from its Java API you should set the Attribute
"FeatureKeys.ALLOW_EXTERNAL_FUNCTIONS" to "true". See the API reference in the
libsaxonb-java-doc package for more information.

 -- Stefano Zacchiroli <zack at debian.org>  Fri, 15 Feb 2008 14:47:43 +0100
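The Java API route described in the README above, as an added example that is not part of the bug report or of Saxon itself: it assumes Saxon 9's net.sf.saxon.TransformerFactoryImpl and net.sf.saxon.FeatureKeys are on the classpath, and sets ALLOW_EXTERNAL_FUNCTIONS explicitly in both directions so the outcome never depends on the packaged default.

```java
import java.io.File;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;
import net.sf.saxon.FeatureKeys;
import net.sf.saxon.TransformerFactoryImpl;

public class SaxonTransform {

    /**
     * Builds a Saxon factory. External Java method calls from the
     * stylesheet are permitted only when the caller vouches for it;
     * untrusted stylesheets always get them switched off, whatever the
     * library default happens to be.
     */
    static TransformerFactory newFactory(boolean stylesheetIsTrusted) {
        TransformerFactory factory = new TransformerFactoryImpl();
        // FeatureKeys.ALLOW_EXTERNAL_FUNCTIONS is the attribute named in README.Debian.
        factory.setAttribute(FeatureKeys.ALLOW_EXTERNAL_FUNCTIONS,
                             Boolean.valueOf(stylesheetIsTrusted));
        return factory;
    }

    /** Runs xsl over in, writing out; equivalent to the CLI with or without -ext:on. */
    static void transform(File xsl, File in, File out, boolean stylesheetIsTrusted)
            throws Exception {
        Transformer t = newFactory(stylesheetIsTrusted)
                .newTransformer(new StreamSource(xsl));
        t.transform(new StreamSource(in), new StreamResult(out));
    }

    public static void main(String[] args) throws Exception {
        // Assumed usage (hypothetical CLI): style.xsl input.xml output.xml [--trusted]
        boolean trusted = args.length > 3 && "--trusted".equals(args[3]);
        transform(new File(args[0]), new File(args[1]), new File(args[2]), trusted);
    }
}
```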
-------------- next part --------------
diff -Naur saxonb-9.0/src/net/sf/saxon/Configuration.java saxonb-9.0.zack/src/net/sf/saxon/Configuration.java
--- saxonb-9.0/src/net/sf/saxon/Configuration.java	2008-02-15 14:41:06.000000000 +0100
+++ saxonb-9.0.zack/src/net/sf/saxon/Configuration.java	2008-02-15 14:39:53.000000000 +0100
@@ -121,7 +121,7 @@
     private transient OutputURIResolver outputURIResolver;
     private boolean timing = false;
     private boolean versionWarning = true;
-    private boolean allowExternalFunctions = true;
+    private boolean allowExternalFunctions = false;
     private boolean traceExternalFunctions = false;
     private boolean validation = false;
     private boolean allNodesUntyped = false;
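Review bot: the flipped default for allowExternalFunctions at `-    private boolean allowExternalFunctions = true;` / `+    private boolean allowExternalFunctions = false;` is the whole behavioural change, yet nothing in the source records that this diverges from upstream Saxon; add a short comment on the field referencing README.Debian and the `-ext:on` flag so that a future upstream merge or a reader of the Javadoc for the corresponding accessor does not silently restore the insecure default.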

