[XSL-LIST Mailing List Archive Home]
[By Thread]
[By Date]
Indeed, you have cited some serious problems. However, I disagree with you on their exact nature and origin.
Why would someone allow users to pass input directly to an XPath evaluate function? This seems to me like a bad idea. Furthermore, proper use of permissions should prevent access to system configuration files.
What is such an extension function even doing in an XSLT processor!? Furthermore, it seems similarly absurd for an admin not to configure the system's permissions to preclude such things.
I don't think it makes sense to handicap a standard, based on vulnerabilities introduced by nonstandard extensions used on poorly administrated systems.
Matthew Gruenke
_________________________________________________________________
MSN Photos is the easiest way to share and print your photos: http://photos.msn.com/support/worldwide.aspx
XSL-List info and archive: http://www.mulberrytech.com/xsl/xsl-list
RE: [xsl] The evaluate function
Subject: RE: [xsl] The evaluate function From: "Matt G." <matt_g_@xxxxxxxxxxx> Date: Fri, 04 Jan 2002 01:43:20 |
Apart from all the issues mentioned by Mr.Kay, an eval() function makes it rather easy to open security holes in a style sheet.
Indeed, you have cited some serious problems. However, I disagree with you on their exact nature and origin.
For example, once you figured out you can put a XPath into
the nice "Enter your query here" field which is passed
directly to an eval() function, what will stop you from
entering document("file:///C/Documents and >Settings/Administrator/preferences.xml")?
Why would someone allow users to pass input directly to an XPath evaluate function? This seems to me like a bad idea. Furthermore, proper use of permissions should prevent access to system configuration files.
Or, if extension functions may be called indiscriminately: mswin:delete("C:\*.*","recursive")
What is such an extension function even doing in an XSLT processor!? Furthermore, it seems similarly absurd for an admin not to configure the system's permissions to preclude such things.
I don't think it makes sense to handicap a standard, based on vulnerabilities introduced by nonstandard extensions used on poorly administrated systems.
Matthew Gruenke
_________________________________________________________________
MSN Photos is the easiest way to share and print your photos: http://photos.msn.com/support/worldwide.aspx
XSL-List info and archive: http://www.mulberrytech.com/xsl/xsl-list
Current Thread |
---|
|
<- Previous | Index | Next -> |
---|---|---|
RE: [xsl] The evaluate function, Brinkman, Theodore | Thread | RE: [xsl] The evaluate function, Joerg Pietschmann |
Re: [xsl] Re: Re: Assignment no, dy, Terje Norderhaug | Date | [xsl] Re: Re: Re: Assignment no, dy, Dimitre Novatchev |
Month |