Should setting configuration property http://saxon.sf.net/feature/allowedProtocols to e.g. `http,https` disable uri-collection('file:/?select=*.*')?
Added by Martin Honnen almost 2 years ago
It seems that setting http://saxon.sf.net/feature/allowedProtocols to e.g. `http,https` with the intent to disallow access to the local file system prevents any direct access in the form of e.g. `unparsed-text('file:/foo/bar/file.txt')`, but it looks (tested with Saxon HE 12 J and C) as if `uri-collection('file:/?select=*.*')` continues to work, meaning it returns the file URIs of found files.

Is that intended?

Is my only way to prevent the use of `uri-collection('file:/?select=*')` to sniff around what's on the local file system by using lower-level APIs like my own resolver?

Saxonica Developer Community notifications@plan.io writes:

> HE 12 J and C) as if `uri-collection('file:/?select=*.*')` continues to work, meaning it
> returns the file URIs of found files.

Indeed. At a quick glance, neither the uri-collection() nor collection()
functions seem to take the allowedProtocols into consideration. They
don’t go through the resolver (the resolver has no facility for
returning collections anyway).
Seems like a bug. Or at least, a missing feature.
Be seeing you,
norm
--
Norm Tovey-Walsh
Saxonica
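
One way to close the gap discussed in this thread from application code, as an added example that is not from either poster or from Saxonica: wrap the configuration's collection finder so that collection URIs get the same scheme check. It assumes Saxon's `CollectionFinder` interface and `Configuration.setCollectionFinder`; the class name, `schemeAllowed` and `guarded` are hypothetical.

```java
import net.sf.saxon.Configuration;
import net.sf.saxon.expr.XPathContext;
import net.sf.saxon.lib.CollectionFinder;
import net.sf.saxon.lib.ResourceCollection;
import net.sf.saxon.s9api.Processor;
import net.sf.saxon.s9api.SaxonApiException;
import net.sf.saxon.trans.XPathException;
import java.net.URI;
import java.util.Locale;
import java.util.Set;

public class SchemeCheckedCollections {   // hypothetical class name
    static final Set<String> ALLOWED = Set.of("http", "https");

    // Fail closed: a null (default collection), relative or unparseable URI is rejected.
    static boolean schemeAllowed(String uri) {
        if (uri == null) return false;
        try {
            String scheme = URI.create(uri).getScheme();
            return scheme != null && ALLOWED.contains(scheme.toLowerCase(Locale.ROOT));
        } catch (IllegalArgumentException e) {
            return false;
        }
    }

    // Wraps the existing finder so the scheme is checked before any lookup happens.
    static CollectionFinder guarded(CollectionFinder delegate) {
        return new CollectionFinder() {
            @Override
            public ResourceCollection findCollection(XPathContext context, String collectionURI)
                    throws XPathException {
                if (!schemeAllowed(collectionURI)) {
                    throw new XPathException("Collection URI scheme not allowed: " + collectionURI);
                }
                return delegate.findCollection(context, collectionURI);
            }
        };
    }

    public static void main(String[] args) {
        Processor processor = new Processor(false);
        Configuration config = processor.getUnderlyingConfiguration();
        config.setConfigurationProperty("http://saxon.sf.net/feature/allowedProtocols", "http,https");
        config.setCollectionFinder(guarded(config.getCollectionFinder()));
        try {
            processor.newXPathCompiler().evaluate("uri-collection('file:/?select=*.*')", null);
            System.out.println("uri-collection was NOT blocked");
        } catch (SaxonApiException e) {
            System.out.println("blocked: " + e.getMessage());
        }
    }
}
```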