Bug#465885: please disable by default external Java method invocations in the XSLT 2.0 processor
Michael Koch
konqueror at gmx.de
Sat Feb 16 19:27:48 UTC 2008
On Sat, Feb 16, 2008 at 12:11:15PM +0100, Stefano Zacchiroli wrote:
> On Fri, Feb 15, 2008 at 02:58:13PM +0100, Stefano Zacchiroli wrote:
> > Calls on external Java functions disabled by default
> > ----------------------------------------------------
> >
> > By default, the XSLT 2.0 processor of SaxonB enables calls on external Java
> > functions to be embedded in stylesheets. Such calls can invoke arbitrary Java
> > methods and are thus a security risk when executing untrusted XSLT stylesheets.
> > For this reason, SaxonB in Debian comes with calls on external Java functions
> > disabled by default.
>
> Actually, this is not specific to the XSLT 2.0 processor. Also the
> XQuery processor of SaxonB is affected (I've just discovered this while
> writing the manpage for saxonb-xquery).
>
> The patch is general enough to fix both cases, as it affects the global
> SaxonB configuration, but the above text needs to be reworded. I hereby
> propose the following text:
>
> > By default, SaxonB enables calls on external Java functions to be
> > embedded in stylesheets or queries. Such calls can invoke arbitrary
> > Java methods and are thus a security risk when executing untrusted
> > XSLT stylesheets or XQuery queries. For this reason, SaxonB in Debian
> > comes with calls on external Java functions disabled by default.
> >
> > If you are using the command line interface to the XSLT 2.0 or XQuery
> > processors of Saxon, you can enable this feature by passing the
> > "-ext:on" flag to your command line invocation.
> >
> > If you are using SaxonB from its Java API you should set the Attribute
> > "FeatureKeys.ALLOW_EXTERNAL_FUNCTIONS" to "true". See the API
> > reference in the libsaxonb-java-doc package for more information.
>
> What about it?
Looks good. Committed.
Cheers,
Michael
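The proposed text describes the setting from the Java API side (FeatureKeys.ALLOW_EXTERNAL_FUNCTIONS) and from the command line ("-ext:on"). The following is an added example, not code from the Debian package or from the Saxon project, showing what the setting actually gates: a stylesheet that calls a reflexive Java extension function (java.lang.System.getProperty) is run once with external functions disabled, as the Debian default, and once with them enabled. It assumes a Saxon-B 9.x jar on the classpath and uses the Saxon class names net.sf.saxon.TransformerFactoryImpl and net.sf.saxon.FeatureKeys; the stylesheet and input document are constructed for the demo.

```java
import java.io.StringReader;
import java.io.StringWriter;

import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;

import net.sf.saxon.FeatureKeys;
import net.sf.saxon.TransformerFactoryImpl;

/**
 * Added example (not from the Debian package or the Saxon project).
 * Runs a stylesheet that calls a reflexive Java extension function,
 * once with external functions disabled and once with them enabled.
 *
 * Assumes a Saxon-B 9.x jar on the classpath.
 */
public class ExternalFunctionDemo {

    /**
     * Constructed stylesheet standing in for untrusted input. The "java:" namespace
     * binds a prefix to a Java class, so sys:getProperty() is a call into the JVM.
     */
    static final String STYLESHEET =
        "<xsl:stylesheet version='2.0'"
      + " xmlns:xsl='http://www.w3.org/1999/XSL/Transform'"
      + " xmlns:sys='java:java.lang.System'>"
      + "  <xsl:template match='/'>"
      + "    <xsl:value-of select=\"sys:getProperty('user.home')\"/>"
      + "  </xsl:template>"
      + "</xsl:stylesheet>";

    /** Constructed input document; its content is irrelevant to the demo. */
    static final String INPUT = "<doc/>";

    /**
     * Compiles and runs the stylesheet under the given policy.
     * Returns the transformation output, or null when Saxon refuses the call.
     */
    static String run(boolean allowExternal) {
        TransformerFactory factory = new TransformerFactoryImpl();
        // The attribute the Debian patch defaults to false; "-ext:on" on the
        // command line corresponds to setting it to true here.
        factory.setAttribute(FeatureKeys.ALLOW_EXTERNAL_FUNCTIONS, Boolean.valueOf(allowExternal));
        try {
            Transformer t = factory.newTransformer(new StreamSource(new StringReader(STYLESHEET)));
            StringWriter out = new StringWriter();
            t.transform(new StreamSource(new StringReader(INPUT)), new StreamResult(out));
            return out.toString();
        } catch (TransformerException e) {
            // With external functions disabled, compilation fails with a static
            // error: no matching function named {java:java.lang.System}getProperty.
            System.err.println("refused: " + e.getMessage());
            return null;
        }
    }

    public static void main(String[] args) {
        System.out.println("allow=false -> " + run(false));
        System.out.println("allow=true  -> " + run(true));
    }
}
```

With the attribute false the stylesheet never compiles, so the untrusted input cannot reach java.lang.System at all; with it true the same stylesheet reads a JVM property, and any other public static method would be reachable the same way. Since the attribute lives on the shared Saxon configuration, the same switch governs XQuery queries, which is why the proposed wording covers both processors.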