On Sat, Feb 16, 2008 at 12:11:15PM +0100, Stefano Zacchiroli wrote:
> On Fri, Feb 15, 2008 at 02:58:13PM +0100, Stefano Zacchiroli wrote:
> > Calls on external Java functions disabled by default
> > ----------------------------------------------------
> >
> > By default, the XSLT 2.0 processor of SaxonB enables calls on external Java
> > functions to be embedded in stylesheets. Such calls can invoke arbitrary Java
> > methods and are thus a security risk when executing untrusted XSLT stylesheets.
> > For this reason, SaxonB in Debian comes with calls on external Java functions
> > disabled by default.
>
> Actually, this is not specific to the XSLT 2.0 processor. The XQuery
> processor of SaxonB is also affected (I've just discovered this while
> writing the manpage for saxonb-xquery).
>
> The patch is general enough to fix both cases, as it affects the global
> SaxonB configuration, but the above text needs to be reworded. I hereby
> propose the following text:
>
> > By default, SaxonB enables calls on external Java functions to be
> > embedded in stylesheets or queries. Such calls can invoke arbitrary
> > Java methods and are thus a security risk when executing untrusted
> > XSLT stylesheets or XQuery queries. For this reason, SaxonB in Debian
> > comes with calls on external Java functions disabled by default.
> >
> > If you are using the command line interface to the XSLT 2.0 or XQuery
> > processors of Saxon, you can enable this feature by passing the
> > "-ext:on" flag to your command line invocation.
> >
> > If you are using SaxonB from its Java API you should set the attribute
> > "FeatureKeys.ALLOW_EXTERNAL_FUNCTIONS" to "true". See the API
> > reference in the libsaxonb-java-doc package for more information.
>
> What about it?
Looks good. Committed.

Cheers,
Michael
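The setting discussed in the thread, shown from the Java API as an added example (this code is not from the thread, from Debian's patch, or from Saxon's own documentation). It assumes the Saxon 9.x-era SaxonB class names `net.sf.saxon.TransformerFactoryImpl` and `net.sf.saxon.FeatureKeys` (later Saxon releases moved `FeatureKeys` to `net.sf.saxon.lib`), and the stylesheet it compiles is constructed for the demonstration: it uses Saxon's reflexive extension-function binding (`xmlns:sys="java:java.lang.System"`) to call `System.getProperty()`, which is exactly the class of call the Debian default refuses. The class name `ExternalFunctionsDemo` is made up.

```java
// Added example (not from the Debian thread or from Saxon itself): compile one
// untrusted stylesheet twice with Saxon's JAXP TransformerFactory, first with
// external Java calls refused, then with them allowed, to show what the
// ALLOW_EXTERNAL_FUNCTIONS attribute controls.
import java.io.StringReader;
import javax.xml.transform.Templates;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamSource;
import net.sf.saxon.FeatureKeys;            // Saxon 9.x-era package (assumption)
import net.sf.saxon.TransformerFactoryImpl; // SaxonB's JAXP factory

public class ExternalFunctionsDemo {

    // Constructed stylesheet. The sys: prefix is bound to java:java.lang.System,
    // so sys:getProperty(...) becomes a reflective call on a JVM class. Any other
    // static method reachable from the classpath could be named the same way.
    static final String UNTRUSTED_XSLT =
          "<xsl:stylesheet version='2.0'"
        + "  xmlns:xsl='http://www.w3.org/1999/XSL/Transform'"
        + "  xmlns:sys='java:java.lang.System'>"
        + "  <xsl:template match='/'>"
        + "    <leak><xsl:value-of select=\"sys:getProperty('user.home')\"/></leak>"
        + "  </xsl:template>"
        + "</xsl:stylesheet>";

    /** Compile the stylesheet under the given policy; true if Saxon accepted it. */
    static boolean compiles(boolean allowExternal) {
        TransformerFactory tf = new TransformerFactoryImpl();
        // Set the policy explicitly rather than trusting whichever default the
        // installed jar carries: upstream ships true, Debian's SaxonB ships false.
        tf.setAttribute(FeatureKeys.ALLOW_EXTERNAL_FUNCTIONS,
                        Boolean.valueOf(allowExternal));
        try {
            Templates t = tf.newTemplates(
                new StreamSource(new StringReader(UNTRUSTED_XSLT)));
            return t != null;
        } catch (TransformerException e) {
            // With external functions disabled, Saxon does not bind sys:getProperty
            // to a Java method, so the stylesheet fails with a static error at
            // compile time and nothing from it ever executes.
            System.out.println("rejected: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) {
        System.out.println("external functions off -> compiles: " + compiles(false));
        System.out.println("external functions on  -> compiles: " + compiles(true));
    }
}
```

Against the Debian package this builds and runs with `javac -cp /usr/share/java/saxonb.jar ExternalFunctionsDemo.java` and `java -cp /usr/share/java/saxonb.jar:. ExternalFunctionsDemo` (jar path assumed). The command-line equivalent of the second call is the `-ext:on` flag on `saxonb-xslt` or `saxonb-xquery`. The practical point is the explicit `setAttribute`: code that processes untrusted stylesheets or queries should turn the feature off itself, because the same source run against an upstream Saxon jar would otherwise inherit the permissive default.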