perl-embperl mailing list archives

From "Gerald Richter" <>
Subject Re: Default xsltparam
Date Wed, 09 Jun 2004 11:24:28 GMT
Jochen Topf wrote:
> Hi!
> When using XSLT with Execute() like this:
> $ret = Execute({
>     inputfile      => 'foo.xml',
>     recipe         => 'EmbperlXSLT',
>     xsltstylesheet => 'foo.xsl',
> });
> without an 'xsltparam', the %fdat hash is used as default 'xsltparam'.
> I think this
> a) violates the principle of least surprise. It surprised me a lot and
>    spent half an hour to figure out what a strange LibXSLT error meant
>    that resulted from this. After I found it in the source code I also
>    found it in the documentation, but I still think it's the wrong
>    thing to do because
> b) is a potential security risk. It means data that is supplied by the
>    client (and can be anything) is fed into the XSLT engine as
>    parameter without checking it first.

It is built in for convenience, but you are right, the current implementation
is a security risk. The default behaviour should be to quote all values.
From my point of view this should remove all security problems and doesn't
cause a problem.

What do you think?


> In the best case (this is what happened to me) you have a URL like
> this:
> /foo.html?bar=x+y
> which gets translated to
> $fdat{'bar'} = 'x y'
> Now XSLT sees a parameter 'x y' (without the single quotes), which it
> can't parse and so it dies. This happens even if the XSLT stylesheet
> never actually defines any parameters of its own. I bet many Embperl
> webpages of many users can be broken just by adding spurious
> parameters to the URL.
> In a worse case the parameter could be carefully chosen to reveal data
> from an XML file that shouldn't be revealed.
> The workaround is easy, just supply an empty xsltparam. But I still
> think the default should be changed.
> Jochen

Gerald Richter            ecos electronic communication services gmbh
IT security solutions * web applications with Apache/Perl/mod_perl/Embperl

Post:       Tulpenstrasse 5          D-55276 Dienheim b. Mainz
E-Mail:          Voice:   +49 6133 939-122
WWW:      Fax:     +49 6133 939-333
ECOS BB-5000 firewall and IT security appliance:
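The behaviour Jochen describes, and the quoting Gerald proposes as the fix, can be reproduced outside Embperl with XML::LibXSLT (the module behind the "LibXSLT error" in the mail). The script below is an added example and is not code from the thread or from the Embperl project; the XML document, the stylesheet, the parameter name bar and the helper functions transform_unquoted and transform_quoted are all constructed for the illustration. It shows why an unquoted value such as 'x y' makes the transform die, why an unquoted value like /config/db/password is evaluated as an XPath expression against the source document and leaks data, and how wrapping every value as an XPath string literal with XML::LibXSLT::xpath_to_string removes both problems.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use XML::LibXML;
use XML::LibXSLT;

# Constructed sample input: a document that carries a value the page is
# never meant to display, and a stylesheet declaring one parameter.
my $xml = <<'XML';
<?xml version="1.0"?>
<config>
  <title>Hello</title>
  <db><password>s3cret</password></db>
</config>
XML

my $xsl = <<'XSL';
<?xml version="1.0"?>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:output method="text"/>
  <xsl:param name="bar" select="'default'"/>
  <xsl:template match="/">
    <xsl:value-of select="concat('title=', /config/title, ' bar=', $bar)"/>
  </xsl:template>
</xsl:stylesheet>
XSL

my $xslt       = XML::LibXSLT->new;
my $source     = XML::LibXML->load_xml(string => $xml);
my $stylesheet = $xslt->parse_stylesheet(XML::LibXML->load_xml(string => $xsl));

# Mirrors the default described in the mail: every request parameter in
# %fdat is handed to the XSLT engine verbatim. libxslt compiles each value
# as an XPath expression, not as a string.
sub transform_unquoted {
    my (%fdat) = @_;
    my $result = $stylesheet->transform($source, %fdat);
    return $stylesheet->output_string($result);
}

# The proposed default: xpath_to_string turns every value into an XPath
# string literal (it also copes with embedded quotes), so client data is
# data and is never evaluated.
sub transform_quoted {
    my (%fdat) = @_;
    my $result = $stylesheet->transform($source, XML::LibXSLT::xpath_to_string(%fdat));
    return $stylesheet->output_string($result);
}

# 1. /foo.html?bar=x+y  ->  $fdat{bar} = 'x y'
#    Unquoted, 'x y' is not a valid XPath expression and the transform dies,
#    even though the request was harmless.
my $out = eval { transform_unquoted(bar => 'x y') };
print "unquoted 'x y' : ", (defined $out ? $out : "died: $@"), "\n";

# 2. /foo.html?bar=/config/db/password
#    Unquoted, the value is evaluated as a location path over the source
#    document; the template prints the node's text, leaking the password.
print "unquoted path  : ", transform_unquoted(bar => '/config/db/password'), "\n";

# 3. The same two inputs with quoting: both arrive as plain strings, the
#    first no longer dies and the second no longer touches the document.
print "quoted 'x y'   : ", transform_quoted(bar => 'x y'), "\n";
print "quoted path    : ", transform_quoted(bar => '/config/db/password'), "\n";
```

Case 2 is the "worse case" from the mail made concrete: the stylesheet only ever meant to echo a caller-supplied string, yet because the value is compiled as XPath the client chooses what part of the source document gets selected. Quoting at the boundary, as proposed above, is the right default; passing an explicit xsltparam is the per-call workaround Jochen mentions.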
