At 2010-05-21 12:21 -0400, Costello, Roger L. wrote:
> Imagine an XSLT program that uses <xsl:include> to gain access to an
> XSLT document from an external location (say, a W3C XSLT document).
> It wouldn't be difficult for an evil person to intercept the ensuing
> message exchange and return an XSLT document designed to disrupt the
> proper functioning of the original XSLT program, perhaps even
> resulting in a denial of service.
>
> One approach to prevent this would be to digitally sign the included
> XSLT document. Of course, it would be horrific if the XSLT
> programmer had to write code to check the digital signature of every
> XSLT document he includes/imports.
>
> I envision XSLT processors automatically checking the digital
> signatures and triggering an error to the XSLT programs if the
> digital signatures fail. Thus, the checking is transparent to the
> XSLT programmer.
>
> Are there any plans to provide this functionality in XSLT 2.1?
>
> What other approaches are there for ensuring the safe include/import
> of XSLT documents at external locations?

This can be done outside of the specification. The stylesheets I
ship for free for printing XML instances of UBL to PDF are digitally signed:
http://www.CraneSoftwrights.com/resources/ublss

The stylesheets are free to use by anyone with an existing XSL-FO
processor without any need for worrying about the signatures.

If someone doesn't have such a processor and wants to use the
commercial Ibex XSL-FO processor at no charge, I've provided a
digitally signed manifest of my stylesheets so that the processor
only runs with these stylesheets and no other (otherwise I wouldn't
be able to give out the commercial tool for free). The XSL-FO
processor does not invoke the embedded XSLT processor unless all
imported and included XSLT fragments listed in the manifest have
their respective hashes match. If anyone changes even a single byte
of the stylesheets, they can still use their own XSL-FO processor,
but the free copy of the commercial XSL-FO processor will reject the
stylesheet that has changes. And it will reject any stylesheet that
does not have a digitally-signed manifest. So the vendor is
protected, but I can still allow free downloads of my stylesheets for
people to run with commercial software.

So, you can take this approach in your environment, and do it outside
of the XSLT processor: create a digital signature of a trusted copy
of all of the fragments you need, and then check them before you use
them. I suppose you could even do this in the URI resolver finding
the fragments.

I hope this helps.

. . . . . . . . . . . . Ken
--
XSLT/XQuery training: after http://XMLPrague.cz 2011-03-28/04-01
Vote for your XML training: http://www.CraneSoftwrights.com/s/i/
Crane Softwrights Ltd. http://www.CraneSoftwrights.com/s/
G. Ken Holman mailto:gkholman(_at_)CraneSoftwrights(_dot_)com
Male Cancer Awareness Nov'07 http://www.CraneSoftwrights.com/s/bc
Legal business disclaimers: http://www.CraneSoftwrights.com/legal
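
The check described in the reply above (hash every trusted fragment into an authenticated manifest, then verify each fragment in the resolver before the XSLT processor sees it), as an added example that is not part of the original message and is not Crane's or Ibex's code. It uses HMAC-SHA256 as a stand-in for a public-key digital signature over the manifest, since the Python standard library has no signature primitives; the URIs, key, fragment contents and function names are all assumptions.

```python
import hashlib
import hmac
import json


class ManifestError(Exception):
    """Raised when the manifest or a fetched fragment fails verification."""


def sign_manifest(fragments, key):
    """Publisher side: hash each trusted fragment and authenticate the list."""
    hashes = {uri: hashlib.sha256(data).hexdigest() for uri, data in fragments.items()}
    body = json.dumps(hashes, sort_keys=True).encode()
    return {"hashes": hashes, "tag": hmac.new(key, body, hashlib.sha256).hexdigest()}


def load_manifest(manifest, key):
    """Consumer side: return the hash table only if the manifest tag verifies."""
    body = json.dumps(manifest["hashes"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest.get("tag", "")):
        raise ManifestError("manifest authentication failed")
    return manifest["hashes"]


def make_resolver(trusted_hashes, fetch):
    """Wrap fetch(uri) -> bytes so callers only ever receive verified bytes."""
    def resolve(uri):
        if uri not in trusted_hashes:
            raise ManifestError(f"{uri} is not listed in the manifest")
        data = fetch(uri)  # may come from the network, so treat as untrusted
        digest = hashlib.sha256(data).hexdigest()
        if not hmac.compare_digest(digest, trusted_hashes[uri]):
            raise ManifestError(f"{uri} does not match its manifest hash")
        return data
    return resolve


# Constructed sample data: a demo key and two stylesheet fragments.
KEY = b"demo-key-not-for-production"
MAIN = "http://example.org/xsl/main.xsl"
COMMON = "http://example.org/xsl/common.xsl"
TRUSTED = {
    MAIN: b'<xsl:include href="common.xsl"/>',
    COMMON: b'<xsl:template match="/"/>',
}
MANIFEST = sign_manifest(TRUSTED, KEY)
```

In a real deployment `resolve` would sit behind the processor's own URI-resolver hook, so an included or imported fragment that fails the check never reaches the XSLT compiler.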