Hi and thanks,

Speaking of security holes, has anything been done (or is planned to be) about the ability to turn off extensions (mainly xalan:redirect)? I cannot use Xalan in my server environment as I have to run untrusted stylesheets.

thanks again,
-Rob


Christine Li wrote:

Hello,

As you may have noticed, I just opened a bug report[1] about some security issues in Xalan. After some serious investigation, I have created a patch to change various static variables that could open security holes. This patch includes changes to about 214 classes across 29 packages. It may have an impact on your work, so please be aware of the changes. In general, I made the following changes:

1. Added the final modifier to static variables;
2. Reduced scope and added public get methods wherever appropriate;
3. Changed some static variables to instance variables;
4. Changed some interfaces to final classes, if those interfaces are used only to define constants;
5. Removed the usage of System.exit;
6. For the various org.apache.xml.utils.res.XResourceBundle classes, the getObject() methods return immutable array wrappers instead of arrays;
7. Changed static methods of org.apache.xpath.compiler.FunctionTable to instance methods, and a reference to a function table is passed around during processing to create an XPath object;
8. Changed the flags FEATURE_INCREMENTAL, FEATURE_OPTIMIZE and FEATURE_SOURCE_LOCATION to instance variables in TransformerFactoryImpl, so they will not be changed during processing once a new Templates has been created.


Please let me know if you have any concerns or comments.

Special thanks to Henry Zongaro ([EMAIL PROTECTED]) and Brian Minchau ([EMAIL PROTECTED])

[1] http://nagoya.apache.org/jira/browse/XALANJ-2008

Christine Li
XSLT Development
IBM Toronto Lab
Tel: (905)413-2601
Email: [EMAIL PROTECTED]
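The following is an added illustration, not code from the Xalan patch or from either poster, of the static-state patterns the list above describes: a public mutable static array beside its final, scope-reduced replacement that hands out an unmodifiable view (changes 1, 2 and 6), a feature flag moved from process-wide static to per-instance state (change 8), and, for Rob's untrusted-stylesheet case, a factory configured with the standard JAXP secure-processing feature. The class and field names are hypothetical; whether a particular Xalan build disables extension elements such as xalan:redirect under FEATURE_SECURE_PROCESSING is an assumption to check against the version actually deployed.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.List;

import javax.xml.XMLConstants;
import javax.xml.transform.TransformerConfigurationException;
import javax.xml.transform.TransformerFactory;

/** Hypothetical before/after of the static-state hazards the Xalan patch targets. */
public final class StaticStateDemo {

    // BEFORE (hypothetical): a public, non-final static array. Any code loaded into the
    // same JVM, including an extension function compiled from an untrusted stylesheet,
    // can overwrite an element and change behaviour for every later transformation.
    static final class UnsafeTable {
        public static String[] NAMES = { "document", "key", "format-number" };
    }

    // AFTER: the reference is final, the array is private, and callers only ever see an
    // unmodifiable view, so the shared table cannot be altered through the public API.
    static final class SafeTable {
        private static final String[] NAMES = { "document", "key", "format-number" };

        public static List<String> getNames() {
            return Collections.unmodifiableList(Arrays.asList(NAMES));
        }
    }

    // Change 8 in miniature: the flag lives on the factory instance rather than in a
    // static, so one caller's setting cannot silently alter another caller's in-flight
    // transformation that was created from a different factory.
    static final class FactoryLike {
        private boolean incremental;           // instance state, not static

        void setIncremental(boolean value) { incremental = value; }
        boolean isIncremental() { return incremental; }
    }

    // Defensive configuration for running stylesheets you do not control: the standard
    // JAXP secure-processing feature (javax.xml.XMLConstants). Assumption: the Xalan
    // version in use honours it by restricting extension functions and elements.
    static TransformerFactory lockedDownFactory() throws TransformerConfigurationException {
        TransformerFactory factory = TransformerFactory.newInstance();
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        return factory;
    }

    public static void main(String[] args) throws Exception {
        // The mutable static accepts the write: shared state is now changed for everyone.
        UnsafeTable.NAMES[0] = "overridden";
        System.out.println("UnsafeTable after write: " + Arrays.toString(UnsafeTable.NAMES));

        // The hardened version rejects the same write at the API boundary.
        try {
            SafeTable.getNames().set(0, "overridden");
        } catch (UnsupportedOperationException e) {
            System.out.println("SafeTable rejected write: " + e.getClass().getSimpleName());
        }
        System.out.println("SafeTable still: " + SafeTable.getNames());

        // Per-instance flags do not leak between factories.
        FactoryLike a = new FactoryLike();
        FactoryLike b = new FactoryLike();
        a.setIncremental(true);
        System.out.println("a.incremental=" + a.isIncremental()
                + " b.incremental=" + b.isIncremental());

        TransformerFactory factory = lockedDownFactory();
        System.out.println("secure processing enabled: "
                + factory.getFeature(XMLConstants.FEATURE_SECURE_PROCESSING));
    }
}
```

Running it prints the unsafe table with its first entry replaced, an UnsupportedOperationException from the hardened table, independent flag values for the two factory instances, and `true` for the secure-processing feature. If the factory throws TransformerConfigurationException on setFeature, the installed implementation does not support secure processing and a different control (such as not exposing the extension namespaces at all) is needed for untrusted input.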

