Bug#465885: please disable by default external Java method invocations in the XSLT 2.0 processor

Stefano Zacchiroli zack at debian.org
Sat Feb 16 11:11:15 UTC 2008


On Fri, Feb 15, 2008 at 02:58:13PM +0100, Stefano Zacchiroli wrote:
> Calls on external Java functions disabled by default
> ----------------------------------------------------
> 
> By default, the XSLT 2.0 processor of SaxonB enables calls on external Java
> functions to be embedded in stylesheets. Such calls can invoke arbitrary Java
> methods and are thus a security risk when executing untrusted XSLT stylesheets.
> For this reason, SaxonB in Debian comes with calls on external Java functions
> disabled by default.

Actually, this is not specific to the XSLT 2.0 processor. The XQuery
processor of SaxonB is also affected (I've just discovered this while
writing the manpage for saxonb-xquery).

The patch is general enough to fix both cases, as it affects the global
SaxonB configuration, but the above text needs to be reworded. I hereby
propose the following text:

> By default, SaxonB enables calls on external Java functions to be
> embedded in stylesheets or queries. Such calls can invoke arbitrary
> Java methods and are thus a security risk when executing untrusted
> XSLT stylesheets or XQuery queries. For this reason, SaxonB in Debian
> comes with calls on external Java functions disabled by default.
>
> If you are using the command line interface to the XSLT 2.0 or XQuery
> processors of Saxon, you can enable this feature by passing the
> "-ext:on" flag to your command line invocation.
>
> If you are using SaxonB from its Java API you should set the Attribute
> "FeatureKeys.ALLOW_EXTERNAL_FUNCTIONS" to "true". See the API
> reference in the libsaxonb-java-doc package for more information.

What about it?

-- 
Stefano Zacchiroli -*- PhD in Computer Science ............... now what?
zack@{upsilon.cc,cs.unibo.it,debian.org}  -<%>-  http://upsilon.cc/zack/
(15:56:48)  Zack: e la demo dema ?    /\    All one has to do is hit the
(15:57:15)  Bac: no, la demo scema    \/    right keys at the right time
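The Java API setting described in the proposed text, as an added example that is not part of this message or of the Debian patch. It assumes the Saxon 9 API of the SaxonB era (net.sf.saxon.FeatureKeys and net.sf.saxon.TransformerFactoryImpl on the classpath) and uses a constructed stylesheet that calls a harmless JDK method through Saxon's reflexive "java:" extension mechanism, so that the same stylesheet can be seen to run with external functions enabled and to be rejected at compile time with them disabled.

```java
import java.io.StringReader;
import java.io.StringWriter;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;
import net.sf.saxon.FeatureKeys;
import net.sf.saxon.TransformerFactoryImpl;

public class SaxonExtFunctions {
    // Constructed stylesheet: binds a namespace to java.lang.Math and calls
    // Math.sqrt(). Any Java class reachable on the classpath could be bound
    // the same way, which is why untrusted stylesheets must not get this.
    static final String XSLT =
        "<xsl:stylesheet version='2.0'"
        + " xmlns:xsl='http://www.w3.org/1999/XSL/Transform'"
        + " xmlns:Math='java:java.lang.Math'>"
        + "<xsl:template match='/'>"
        + "<out><xsl:value-of select='Math:sqrt(16.0)'/></out>"
        + "</xsl:template></xsl:stylesheet>";

    static final String INPUT = "<doc/>";  // constructed input document

    /** Compiles and runs the stylesheet with the given policy; returns the
     *  serialized output, or null when Saxon rejects the stylesheet. */
    static String transform(boolean allowExternalFunctions) {
        // Instantiate Saxon directly rather than via TransformerFactory.newInstance()
        // so the attribute is guaranteed to reach Saxon's Configuration.
        TransformerFactory factory = new TransformerFactoryImpl();
        factory.setAttribute(FeatureKeys.ALLOW_EXTERNAL_FUNCTIONS,
                             Boolean.valueOf(allowExternalFunctions));
        try {
            Transformer t = factory.newTransformer(
                new StreamSource(new StringReader(XSLT)));
            StringWriter out = new StringWriter();
            t.transform(new StreamSource(new StringReader(INPUT)),
                        new StreamResult(out));
            return out.toString();
        } catch (TransformerException e) {
            // With external functions disabled, Saxon cannot resolve
            // Math:sqrt and fails at compile time in newTransformer().
            return null;
        }
    }

    public static void main(String[] args) {
        System.out.println("enabled:  " + transform(true));
        System.out.println("disabled: " + transform(false));
    }
}
```

The Debian patch changes only the default; the attribute set here wins either way, so code that must process untrusted stylesheets or queries should set it to false explicitly rather than rely on the packaged default.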