Details
- Type: Improvement
- Status: Resolved
- Priority: Major
- Resolution: Not A Problem
Description
W3C's 'XML Signature Best Practices' discusses some risks of XSL transformations in XML signature verifications, and suggests that implementations "may provide interfaces to allow the application to optionally disable support for it". (https://www.w3.org/TR/xmldsig-bestpractices/#xslt-denial)
This functionality has caused security issues in the past; see, for example, this related CVE: https://nvd.nist.gov/vuln/detail/CVE-2022-34169
Would you consider adding support to optionally disable XSL transformations in XML signature verifications? That would allow applications that don't use the feature to 'defend in depth' against misuses of the feature.
One potential approach would be to add a system property (for example `org.apache.xml.internal.security.transforms.implementations.TransformXSLT.enableXSLTInXMLSignatures`) that disables the functionality.
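
An application-side check in the spirit of the request above, as an added example that is not part of the original issue or of the library's code: it scans a parsed document for any `ds:Transform` that names the XSLT algorithm, so the caller can reject the message before signature validation. The class and method names are hypothetical, and the sample documents are constructed.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.crypto.dsig.Transform;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class XsltTransformGuard {  // hypothetical helper, not a library class

    /** True if any ds:Transform in the document declares the XSLT algorithm. */
    static boolean usesXslt(Document doc) {
        // Scans the whole document, so Transforms under ds:Reference and under
        // ds:RetrievalMethod are both covered. This fails closed: a ds:Transform
        // that appears only in signed payload content is rejected as well.
        NodeList transforms = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Transform");
        for (int i = 0; i < transforms.getLength(); i++) {
            String alg = ((Element) transforms.item(i)).getAttribute("Algorithm");
            if (Transform.XSLT.equals(alg.trim())) {
                return true;
            }
        }
        return false;
    }

    /** Namespace-aware parse with DOCTYPE declarations refused. */
    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        byte[] bytes = xml.getBytes(StandardCharsets.UTF_8);
        return dbf.newDocumentBuilder().parse(new ByteArrayInputStream(bytes));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a signature skeleton with one Reference transform.
        String template = "<ds:Signature xmlns:ds='" + XMLSignature.XMLNS + "'><ds:SignedInfo>"
            + "<ds:Reference URI=''><ds:Transforms><ds:Transform Algorithm='%s'/>"
            + "</ds:Transforms></ds:Reference></ds:SignedInfo></ds:Signature>";
        for (String alg : new String[] { Transform.ENVELOPED, Transform.XSLT }) {
            Document doc = parse(String.format(template, alg));
            System.out.println(alg + " -> " + (usesXslt(doc) ? "reject" : "continue to validation"));
        }
    }
}
```

Call `usesXslt` on the parsed document before handing the `Signature` element to the validator. The JSR 105 secure validation mode (the `org.jcp.xml.dsig.secureValidation` property on the validate context) also refuses XSLT transforms.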