- From: Conal Tuohy <conal.tuohy@gmail.com>
- Date: Wed, 3 Jun 2015 18:24:49 +1000
- To: XProc Dev <xproc-dev@w3.org>
- Message-ID: <CAErBQuQKG+-mdKXn=rNKA5D8qgu99y2rdacfjmeHg9KySQ0YBw@mail.gmail.com>
To answer my own question about a "safe mode" for running user-contributed XSLT, it seems that MorganaXProc has a more general security system that could be used: http://www.xml-project.com/documentation/morgana-userguide/morgana-security/#safety

At first glance it looks like the Morgana "safe mode" applies too generally (in that it applies to an entire pipeline rather than just to a certain set of p:xslt steps), but in a web service environment, you could run a second instance of MorganaXProc, configured to be as safe as possible, and delegate any "safe mode" XSLT transformations to that service.

On 2 June 2015 at 17:19, Conal Tuohy <conal.tuohy@gmail.com> wrote:
> I have been writing some web applications in XProc, using Calabash, and I've struck the issue that user-supplied (uploaded) XSLT transforms can present a security risk. Since XSLT is Turing complete it can provide a powerful extension mechanism for an XML-processing app, but you need to tightly control access to the web app itself unless you can run such XSLT in a sandbox.
>
> I had a vague but false memory that the p:xslt step had an option to enforce a kind of "safe mode". Alas it looks like wishful thinking.
>
> It seems to me that to perform secure XSLT processing one would need to be able to supply a URI resolver to prevent access to the local file system, and to disable any XSLT extension functions that might pose a risk, and perhaps even to enforce a timeout on XSLT execution.
>
> Has anyone implemented anything like this, either in Calabash or some other processor?
>
>
> Conal
Received on Wednesday, 3 June 2015 08:25:38 UTC