[xmlsec] New xmlsec 1.2.17 release

Michael Stahl Michael.X.Stahl at Oracle.COM
Fri Apr 1 02:06:51 PDT 2011


hi Aleksey,

On 01/04/2011 01:51, Aleksey Sanin wrote:
> The new XML Security Library 1.2.17 release available at
> the usual place:
> 
>     http://www.aleksey.com/xmlsec/download.html
> 
> This release includes a fix for an important security issue
> with XSLT transforms (CVE-2011-1425, reported by Nicolas Gregoire):
> 
> When using XML Security Library prior to 1.2.17, it is possible
> to create or overwrite arbitrary files during signature verification,
> if XSLT is present and enabled (which is the default mode). The attack
> uses the libxslt extension "output" or its aliases, inside a
> <ds:Transform> element.
> 
> It is strongly recommended to upgrade to the new version of XML
> Security Library as soon as possible. If the upgrade cannot be
> performed, you can do one of the following:
> 
> - Explicitly call xsltNewSecurityPrefs() in your application and
>    forbid any access to file system as it is done in the following
>    commits:
> 
>     http://git.gnome.org/browse/xmlsec/commit/?id=2d5eddcc4163ea050cf3a3a1a25452bb5124f780
>     http://trac.webkit.org/changeset/79159

in the commit the problem is fixed by using xsltSetDefaultSecurityPrefs.
this sets the security prefs for the whole process (a global variable).

imho relying on global variables like this reduces the reusability of your
library.
can this problem be solved by using xsltSetCtxtSecurityPrefs instead?

there may be legitimate reasons why an application could need to use file
URLs in XSLT, especially if the XSLT will only be used with XML files
shipped together with the applications.

what happens if an application uses two libraries for unrelated purposes,
both of which use libxslt, one of which requires the ability to use file
URLs, the other forbidding the use of file URLs?

[btw, these globals are really flawed design in libxml/libxslt, and if you
search the libxml list archives you will find a rant from me on this very
topic...]

> - Recompile xmlsec library with disabled xslt support using
> 
>    ./configure --without-libxslt command

fortunately we do this, so we have no urgent need to upgrade :)

> - Disable XSLT transform if it is not used (see enabledUris field
>    in struct xmlSecTransformCtx)
> 
> Thanks to everyone for the contribution, patches and bug reports!
> 
> Aleksey Sanin

-- 
"I invented the term Object-Oriented, and I can tell you I did not
 have C++ in mind." -- Alan Kay