[saxonb] 03/34: saxonb (9.0-3) UNRELEASED; urgency=low

Emmanuel Bourg ebourg-guest at moszumanska.debian.org
Fri Apr 6 14:38:51 UTC 2018


This is an automated email from the git hooks/post-receive script.

ebourg-guest pushed a commit to branch master
in repository saxonb.

commit 5e8d6fe5b92071e28995177f468097a3bd53bac6
Author: Michael Koch <konqueror at gmx.de>
Date:   Fri Feb 15 20:18:22 2008 +0000

    saxonb (9.0-3) UNRELEASED; urgency=low
    
      * Disabled external method invocation by default, as it is insecure.
        See README.Debian how to enable this if needed. Closes: #465885.
        Thanks to Stefano Zacchiroli for the patch.
    
     -- Michael Koch <konqueror at gmx.de>  Fri, 15 Feb 2008 21:25:48 +0100
---
 debian/README.Debian                               | 38 +++++++++-------------
 debian/changelog                                   |  8 +++++
 .../disable-external-method-invocation.patch       | 11 +++++++
 3 files changed, 35 insertions(+), 22 deletions(-)

diff --git a/debian/README.Debian b/debian/README.Debian
index 23db98e..3e9bf42 100644
--- a/debian/README.Debian
+++ b/debian/README.Debian
@@ -1,27 +1,21 @@
-libsaxon-java for debian
--------------------------
+Calls on external Java functions disabled by default
+----------------------------------------------------
 
-To process with Saxon, issue a command like the following (all on one line):
+By default, the XSLT 2.0 processor of SaxonB enables calls on external Java
+functions to be embedded in stylesheets. Such calls can invoke arbitrary Java
+methods and are thus a security risk when executing untrusted XSLT stylesheets.
+For this reason, SaxonB in Debian comes with calls on external Java functions
+disabled by default.
 
-java -classpath /usr/share/java/saxon.jar com.icl.saxon.StyleSheet \
-      file.xml stylesheet.xsl 
+If you are using the command line interface of the XSLT 2.0 processor of Saxon,
+you can enable this feature by passing the "-ext:on" flag to your command line
+invocation. For example:
 
-See the html docs for more details.
+  CLASSPATH=/usr/share/java/saxonb.jar \
+  java net.sf.saxon.Transform -ext:on -s:input.xml -xsl:style.xsl -o:output.xml
 
-SECURITY WARNING:
-By default, saxon allows arbitrary java methods to be executed from an XSLT.
-If you do not trust the XSLTs or you use saxon inside e.g. servlet where you 
-cannot control which stylesheets get executed, be sure to disable the use of 
-extension functions.
+If you are using SaxonB from its Java API you should set the Attribute
+"FeatureKeys.ALLOW_EXTERNAL_FUNCTIONS" to "true". See the API reference in the
+libsaxonb-java-doc package for more information.
 
-How to disable execution of extensions:
-
-From the commandline:
-Use the -noext switch to suppress calls on extension functions, other than 
-system-supplied Saxon and EXSLT extension functions.
-
-From inside Java:
-Set the Attribute 'FeatureKeys.ALLOW_EXTERNAL_FUNCTIONS' to 'false'
-on the TransformerFactory used to process the Stylesheet.
-
--  Wolfgang Baer <WBaer at gmx.de>  Thu,  5 Jan 2006 11:25:01 +0100
+ -- Stefano Zacchiroli <zack at debian.org>  Fri, 15 Feb 2008 14:47:43 +0100
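Review bot: the new API paragraph drops the information the removed text carried, namely on which object the attribute is set: the old lines said "on the TransformerFactory used to process the Stylesheet", while the new text only says to set "FeatureKeys.ALLOW_EXTERNAL_FUNCTIONS" to "true" without naming the factory. Restore that detail, e.g. "call setAttribute(FeatureKeys.ALLOW_EXTERNAL_FUNCTIONS, Boolean.TRUE) on the TransformerFactory before compiling the stylesheet", so a reader does not have to dig through the API reference to find the entry point. It would also help to state explicitly that "-ext:on" re-enables the risk described in the first paragraph and should only be used with stylesheets from trusted sources, since that is the whole reason the default was flipped.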
diff --git a/debian/changelog b/debian/changelog
index 14df875..315fc67 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+saxonb (9.0-3) UNRELEASED; urgency=low
+
+  * Disabled external method invocation by default, as it is insecure.
+    See README.Debian how to enable this if needed. Closes: #465885.
+    Thanks to Stefano Zacchiroli for the patch.
+
+ -- Michael Koch <konqueror at gmx.de>  Fri, 15 Feb 2008 21:25:48 +0100
+
 saxonb (9.0-2) unstable; urgency=low
 
   * Add libxom-java to (Build-)Depends. Closes: #464286
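Review bot: the changelog entry should name the mechanism of the change so maintainers can find it later: it says "Disabled external method invocation by default" but does not mention that this is done by a new patch, debian/patches/disable-external-method-invocation.patch, which flips an upstream default in Configuration.java. A one-line addition such as "Add debian/patches/disable-external-method-invocation.patch to change the default of allowExternalFunctions to false." makes the diff from upstream discoverable. The wording is also inconsistent with README.Debian, which calls the feature "calls on external Java functions"; using the same term in both places avoids confusion for users grepping for the option.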
diff --git a/debian/patches/disable-external-method-invocation.patch b/debian/patches/disable-external-method-invocation.patch
new file mode 100644
index 0000000..0cd0339
--- /dev/null
+++ b/debian/patches/disable-external-method-invocation.patch
@@ -0,0 +1,11 @@
+--- src/net/sf/saxon/Configuration.java.orig	2008-02-15 21:24:24.000000000 +0100
++++ src/net/sf/saxon/Configuration.java	2008-02-15 21:24:49.000000000 +0100
+@@ -121,7 +121,7 @@
+     private transient OutputURIResolver outputURIResolver;
+     private boolean timing = false;
+     private boolean versionWarning = true;
+-    private boolean allowExternalFunctions = true;
++    private boolean allowExternalFunctions = false;
+     private boolean traceExternalFunctions = false;
+     private boolean validation = false;
+     private boolean allNodesUntyped = false;
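Review bot: the patch file has no description header above the "---" line, so nothing in the file itself records why the default of allowExternalFunctions is changed from true to false or points at the bug it closes. Add a short comment at the top of the patch (rationale, "Closes: #465885", and the author credit) so the divergence from upstream survives future package refreshes. Also worth confirming before upload that the command-line "-ext:on" flag documented in README.Debian actually overrides this field default, since the patch only touches the field initialiser in Configuration.java and not the command-line handling; the hunk as shown cannot demonstrate that on its own.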

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-java/saxonb.git