tomcat-dev mailing list archives

From Konstantin Preißer <kpreis...@apache.org>
Subject RE: svn commit: r1528631 - /tomcat/trunk/webapps/docs/tomcat-docs.xsl
Date Thu, 03 Oct 2013 13:16:45 GMT
Hi Konstantin,

> -----Original Message-----
> From: Konstantin Kolinko [mailto:knst.kolinko@gmail.com]
> Sent: Thursday, October 3, 2013 1:36 PM


> The file mentioned in external entity declaration is loaded (via
> entity resolver) and its text is inserted as is in the specified
> place,
> 
> 
> My impression from the last time that I checked this feature, two or
> more years ago, is that it is a security limitation in those particular
> browsers.
> 
> (Especially in IE.  I think that older Firefox versions did process
> the entity and did show the menu, but I do not see this behaviour with
> the current version. Currently both IE 10 and Firefox 24 behave the
> same for Tomcat 7 docs).
> 
> There were security issues in processing of external entities in XML
> in old versions of IE. If I remember correctly, it allowed reading
> some arbitrary files.
> 
> (I thought that it was an old story, but quick search finds recent
> issues, announced in September 2013,
> http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3159
> http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3160

Thank you for the explanation. It makes sense that this is disabled because of security concerns.
E.g. I was able to make IE8 read an arbitrary local file and report its contents with JavaScript
when opening a local .xml file (but not when opening a http://... URL).


> It is nice that you found the $project as the way to implement this.
> Though I do not see any use for the menu except showing the actual
> layout of the page. The menu itself is useless, as
> 
> a) it has links to *.html documents, not *.xml ones.
> b) no other xml documents have a stylesheet directive
> 
> 
> I do not care much about the menus. I do care that the file is readable
> when I browse the changelog locally (via file:// protocol) as a
> preview before committing a change. Your $project recipe does work
> here and it is good.
> 
> By the way, just for information, a similar security issue:
> I once tried to apply the same XSLT trick in Tomcat Native
> miscelaneous/changelog.xml as
> <?xml-stylesheet type="text/xsl" href="../style.xsl"?>
> 
> That did not work when browsing locally.  The problem is that
> browsers refuse to load a stylesheet from the parent directory
> ("../style.xsl") because of security concerns.
> 
> Best regards,
> Konstantin Kolinko
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: dev-help@tomcat.apache.org


Regards,
Konstantin Preißer


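The thread describes the mechanism behind the browser restriction: an external entity declared in the DOCTYPE is fetched through the entity resolver and its text is inserted verbatim, which is why a local .xml file could expose another local file. The following added example (not from the thread or from Tomcat) checks this against Python's `xml.sax` parser, whose default since 3.7.1 is to skip external general entities; the `feature_external_ges` toggle is used only to show the difference the browsers' restriction makes. The entity target is a constructed temporary file, not a real secret, and the document is built inline.

```python
import io
import os
import tempfile
import xml.sax
from xml.sax import handler

# Constructed stand-in for the "arbitrary local file" an external entity can point at.
LOCAL_FILE_TEXT = "contents of a local file"


class _TextCollector(handler.ContentHandler):
    """Accumulates the character data the parser delivers for the document."""

    def __init__(self):
        super().__init__()
        self.chunks = []

    def characters(self, content):
        self.chunks.append(content)


def text_content(xml_bytes, allow_external_entities):
    """Parse xml_bytes with xml.sax and return the document's text content.

    allow_external_entities=False is the Python 3.7.1+ default: references to
    external general entities are skipped, so nothing is read from disk.
    allow_external_entities=True re-enables resolution, reproducing what the
    thread describes: the referenced file's text is inserted as is.
    """
    parser = xml.sax.make_parser()
    parser.setFeature(handler.feature_external_ges, allow_external_entities)
    collector = _TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(collector.chunks).strip()


def build_document(path):
    """Build a document whose DOCTYPE declares an external entity for `path`
    and references that entity in the element content."""
    return (
        '<?xml version="1.0"?>\n'
        '<!DOCTYPE doc [\n'
        f'  <!ENTITY ext SYSTEM "{path}">\n'
        ']>\n'
        '<doc>&ext;</doc>\n'
    ).encode("utf-8")


def compare_parser_modes():
    """Return the text seen with external entity resolution disabled vs. enabled.

    With the safe default the entity contributes nothing; with resolution
    enabled the temporary file's contents appear inside <doc>.
    """
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as f:
        f.write(LOCAL_FILE_TEXT)
        path = f.name
    try:
        doc = build_document(path)
        return {
            "disabled": text_content(doc, allow_external_entities=False),
            "enabled": text_content(doc, allow_external_entities=True),
        }
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(compare_parser_modes())
```

The useful check for any XML consumer that accepts documents from outside (including a browser rendering a local file) is the "disabled" branch: the entity reference must resolve to nothing rather than to file contents. The same applies to a stylesheet reference that is resolved relative to the document, which is the reason behind the `../style.xsl` refusal mentioned above.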

