Discussion:
[jira] [Created] (XALANJ-2591) Transform XSLT using Xalan into XHTML fails with secure processing feature when using attributes
Victor Kazakov (JIRA)
2014-08-18 23:01:20 UTC
Victor Kazakov created XALANJ-2591:
--------------------------------------

Summary: Transform XSLT using Xalan into XHTML fails with secure processing feature when using attributes
Key: XALANJ-2591
URL: https://issues.apache.org/jira/browse/XALANJ-2591
Project: XalanJ2
Issue Type: Bug
Security Level: No security risk; visible to anyone (Ordinary problems in Xalan projects. Anybody can view the issue.)
Components: transformation, Xalan
Affects Versions: 2.7.2
Reporter: Victor Kazakov
Assignee: Steven J. Hathaway


I'm trying to use the updated version of Xalan (2.7.2) in secure mode and am having an issue with it not being able to understand unknown attributes. The problem is, it prevents you from using any stylesheet that emits XHTML (in secure processing mode) because it disallows things like “colspan” attributes of “th” elements.

The associated changed file is here: http://svn.apache.org/viewvc/xalan/java/branches/xalan-j_2_7_1_maint/src/org/apache/xalan/processor/XSLTElementProcessor.java?r1=1359736&r2=1581058&pathrev=1581058&diff_format=h

See the following example:
{code:java}
import javax.xml.XMLConstants;
import javax.xml.transform.*;
import javax.xml.transform.stream.StreamSource;
import java.io.StringReader;
import org.apache.xml.utils.DefaultErrorHandler; // Xalan's ErrorListener; rethrows errors when constructed with true

public class XalanSecureAttributeRepro {
    private static final String XSL =
        "<xsl:stylesheet version=\"1.0\" xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\">\n" +
        " <xsl:output method=\"html\"/>\n" +
        " <xsl:template match=\"/*\">\n" +
        " <th colspan=\"2\"/>\n" +
        " </xsl:template>\n" +
        "</xsl:stylesheet>";

    public static void main( String[] args ) throws Exception {
        // Force the Xalan interpretive implementation rather than the JDK's built-in factory
        System.setProperty( "javax.xml.transform.TransformerFactory", "org.apache.xalan.processor.TransformerFactoryImpl" );

        TransformerFactory tf = TransformerFactory.newInstance();
        tf.setFeature( XMLConstants.FEATURE_SECURE_PROCESSING, true );
        tf.setErrorListener( new DefaultErrorHandler( true ) );

        final Source source = new StreamSource( new StringReader( XSL ) );
        Templates templates = tf.newTemplates( source ); // throws:
        // TransformerException: "colspan" attribute is not allowed on the th element!
    }
}
{code}
It returns this error:
{code}
Exception in thread "main" javax.xml.transform.TransformerConfigurationException: javax.xml.transform.TransformerException: org.xml.sax.SAXException: "colspan" attribute is not allowed on the th element!
javax.xml.transform.TransformerException: "colspan" attribute is not allowed on the th element!
at org.apache.xalan.processor.TransformerFactoryImpl.newTemplates(TransformerFactoryImpl.java:933)
at com.l7tech.example.XalanSecureAttributeRepro.main(XalanSecureAttributeRepro.java:27)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:606)
at com.intellij.rt.execution.application.AppMain.main(AppMain.java:134)
Caused by: javax.xml.transform.TransformerException: org.xml.sax.SAXException: "colspan" attribute is not allowed on the th element!
javax.xml.transform.TransformerException: "colspan" attribute is not allowed on the th element!
at org.apache.xalan.processor.TransformerFactoryImpl.newTemplates(TransformerFactoryImpl.java:925)
... 6 more
Caused by: org.xml.sax.SAXException: "colspan" attribute is not allowed on the th element!
javax.xml.transform.TransformerException: "colspan" attribute is not allowed on the th element!
at org.apache.xalan.processor.StylesheetHandler.error(StylesheetHandler.java:919)
at org.apache.xalan.processor.StylesheetHandler.error(StylesheetHandler.java:947)
at org.apache.xalan.processor.XSLTElementProcessor.setPropertiesFromAttributes(XSLTElementProcessor.java:347)
at org.apache.xalan.processor.XSLTElementProcessor.setPropertiesFromAttributes(XSLTElementProcessor.java:267)
at org.apache.xalan.processor.ProcessorLRE.startElement(ProcessorLRE.java:283)
at org.apache.xalan.processor.StylesheetHandler.startElement(StylesheetHandler.java:623)
at org.apache.xerces.parsers.AbstractSAXParser.startElement(Unknown Source)
at org.apache.xerces.parsers.AbstractXMLDocumentParser.emptyElement(Unknown Source)
at org.apache.xerces.impl.XMLNSDocumentScannerImpl.scanStartElement(Unknown Source)
at org.apache.xerces.impl.XMLDocumentFragmentScannerImpl$FragmentContentDispatcher.dispatch(Unknown Source)
at org.apache.xerces.impl.XMLDocumentFragmentScannerImpl.scanDocument(Unknown Source)
at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source)
at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source)
at org.apache.xerces.parsers.XMLParser.parse(Unknown Source)
at org.apache.xerces.parsers.AbstractSAXParser.parse(Unknown Source)
at org.apache.xerces.jaxp.SAXParserImpl$JAXPSAXParser.parse(Unknown Source)
at org.apache.xalan.processor.TransformerFactoryImpl.newTemplates(TransformerFactoryImpl.java:917)
... 6 more
Caused by: javax.xml.transform.TransformerException: "colspan" attribute is not allowed on the th element!
at org.apache.xalan.processor.StylesheetHandler.error(StylesheetHandler.java:904)
... 22 more
{code}

This worked properly in 2.7.1.
Am I missing setting a feature on the transformer factory? How would you transform a stylesheet that emits (X)HTML in secure processing mode using Xalan?



--
This message was sent by Atlassian JIRA
(v6.2#6252)
Mike Lyons (JIRA)
2014-08-21 01:40:39 UTC
[ https://issues.apache.org/jira/browse/XALANJ-2591?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Mike Lyons updated XALANJ-2591:
-------------------------------

Attachment: XSLTElementProcessor.patch

Attached is a possible patch that changes this behavior.

It is being contributed as a "small bugfix" per section 7.4 of the Xalan-J charter. The patch was created by me. My employer, CA Technologies, has approved contribution of this patch to the Xalan-J project. I'm not aware of any third-party licenses or other restrictions that could apply to this patch.


This patch changes XSLTElementProcessor to:

* Permit namespace declaration attributes in secure processing mode
* Permit foreign attributes in secure processing mode if not from a list of special namespaces
* Permit secure processing foreign attribute restrictions to be disabled completely with a system property

The patch is likely not ideal for Xalan-J in its raw form.


h4. Permit namespace declaration attributes in secure processing mode

Namespace declarations bypass foreign attribute restrictions.

Foreign attributes will be allowed if they are global attributes in one of the following namespace URIs:
http://www.w3.org/XML/1998/namespace
http://www.w3.org/2000/xmlns/

A preexisting hack (commented as "for Crimson. -sb") sets the first of these namespaces if the attribute qname is "xmlns" or starts with "xmlns:".

The intent of this change is to allow stylesheets input via DOMSource to function. Without it (or some other fix), namespace declarations hit the attribute processor and fail the foreign attributes check. (A work-around for this issue is to use a StreamSource instead.)


h4. Permit foreign attributes in secure processing mode if not from a list of special namespaces

Element literal results will bypass the foreign attribute check if they avoid possibly-problematic namespaces.

Foreign attributes will be permitted in secure processing mode as long as the attribute is not a global attribute in one of the following namespace URIs:

* http://xml.apache.org/xalan
* http://xml.apache.org/xslt
* http://icl.com/saxon
* http://www.w3.org/1999/XSL/Transform

and the element containing the attribute is an element literal result and is not in one of the above namespaces.

The intent of this change is to allow attributes to be emitted by stylesheets in secure mode. Without it (or some other fix), it would (apparently) not be possible to (for example) have a stylesheet that emits an XHTML output result (because Xalan would have rejected any attributes on any XHTML elements).


h4. Permit secure processing foreign attribute restrictions to be disabled completely with a system property

The system property "com.l7tech.org.apache.xalan.processor.allowAttributesInSecureMode" can be set to "true" to disable the foreign attribute restrictions in secure mode that were added in Xalan 2.7.2.

Enabling this may permit insecure use of the content-handler and entities attributes and should be avoided except as a last resort on systems that do not need to execute stylesheets from untrusted sources.

The intent of this change is to have a last-ditch fallback resort for existing systems that use secure mode and can't be made to work with the default behavior.

Possibly this part of the patch should not be included in Xalan-J. If it is, the system property should probably be renamed.
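As an added example (not the attached XSLTElementProcessor.patch and not Xalan code), the following Python models the three rules described above as a decision function beside the unpatched 2.7.2 behaviour, so both can be compared on the reporter's `<th colspan="2"/>` case; the element and attribute inputs are constructed.

```python
# Added example mirroring the three rules in the comment above; it is not the
# attached patch and not Xalan code. Inputs below are constructed.

XML_NS = "http://www.w3.org/XML/1998/namespace"
XMLNS_NS = "http://www.w3.org/2000/xmlns/"
XALAN_NS = "http://xml.apache.org/xalan"
XSLT_NS = "http://www.w3.org/1999/XSL/Transform"
# Namespaces whose global attributes stay restricted under the patch.
SPECIAL_NS = {XALAN_NS, "http://xml.apache.org/xslt", "http://icl.com/saxon", XSLT_NS}


def attribute_ns(qname, reported_ns):
    """The pre-existing 'for Crimson' hack: xmlns / xmlns:* get the XML
    namespace (the first of the two URIs) regardless of what the parser said."""
    if qname == "xmlns" or qname.startswith("xmlns:"):
        return XML_NS
    return reported_ns


def attribute_allowed(attr_qname, attr_ns, elem_ns, is_literal_result,
                      secure=True, patched=True, override=False):
    """Return True if a foreign attribute passes the secure-mode check.

    patched=False models released 2.7.2, where every foreign attribute is
    rejected in secure mode (the behaviour in the stack trace above).
    override models the proposed system property: it disables the check
    entirely, which is why the comment calls it a last resort.
    """
    if not secure:
        return True                      # check only applies in secure mode
    if not patched:
        return False                     # 2.7.2: reject unconditionally
    if override:
        return True                      # rule 3: property switches check off
    ns = attribute_ns(attr_qname, attr_ns)
    if ns in (XML_NS, XMLNS_NS):
        return True                      # rule 1: namespace declarations pass
    if is_literal_result and elem_ns not in SPECIAL_NS and ns not in SPECIAL_NS:
        return True                      # rule 2: plain LRE, non-special attr
    return False


def rejected(elem_qname, elem_ns, is_literal_result, attrs, **policy):
    """attrs: list of (qname, namespace_uri). Returns 2.7.2-style error
    messages for every attribute the chosen policy rejects."""
    return ['"%s" attribute is not allowed on the %s element!' % (q, elem_qname)
            for q, ns in attrs
            if not attribute_allowed(q, ns, elem_ns, is_literal_result, **policy)]


if __name__ == "__main__":
    th = [("colspan", "")]               # the reporter's <th colspan="2"/>
    print(rejected("th", "", True, th, patched=False))  # 2.7.2: one error
    print(rejected("th", "", True, th))                 # patched: []
```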
Tadayoshi Sato (JIRA)
2016-02-12 08:44:18 UTC
[ https://issues.apache.org/jira/browse/XALANJ-2591?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Tadayoshi Sato updated XALANJ-2591:
-----------------------------------
Attachment: xalan-test.zip

Another reproducer {{xalan-test.zip}} attached. Run the following commands:
{code}
$ cd xalan-test/
$ mvn clean test
{code}
and you'll see the test fails.
