On Fri, Feb 15, 2008 at 02:58:13PM +0100, Stefano Zacchiroli wrote:
> Calls on external Java functions disabled by default
> ----------------------------------------------------
> 
> By default, the XSLT 2.0 processor of SaxonB enables calls on external Java
> functions to be embedded in stylesheets. Such calls can invoke arbitrary Java
> methods and are thus a security risk when executing untrusted XSLT 
> stylesheets.
> For this reason, SaxonB in Debian comes with calls on external Java functions
> disabled by default.

Actually, this is not specific to the XSLT 2.0 processor. The
XQuery processor of SaxonB is also affected (I've just discovered this while
writing the manpage for saxonb-xquery).

The patch is general enough to fix both cases, as it affects the global
SaxonB configuration, but the above text needs to be reworded. I hereby
propose the following text:

> By default, SaxonB enables calls on external Java functions to be
> embedded in stylesheets or queries. Such calls can invoke arbitrary
> Java methods and are thus a security risk when executing untrusted
> XSLT stylesheets or XQuery queries.  For this reason, SaxonB in Debian
> comes with calls on external Java functions disabled by default.
>
> If you are using the command line interface to the XSLT 2.0 or XQuery
> processors of Saxon, you can enable this feature by passing the
> "-ext:on" flag to your command line invocation.
>
> If you are using SaxonB from its Java API you should set the Attribute
> "FeatureKeys.ALLOW_EXTERNAL_FUNCTIONS" to "true". See the API
> reference in the libsaxonb-java-doc package for more information.

What about it?

-- 
Stefano Zacchiroli -*- PhD in Computer Science ............... now what?
[EMAIL PROTECTED],cs.unibo.it,debian.org}  -<%>-  http://upsilon.cc/zack/
(15:56:48)  Zack: e la demo dema ?    /\    All one has to do is hit the
(15:57:15)  Bac: no, la demo scema    \/    right keys at the right time
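For readers using the Java API route mentioned above, here is an added example (not from the Debian package or this thread) that pins the policy explicitly rather than relying on the distribution default: it sets FeatureKeys.ALLOW_EXTERNAL_FUNCTIONS to false on a Saxon TransformerFactory, verifies the effective setting before any untrusted stylesheet is compiled, and runs a constructed, extension-free XSLT 2.0 transform to show normal processing is unaffected. The class name UntrustedXsltRunner and the sample stylesheet and input are assumptions for this example.

```java
import java.io.StringReader;
import java.io.StringWriter;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;
import net.sf.saxon.FeatureKeys;
import net.sf.saxon.TransformerFactoryImpl;

// Hypothetical helper class; not part of Saxon or the Debian packaging.
public class UntrustedXsltRunner {

    // Build a Saxon factory whose policy does not depend on the packaged default:
    // external Java function calls are switched off explicitly for untrusted input.
    static TransformerFactory untrustedFactory() {
        TransformerFactoryImpl factory = new TransformerFactoryImpl();
        factory.setAttribute(FeatureKeys.ALLOW_EXTERNAL_FUNCTIONS, Boolean.FALSE);
        return factory;
    }

    // Report the effective setting so a deployment check can refuse to proceed
    // if some other code path re-enabled external functions.
    static boolean externalFunctionsAllowed(TransformerFactory factory) {
        return ((TransformerFactoryImpl) factory).getConfiguration().isAllowExternalFunctions();
    }

    // Compile and run a stylesheet held in memory against an in-memory document.
    static String transform(TransformerFactory factory, String xslt, String xml) throws Exception {
        Transformer t = factory.newTransformer(new StreamSource(new StringReader(xslt)));
        StringWriter out = new StringWriter();
        t.transform(new StreamSource(new StringReader(xml)), new StreamResult(out));
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        TransformerFactory factory = untrustedFactory();
        if (externalFunctionsAllowed(factory)) {
            throw new IllegalStateException("external Java functions are enabled; not processing untrusted XSLT");
        }
        // Constructed sample input: plain XSLT 2.0 using only built-in functions.
        String xslt = "<xsl:stylesheet version='2.0' xmlns:xsl='http://www.w3.org/1999/XSL/Transform'>"
                    + "<xsl:template match='/'><out><xsl:value-of select='upper-case(/doc)'/></out></xsl:template>"
                    + "</xsl:stylesheet>";
        String xml = "<doc>hello</doc>";
        System.out.println(transform(factory, xslt, xml));
    }
}
```

The same setting is what the "-ext:on" command line flag toggles, so a stylesheet or query that needs extension calls can be run deliberately with that flag while the API default above stays locked down for untrusted input.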
