Say for the sake of discussion that I wanted to provide a service for people to transform XML documents by uploading their own XSLT files to my server. How insecure is this?
I know XSLT can get you into infinite recursion, but some kind of time limit on the script along with appropriate error handling would probably be enough to make that not too much of an issue. Potentially worse are things like the document() function that can suck any XML document into the stylesheet -- a person could make the server repeatedly download huge XML files in an attempt to cripple the server. I would hope that any XSLT processor I used would allow me to disable the document() function.
Are there any other security considerations to worry about with allowing people to execute arbitrary XSLT on your server?
Saturday, July 10, 2004
Permalink
Feel free to post a comment below. Please see my comment policy.
Formatting Rules (No HTML):