1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
|
Description: Fix for CVE-2014-0107: Strengthen the secure processing mode by
disabling external general entities, foreign attributes and access to the
system properties. This could be exploited to execute arbitrary code remotely.
Origin: https://svn.apache.org/r1581058
Bug-Debian: https://bugs.debian.org/742577
--- a/src/org/apache/xalan/transformer/TransformerImpl.java
+++ b/src/org/apache/xalan/transformer/TransformerImpl.java
@@ -438,7 +438,9 @@
try
{
if (sroot.getExtensions() != null)
- m_extensionsTable = new ExtensionsTable(sroot);
+ //only load extensions if secureProcessing is disabled
+ if(!sroot.isSecureProcessing())
+ m_extensionsTable = new ExtensionsTable(sroot);
}
catch (javax.xml.transform.TransformerException te)
{te.printStackTrace();}
--- a/src/org/apache/xalan/processor/XSLTElementProcessor.java
+++ b/src/org/apache/xalan/processor/XSLTElementProcessor.java
@@ -338,17 +338,29 @@
}
else
{
- // Can we switch the order here:
-
- boolean success = attrDef.setAttrValue(handler, attrUri, attrLocalName,
- attributes.getQName(i), attributes.getValue(i),
- target);
-
- // Now we only add the element if it passed a validation check
- if (success)
- processedDefs.add(attrDef);
+ //handle secure processing
+ if(attrDef.getName().compareTo("*")==0 && handler.getStylesheetProcessor().isSecureProcessing())
+ {
+ //foreign attributes are not allowed in secure processing mode
+ // Then barf, because this element does not allow this attribute.
+ handler.error(XSLTErrorResources.ER_ATTR_NOT_ALLOWED, new Object[]{attributes.getQName(i), rawName}, null);//"\""+attributes.getQName(i)+"\""
+ //+ " attribute is not allowed on the " + rawName
+ // + " element!", null);
+ }
else
- errorDefs.add(attrDef);
+ {
+
+
+ boolean success = attrDef.setAttrValue(handler, attrUri, attrLocalName,
+ attributes.getQName(i), attributes.getValue(i),
+ target);
+
+ // Now we only add the element if it passed a validation check
+ if (success)
+ processedDefs.add(attrDef);
+ else
+ errorDefs.add(attrDef);
+ }
}
}
--- a/src/org/apache/xalan/processor/TransformerFactoryImpl.java
+++ b/src/org/apache/xalan/processor/TransformerFactoryImpl.java
@@ -335,6 +335,10 @@
reader = XMLReaderFactory.createXMLReader();
}
+ if(m_isSecureProcessing)
+ {
+ reader.setFeature("http://xml.org/sax/features/external-general-entities",false);
+ }
// Need to set options!
reader.setContentHandler(handler);
reader.parse(isource);
--- a/src/org/apache/xpath/functions/FuncSystemProperty.java
+++ b/src/org/apache/xpath/functions/FuncSystemProperty.java
@@ -58,7 +58,7 @@
String fullName = m_arg0.execute(xctxt).str();
int indexOfNSSep = fullName.indexOf(':');
- String result;
+ String result = null;
String propName = "";
// List of properties where the name of the
@@ -98,8 +98,17 @@
try
{
- result = System.getProperty(propName);
-
+ //if secure procession is enabled only handle required properties do not not map any valid system property
+ if(!xctxt.isSecureProcessing())
+ {
+ result = System.getProperty(propName);
+ }
+ else
+ {
+ warn(xctxt, XPATHErrorResources.WG_SECURITY_EXCEPTION,
+ new Object[]{ propName }); //"SecurityException when trying to access XSL system property: "+propName);
+ result = xsltInfo.getProperty(propName);
+ }
if (null == result)
{
@@ -120,8 +129,17 @@
{
try
{
- result = System.getProperty(fullName);
-
+ //if secure procession is enabled only handle required properties do not not map any valid system property
+ if(!xctxt.isSecureProcessing())
+ {
+ result = System.getProperty(fullName);
+ }
+ else
+ {
+ warn(xctxt, XPATHErrorResources.WG_SECURITY_EXCEPTION,
+ new Object[]{ fullName }); //"SecurityException when trying to access XSL system property: "+fullName);
+ result = xsltInfo.getProperty(fullName);
+ }
if (null == result)
{
|
