List: xml-security-dev
Subject: DO NOT REPLY [Bug 43145] New: - XSLT Transforms are not executed securely
From: bugzilla () apache ! org
Date: 2007-08-16 16:36:58
Message-ID: bug-43145-6260 () http ! issues ! apache ! org/bugzilla/
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=43145>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.
http://issues.apache.org/bugzilla/show_bug.cgi?id=43145
Summary: XSLT Transforms are not executed securely
Product: Security
Version: Java 1.4.1
Platform: All
OS/Version: All
Status: NEW
Severity: major
Priority: P2
Component: Signature
AssignedTo: security-dev@xml.apache.org
ReportedBy: sean.mullan@sun.com
The XSLT Transform is not executed in a secure manner, which can allow
malicious scripts to be executed via XSLT extensions.
See Brad Hill's paper for more information:
http://www.isecpartners.com/files/XMLDSIG_Command_Injection.pdf
The proposed fix will be to specify the secure processing mode
(javax.xml.XMLConstants.FEATURE_SECURE_PROCESSING) when processing
XSLT stylesheets embedded in XSLT Transforms. Since the FEATURE_SECURE_PROCESSING
was first introduced in JDK 5 (1.5), this problem still exists when running
on JDKs prior to 5. Therefore, there will be a runtime check that will disable
the XSLT transform if not running on JDK 5 or higher. This may affect
compatibility, but since this is a serious issue and there is a workaround
(upgrading to JDK 5) I believe this is the most appropriate fix.
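As an added illustration of the proposed fix (this is not code from the bug report or from Apache XML Security), a hypothetical helper that compiles a stylesheet taken from a ds:Transform element only when the JAXP factory accepts FEATURE_SECURE_PROCESSING, and otherwise refuses to run the XSLT transform at all, which matches the runtime fallback described above. The class name, method name and JDK version check are assumptions.

```java
import javax.xml.XMLConstants;
import javax.xml.transform.Source;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerConfigurationException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import org.w3c.dom.Element;

/** Hypothetical helper: builds a Transformer for the stylesheet embedded in an XSLT Transform. */
public final class SecureXsltTransform {

    /** Returns true when the JDK is 5 (1.5) or newer, i.e. FEATURE_SECURE_PROCESSING exists. */
    public static boolean secureProcessingAvailable() {
        // Constructed check: "1.4" -> 1.4, "1.5" -> 1.5, "17" -> 17.0
        String spec = System.getProperty("java.specification.version", "0");
        try {
            return Double.parseDouble(spec) >= 1.5;
        } catch (NumberFormatException e) {
            return false;
        }
    }

    /**
     * Compiles the embedded stylesheet with secure processing enabled, or throws so that
     * the caller treats the XSLT Transform as unsupported instead of running it unsafely.
     */
    public static Transformer compile(Element stylesheetElement)
            throws TransformerConfigurationException {
        if (!secureProcessingAvailable()) {
            throw new TransformerConfigurationException(
                "XSLT Transform disabled: JDK 5 or higher required for secure processing");
        }
        TransformerFactory tf = TransformerFactory.newInstance();
        try {
            // Secure processing makes the XSLT engine reject extension functions and
            // elements, the mechanism the bug describes for running attacker-supplied code.
            tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        } catch (TransformerConfigurationException e) {
            // The installed factory does not honour the feature: refuse rather than run.
            throw new TransformerConfigurationException(
                "XSLT Transform disabled: secure processing not supported by " + tf.getClass(), e);
        }
        Source stylesheet = new DOMSource(stylesheetElement);
        return tf.newTransformer(stylesheet);
    }
}
```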