external/xmlsec/ExternalProject_xmlsec.mk |    7 +++++++
 1 file changed, 7 insertions(+)

New commits:
commit 27864eb5b085d4f7a881e24d1e4509f18c320849
Author:     Michael Stahl <michael.st...@allotropia.de>
AuthorDate: Thu Aug 12 12:23:34 2021 +0200
Commit:     Michael Stahl <michael.st...@allotropia.de>
CommitDate: Fri Aug 13 11:20:23 2021 +0200

    xmlsec: add XSLT safety warning label
    
    Change-Id: I8d5ac40ec0c0b0a9fb3fb369578ff1f14b512254
    Reviewed-on: https://gerrit.libreoffice.org/c/core/+/120387
    Reviewed-by: Michael Stahl <michael.st...@allotropia.de>
    Tested-by: Jenkins

diff --git a/external/xmlsec/ExternalProject_xmlsec.mk 
b/external/xmlsec/ExternalProject_xmlsec.mk
index 4fa4aea834b1..d1e2e5af2707 100644
--- a/external/xmlsec/ExternalProject_xmlsec.mk
+++ b/external/xmlsec/ExternalProject_xmlsec.mk
@@ -18,6 +18,13 @@ $(eval $(call gb_ExternalProject_register_targets,xmlsec,\
        build \
 ))
 
+# note: it's possible to use XSLT in XML signatures - that appears to be a
+# really bad idea from a security point of view though, because it will run
+# an XSLT script supplied as untrusted input, and XSLT implementations
+# tend to have extension functions, and some of these trivially allow
+# running arbitrary code... so investigate the situation with libxslt
+# before enabling it here; hopefully nobody uses XSLT in practice anyway.
+
 ifeq ($(OS),WNT)
 
 $(eval $(call gb_ExternalProject_use_nmake,xmlsec,build))
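Review bot: The comment added on lines 27–32 warns against "enabling it here" without saying what "it" is at the build level: no configure option, nmake switch or define that controls XSLT in xmlsec is visible in this hunk, so a later maintainer cannot tell which line the warning guards or recognise a change that silently turns it on. Consider naming the concrete switch in the comment, e.g. `# XSLT support is controlled by <xmlsec configure/nmake option> below — keep it disabled`, with the real option substituted, and placing the comment directly above the invocation that passes it rather than between the target registration and the `ifeq ($(OS),WNT)` branch. The configure and nmake invocations the note presumably refers to lie outside this hunk, so this cannot be verified here.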
