This is the mail archive of the xsl-list@mulberrytech.com mailing list.
RE: The evaluate function
- From: "Matt G." <matt_g_ at hotmail dot com>
- To: xsl-list at lists dot mulberrytech dot com
- Date: Fri, 04 Jan 2002 01:43:20
- Subject: RE: [xsl] The evaluate function
- Reply-to: xsl-list at lists dot mulberrytech dot com
>Apart from all the issues mentioned by Mr. Kay, an eval()
>function makes it rather easy to open security holes in
>a style sheet.
Indeed, you have cited some serious problems. However, I disagree with you
on their exact nature and origin.
>For example, once you figured out you can put a XPath into
>the nice "Enter your query here" field which is passed
>directly to an eval() function, what will stop you from
>entering document("file:///C/Documents and
>Settings/Administrator/preferences.xml")?
Why would someone allow users to pass input directly to an XPath evaluate
function? This seems to me like a bad idea. Furthermore, proper use of
permissions should prevent access to system configuration files.
>Or, if extension functions may be called indiscriminately:
> mswin:delete("C:\*.*","recursive")
What is such an extension function even doing in an XSLT processor!?
Furthermore, it seems similarly absurd for an admin not to configure the
system's permissions to preclude such things.
I don't think it makes sense to handicap a standard, based on
vulnerabilities introduced by nonstandard extensions used on poorly
administrated systems.
Matthew Gruenke
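As an added example, not part of the original message or of any XSLT processor discussed in the thread: the defensive alternative to passing the "Enter your query here" field straight to an evaluate() function is to never evaluate the user's string at all. The form accepts a field name and a value; the field is checked against an allowlist, the value against a strict character class, and only then is an XPath built from those parts. Quotes, brackets, parentheses and slashes never reach the XPath engine, so neither a predicate break-out nor a call such as document(...) can be smuggled in. The catalog document, field names and inputs are constructed for this example; it uses only the Python standard library.

```python
"""Added example: validate query parts instead of evaluating a raw XPath string."""
import re
from typing import List
import xml.etree.ElementTree as ET

# Constructed sample document that the query form searches.
CATALOG_XML = """
<catalog>
  <book><title>XSLT Basics</title><author>A. Writer</author><price>20</price></book>
  <book><title>XPath in Depth</title><author>B. Author</author><price>35</price></book>
</catalog>
"""

# Only these child elements may be queried; any other field name is refused,
# including anything that looks like an extension-function call.
ALLOWED_FIELDS = {"title", "author", "price"}

# Values may contain only word characters, spaces, dots and hyphens. This keeps
# quotes, brackets, parentheses and slashes out of the expression entirely,
# so the value can never terminate the predicate or introduce a function call.
VALUE_RE = re.compile(r"[\w .\-]{1,64}")


def build_query(field: str, value: str) -> str:
    """Return an XPath for 'books whose <field> equals value', or raise ValueError."""
    if field not in ALLOWED_FIELDS:
        raise ValueError(f"field not allowed: {field!r}")
    if not VALUE_RE.fullmatch(value):
        raise ValueError(f"value contains disallowed characters: {value!r}")
    # The value cannot contain a quote, so a single-quoted literal is unambiguous.
    return f".//book[{field}='{value}']"


def find_titles(field: str, value: str, xml_text: str = CATALOG_XML) -> List[str]:
    """Run the validated query against the document and return matching titles."""
    root = ET.fromstring(xml_text)
    return [book.findtext("title") for book in root.findall(build_query(field, value))]


if __name__ == "__main__":
    print(find_titles("author", "B. Author"))
    # Inputs in the shape the thread warns about are refused before any
    # XPath is evaluated; the file URL is a placeholder, not a real path.
    for field, value in [("author", "x'] | document('file:///PLACEHOLDER')[1"),
                         ("mswin:delete", "C")]:
        try:
            find_titles(field, value)
        except ValueError as exc:
            print("rejected:", exc)
```

The same shape applies to a real XSLT deployment: pass the validated pieces in as stylesheet parameters and compare against them in a fixed predicate, rather than exposing an evaluate() extension to form input.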
XSL-List info and archive: http://www.mulberrytech.com/xsl/xsl-list