
[XSLT2.0] xma vs. xml: "The ability to execute extension functions represents a potential security weakness"

From: Ted Shaneyfelt <tvs@hawaii.edu>
Date: Fri, 13 Aug 2004 13:47:50 -1000
To: public-qt-comments@w3.org
Message-id: <005001c4818f$f547b400$6401a8c0@maunakea>

I know it's late, but concerning section 18.1.2 Calling Extension Func...

The ability to execute extension functions represents a potential security
weakness

This is likely to quietly open countless security breaches where
webmasters in the past have trusted XSLT to be uploaded and to execute
on their machines because of its safe nature.  By simply upgrading an
operating system or other component, the system will quietly become
vulnerable to simple attacks.

The mistake of treating documents as programs that can perform
arbitrary operations is what caused countless breaches in security
when Microsoft allowed macros to be hidden in documents.  They
should have foreseen it.  We should have learned. An application
that can cause changes to the system should always be clearly
identified as such, not as innocent data.

When an XML document invokes an XSLT through a PI,
it should never have side-effects.

To overcome the limitations, a completely separate MIME type
and filename extension should identify XML documents that
can invoke XSLT with the ability to have side-effects.

I propose the name "Extensible Markup Application", which
everyone should treat like a program, not like data.

  content-type: application/xma
  filename-extension: .xma

Then xml documents would continue to be trustworthy.

Everyone should be able to trust XML files enough to
not hesitate to click on them.

Thank you for your consideration,

Ted Shaneyfelt
University of Hawaii
Received on Friday, 13 August 2004 23:46:42 UTC
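As an added illustration of the concern in the post about uploaded stylesheets being executed on trust (this is not code from the message or from any XSLT processor): a pre-execution screen that refuses a stylesheet if it declares extension element prefixes, embeds a script element, or calls a function whose prefix maps outside the XSLT, XPath and XML Schema namespaces. The `ext` namespace and `host-name` function in the sample stylesheet are constructed placeholders.

```python
import io
import re
import xml.etree.ElementTree as ET

XSL_NS = "http://www.w3.org/1999/XSL/Transform"
FN_NS = "http://www.w3.org/2005/xpath-functions"
# Function namespaces that belong to the language itself, not to an extension.
STANDARD_FUNCTION_NS = {XSL_NS, FN_NS, "http://www.w3.org/2001/XMLSchema"}
# Attributes that carry XPath expressions in which a function call can appear.
XPATH_ATTRS = ("select", "test", "match", "use", "count", "from", "group-by")
# A prefixed function call such as  ext:host-name(  inside an expression.
PREFIXED_CALL = re.compile(r"\b([A-Za-z_][\w.\-]*):([A-Za-z_][\w.\-]*)\s*\(")


def collect_prefix_map(xslt_text):
    """Map every prefix declared anywhere in the stylesheet to its namespace URI."""
    prefixes = {"fn": FN_NS}  # XPath 2.0 predeclares 'fn' without an xmlns
    source = io.BytesIO(xslt_text.encode("utf-8"))
    for _event, (prefix, uri) in ET.iterparse(source, events=("start-ns",)):
        prefixes[prefix] = uri
    return prefixes


def find_extension_use(xslt_text):
    """Return a list of findings; an empty list means no extension use was seen."""
    findings = []
    prefixes = collect_prefix_map(xslt_text)
    root = ET.fromstring(xslt_text)
    # 1. Stylesheet explicitly asks the processor for extension elements.
    for p in root.get("extension-element-prefixes", "").split():
        findings.append(f"extension element prefix declared: {p} -> {prefixes.get(p)}")
    for el in root.iter():
        local_name = el.tag.rsplit("}", 1)[-1]
        # 2. Any 'script' element (msxsl:script and similar) embeds code in the stylesheet.
        if local_name == "script":
            findings.append(f"embedded script element: {el.tag}")
        # 3. Function calls whose prefix resolves to a non-standard namespace.
        for attr in XPATH_ATTRS:
            expr = el.get(attr)
            if not expr:
                continue
            for prefix, name in PREFIXED_CALL.findall(expr):
                uri = prefixes.get(prefix)
                if uri not in STANDARD_FUNCTION_NS:
                    findings.append(f"extension function call {prefix}:{name}() -> {uri}")
    return findings
```

Constructed test stylesheets: one using only built-in and `xs:` constructor functions, one calling a placeholder extension function; the screen passes the first and rejects the second.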
