[pkg-java] r5718 - in trunk/saxonb/debian: . patches
mkoch at alioth.debian.org
Fri Feb 15 20:18:22 UTC 2008
Author: mkoch
Date: 2008-02-15 20:18:22 +0000 (Fri, 15 Feb 2008)
New Revision: 5718
Added:
trunk/saxonb/debian/patches/disable-external-method-invocation.patch
Modified:
trunk/saxonb/debian/README.Debian
trunk/saxonb/debian/changelog
Log:
saxonb (9.0-3) UNRELEASED; urgency=low
* Disabled external method invocation by default, as it is insecure.
See README.Debian for how to enable this if needed. Closes: #465885.
Thanks to Stefano Zacchiroli for the patch.
-- Michael Koch <konqueror at gmx.de> Fri, 15 Feb 2008 21:25:48 +0100
Modified: trunk/saxonb/debian/README.Debian
===================================================================
--- trunk/saxonb/debian/README.Debian 2008-02-15 20:06:21 UTC (rev 5717)
+++ trunk/saxonb/debian/README.Debian 2008-02-15 20:18:22 UTC (rev 5718)
@@ -1,27 +1,21 @@
-libsaxon-java for debian
--------------------------
+Calls on external Java functions disabled by default
+----------------------------------------------------
-To process with Saxon, issue a command like the following (all on one line):
+By default, the XSLT 2.0 processor of SaxonB enables calls on external Java
+functions to be embedded in stylesheets. Such calls can invoke arbitrary Java
+methods and are thus a security risk when executing untrusted XSLT stylesheets.
+For this reason, SaxonB in Debian comes with calls on external Java functions
+disabled by default.
-java -classpath /usr/share/java/saxon.jar com.icl.saxon.StyleSheet \
- file.xml stylesheet.xsl
+If you are using the command line interface of the XSLT 2.0 processor of Saxon,
+you can enable this feature by passing the "-ext:on" flag to your command line
+invocation. For example:
-See the html docs for more details.
+ CLASSPATH=/usr/share/java/saxonb.jar \
+ java net.sf.saxon.Transform -ext:on -s:input.xml -xsl:style.xsl -o:output.xml
-SECURITY WARNING:
-By default, saxon allows arbitrary java methods to be executed from an XSLT.
-If you do not trust the XSLTs or you use saxon inside e.g. servlet where you
-cannot control which stylesheets get executed, be sure to disable the use of
-extension functions.
+If you are using SaxonB from its Java API you should set the Attribute
+"FeatureKeys.ALLOW_EXTERNAL_FUNCTIONS" to "true". See the API reference in the
+libsaxonb-java-doc package for more information.
-How to disable execution of extensions:
-
-From the commandline:
-Use the -noext switch to suppress calls on extension functions, other than
-system-supplied Saxon and EXSLT extension functions.
-
-From inside Java:
-Set the Attribute 'FeatureKeys.ALLOW_EXTERNAL_FUNCTIONS' to 'false'
-on the TransformerFactory used to process the Stylesheet.
-
-- Wolfgang Baer <WBaer at gmx.de> Thu, 5 Jan 2006 11:25:01 +0100
+ -- Stefano Zacchiroli <zack at debian.org> Fri, 15 Feb 2008 14:47:43 +0100
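Review bot: the Java API paragraph ("If you are using SaxonB from its Java API ...") loses the one detail the removed text had that readers need, namely where the attribute is set; keep the old wording that "FeatureKeys.ALLOW_EXTERNAL_FUNCTIONS" is set on the TransformerFactory used to process the stylesheet, otherwise people will look for it on the Transformer or the Configuration. The opening sentence also sits oddly next to the patch: "By default, the XSLT 2.0 processor of SaxonB enables calls on external Java functions" describes the upstream default, and the same paragraph then says the Debian package disables it by default; "Upstream SaxonB enables ..." removes the apparent contradiction. Worth carrying over one sentence of the dropped SECURITY WARNING as well, since the new text only explains how to turn the feature back on: "-ext:on" should be passed only when every stylesheet processed comes from a trusted source, in particular never inside a servlet that runs stylesheets it does not control.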
Modified: trunk/saxonb/debian/changelog
===================================================================
--- trunk/saxonb/debian/changelog 2008-02-15 20:06:21 UTC (rev 5717)
+++ trunk/saxonb/debian/changelog 2008-02-15 20:18:22 UTC (rev 5718)
@@ -1,3 +1,11 @@
+saxonb (9.0-3) UNRELEASED; urgency=low
+
+ * Disabled external method invocation by default, as it is insecure.
+ See README.Debian how to enable this if needed. Closes: #465885.
+ Thanks to Stefano Zacchiroli for the patch.
+
+ -- Michael Koch <konqueror at gmx.de> Fri, 15 Feb 2008 21:25:48 +0100
+
saxonb (9.0-2) unstable; urgency=low
* Add libxom-java to (Build-)Depends. Closes: #464286
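Review bot: this entry documents a default that existing installations may silently depend on; stylesheets that call Java extension functions will start failing after the upgrade, and a changelog line is easy to miss. Consider a debian/NEWS entry that points at README.Debian and the "-ext:on" switch so apt-listchanges users see it. Minor grammar: "See README.Debian how to enable this" should read "See README.Debian for how to enable this".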
Added: trunk/saxonb/debian/patches/disable-external-method-invocation.patch
===================================================================
--- trunk/saxonb/debian/patches/disable-external-method-invocation.patch (rev 0)
+++ trunk/saxonb/debian/patches/disable-external-method-invocation.patch 2008-02-15 20:18:22 UTC (rev 5718)
@@ -0,0 +1,11 @@
+--- src/net/sf/saxon/Configuration.java.orig 2008-02-15 21:24:24.000000000 +0100
++++ src/net/sf/saxon/Configuration.java 2008-02-15 21:24:49.000000000 +0100
+@@ -121,7 +121,7 @@
+ private transient OutputURIResolver outputURIResolver;
+ private boolean timing = false;
+ private boolean versionWarning = true;
+- private boolean allowExternalFunctions = true;
++ private boolean allowExternalFunctions = false;
+ private boolean traceExternalFunctions = false;
+ private boolean validation = false;
+ private boolean allNodesUntyped = false;
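Review bot: the patch file carries no header explaining itself; add a line or two above the hunk stating why the default is flipped (Debian bug #465885, untrusted stylesheets) and that "-ext:on" on the command line or FeatureKeys.ALLOW_EXTERNAL_FUNCTIONS in the API restores upstream behaviour, so whoever refreshes the package for the next upstream release knows the change is deliberate and must be kept. Since only the field initialiser `private boolean allowExternalFunctions = false;` changes, also check that the Javadoc of the matching getter and setter in Configuration.java and the command-line usage text do not still describe true as the default; otherwise the documentation shipped in libsaxonb-java-doc will contradict the packaged behaviour that README.Debian now describes.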