cocoon-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Robert Koberg" <...@koberg.com>
Subject RE: XSL Security question
Date Thu, 30 Jan 2003 16:09:08 GMT
Hi,

> -----Original Message-----
> From: Hunsberger, Peter [mailto:Peter.Hunsberger@stjude.org]
> Sent: Thursday, January 30, 2003 7:48 AM
> To: 'cocoon-dev@xml.apache.org'
> Subject: RE: XSL Security question
>
>
> > Where the files directory would contain a user's directory which user's
> could upload
> > there own versions of the stylesheets, ie. skins I would want to define a
> specific
> > transformer that would not affect the transformations in the rest of the
> application
> > but would limit the user to using basic xsl transformations or to limit
> the user to
> > his xsl file and that alone.
> <snip>
> > Does anyone have any ideas on how to implement this safely or is it just a
> bad idea?
>
> Hi Andrew,
>
> This seems like a bad idea: skins are configuration data, giving someone a
> programming language to implement data doesn't make sense.  Instead let them
> define an XML file with various settings that define how the skin
> implemented.  Then use an XSLT to combine their configuration data with any
> other default configuration data.  Since there are many people already doing
> exactly this you may want to look around a little and, in particular, pay
> some attention to Forrest if you haven't already done so...
>

There are definitely situations where you need to have project defined XSLT. We
use a comination of chroot jails (if shell access) and URIResolvers to keep the
dev-user where they should be. Also, since we use Saxon, we turn off extensions
with:

  TransformerFactory factory = TransformerFactory.newInstance();
  factory.setAttribute(FeatureKeys.ALLOW_EXTERNAL_FUNCTIONS, new
Boolean(false));

The URIResolver only checks the client's available (cached?) files:

  boolean isValidHref(File f) {
  	String req_f = f.getAbsolutePath();
  	if (req_f.startsWith(ServletContext.getRealPath(this.client_path))) {
  		return true;
  	}
  	return false;// the URIResolver returns a
                   // StreamSource(StringReader("<file not available/>"))
  }

What am I missing? :-o

-Rob


---------------------------------------------------------------------
To unsubscribe, e-mail: cocoon-dev-unsubscribe@xml.apache.org
For additional commands, email: cocoon-dev-help@xml.apache.org


Mime
View raw message