Bug #3807
closedFeatureKeys.ALLOW_EXTERNAL_FUNCTIONS=false does not block external function calls anymore?
100%
Description
Hello,
I'm currently in the process of updating an application that was previously running with Saxon PE 9.6.0.6 to 9.8. Everything is fine, but one security related test is failing which is testing the execution of an external function using EXPaths @file:base-dir()@.
The test case in fact is expected to fail, because FeatureKeys.ALLOW_EXTERNAL_FUNCTIONS
is set to false
in this particular case. To my surpise however, this code is now executing flawlessly with 9.8.
I have reproduced the same behaviour using the command line. Please find the attached example and screenshots.
Is this supposed to be working now and I just need to unregister these functions manually?
Thanks in advance for clearing this up!
Files
Updated by Michael Kay over 6 years ago
ALLOW_EXTERNAL_FUNCTIONS=false has always blocked functions implemented as extension functions, and has never blocked functions implemented as system functions. What has changed is the implementation of file:base-dir, moving it from one category to the other.
In fact all the EXPathFile functions other than file:base-dir are implemented as reflexive extension functions and so should be disabled with this configuration setting. The file:base-dir() function is the only exception: this is implemented as a system function to allow compile-time pre-evaluation.
In 9.6, file:base-dir was implemented as an integrated extension function because this was the only way of providing access to the static context. In 9.8 it moved to being a System function, along with a few other cases where we were implementing built in functions using the extension function mechanism. I think that at the same time, almost as a side effect, it changed so that it would be evaluated statically. However, it's not clear that this is a good thing, since with XSLT compiled packages, it should really return the deployment location rather than the compile time code location. The static-base-uri() function has changed so that static evaluation doesn't occur if the package is marked as relocatable; this function should really do the same.
Incidentally, we don't provide any way of disabling the system function static-base-uri(), which provides much the same information. In both cases, however, you can disguise the static base URI by setting it explicitly when you compile the stylesheet or query.
Updated by Michael Kay over 6 years ago
- Category set to Saxon extensions
- Status changed from New to Resolved
- Assignee set to Michael Kay
- Applies to branch trunk added
- Fix Committed on Branch 9.8, trunk added
I have changed ProfessionalConfiguration and EnterpriseConfiguration so that the (single-function) EXPathFileFunctionSet is only added to the library list if ALLOW_EXTERNAL_FUNCTIONS is set.
I have also changed file:base-dir() so that it is not evaluated at compile time if the package is marked as relocatable. This brings it into line with the static-base-uri() function.
Updated by Debbie Lockett over 6 years ago
- Status changed from Resolved to Closed
- % Done changed from 0 to 100
- Fixed in Maintenance Release 9.8.0.14 added
Bug fix applied in the Saxon 9.8.0.14 maintenance release.
Please register to edit this issue