perl-embperl mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Gerald Richter" <rich...@ecos.de>
Subject Re: Default xsltparam
Date Wed, 09 Jun 2004 11:24:28 GMT
Jochen Topf wrote:
> Hi!
>
> When using XSLT with Execute() like this:
>
> $ret = Execute({
>     inputfile      => 'foo.xml',
>     recipe         => 'EmbperlXSLT',
>     xsltstylesheet => 'foo.xsl',
> });
>
> without an 'xsltparam', the %fdat hash is used as default 'xsltparam'.
>
> I think this
> a) violates the principle of least surprise. It surprised me a lot and
>    spend half an hour to figure out what a strange LibXSLT error meant
>    that resulted from this. After I found it in the source code I also
>    found it in the documentation, but I still think its the wrong
>    thing to do because
> b) is a potential security risk. It means data that is supplied by the
>    client (and can be anything) is fed into the XSLT engine as
>    parameter without checking it first.
>

It is build in for convenience, but you are right the current implementation
is a security risk. The default behaviour should be to quote all values.
>From my point of view this should remove all security problem and doesn't
give a problem.

What do you think?

Gerald



> In the best case (this is what happend to me) you have a URL like
> this:
>
> /foo.html?bar=x+y
>
> which gets translated to
>
> $fdat{'bar'} = 'x y'
>
> Now XSLT sees a parameter 'x y' (without the single quotes), which it
> can't parse and so it dies. This happens even if the XSLT stylesheet
> never actually defines any parameters of its own. I bet many Embperl
> webpages of many users can be broken just by adding spurious
> parameters to the URL.
>
> In a worse case the parameter could be carefully chosen to reveal data
> from an XML file that shouldn't be revealed.
>
> The workaround is easy, just supply an empty xsltparam. But I still
> think the default should be changed.
>
> Jochen

---------------------------------------------------------------------------
Gerald Richter            ecos electronic communication services gmbh
IT-Securitylösungen * Webapplikationen mit Apache/Perl/mod_perl/Embperl

Post:       Tulpenstrasse 5          D-55276 Dienheim b. Mainz
E-Mail:     richter@ecos.de          Voice:   +49 6133 939-122
WWW:        http://www.ecos.de/      Fax:     +49 6133 939-333
---------------------------------------------------------------------------
ECOS BB-5000 Firewall- und IT-Security Appliance: www.bb-5000.info
---------------------------------------------------------------------------


---------------------------------------------------------------------
To unsubscribe, e-mail: embperl-unsubscribe@perl.apache.org
For additional commands, e-mail: embperl-help@perl.apache.org


Mime
View raw message