[jira] [Created] (XALANJ-2557) Security: Every namespace declared by the stylesheet is registered as an extension namespace, making it virtually impossible to scan for 'dangerous' namespaces in a stylesheet

Fri, 04 May 2012 10:45:13 -0700 

David Ward created XALANJ-2557:
----------------------------------

             Summary: Security: Every namespace declared by the stylesheet is 
registered as an extension namespace, making it virtually impossible to scan 
for 'dangerous' namespaces in a stylesheet
                 Key: XALANJ-2557
                 URL: https://issues.apache.org/jira/browse/XALANJ-2557
             Project: XalanJ2
          Issue Type: Bug
      Security Level: No security risk; visible to anyone (Ordinary problems in 
Xalan projects.  Anybody can view the issue.)
          Components: Xalan-extensions
    Affects Versions: 2.7.1
            Reporter: David Ward
            Assignee: Steven J. Hathaway
            Priority: Critical


As per the documentation:

http://xml.apache.org/xalan-j/extensions.html#java-namespace-declare
    Although the namespace declarations for the class and package formats are
    shown with the xalan:// prefix, the current implementation for those formats
    will simply use the string to the right of the rightmost forward slash as 
the
    Java class name. This format, however, is the preferred format for extension
    namespace declarations.

It's not crystal clear in the above documentation that any class URI can be 
used. Not just those with a certain prefix. For example

http://foo/java.io.File

will be registered with the 
org.apache.xalan.extensions.ExtensionHandlerJavaClass because the suggested 
class URI format is not enforced.

This is a quandary for those of us that need to use the Java extension space, 
but want to use an XML filter to provide a modicum security in order to limit 
what extensions can be used. FEATURE_SECURE_PROCESSING seems to be all or 
nothing. Given the above, the use of a Java extension is difficult to detect.

Perhaps there is room to add a feature to enforce the suggested class URI 
format in order to provide a better middle of the road approach to security.

An example 'innocent' looking stylesheet

<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform"; 
xmlns:file="http://myfoo/java.io.File"; version="1.0" 
extension-element-prefixes="file">
<xsl:template match="/">
<xsl:variable name="f" select="file:new("/tmp/iwashere")"/>
<xsl:variable name="c" select="file:createNewFile($f)"/>
</xsl:template>
</xsl:stylesheet>

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: 
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

        

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to