XalanJ2 / XALANJ-2136

JAXP 1.3: support the secure processing feature

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.7.1
    • Fix Version/s: 2.7
    • Component/s: JAXP
    • Labels:
      None
    • Xalan info:
      PatchAvailable

      Description

      In JAXP 1.3, the TransformerFactory.setFeature() method must support the secure processing feature. The following paragraph is taken from the javadocs of the TransformerFactory.setFeature() method:

      All implementations are required to support the XMLConstants.FEATURE_SECURE_PROCESSING feature. When the feature is:

      – true: the implementation will limit XML processing to conform to implementation limits and behave in a secure fashion as defined by the implementation. Examples include resolving user defined style sheets and functions. If XML processing is limited for security reasons, it will be reported via a call to the registered ErrorListener.fatalError(TransformerException exception). See setErrorListener(ErrorListener listener).
      – false: the implementation will process XML according to the XML specifications without regard to possible implementation limits.

      Sun's contributed JAXP 1.3 implementation only exposes the feature. But it does not use the feature to limit the XML processing behavior. The proposed patch will implement the following restrictions when the secure processing feature is set to true:

      1. use of extension elements and extension functions is disabled
      2. the secure processing feature is also passed to all parsers created by the XSLT processor.

        Activity

        Morris Kwan added a comment -

        The file secure_processing_feature_xalan.patch is a patch for Xalan interpretive to support the secure processing feature. A new option -secure is added to the Process command line to trigger the secure processing feature.

        Morris Kwan added a comment -

        The file secure_processing_feature_xsltc.patch is a patch for XSLTC to support the secure processing feature.

        Ilene Seelemann added a comment -

        I have reviewed this patch and I approve it.


          People

          • Assignee:
            Morris Kwan
            Reporter:
            Morris Kwan
            Reviewer:
            Ilene Seelemann
          • Votes:
            0
            Watchers:
            0
