summaryrefslogtreecommitdiff
path: root/external/xmlsec
diff options
context:
space:
mode:
authorMichael Stahl <michael.stahl@allotropia.de>2021-08-12 12:23:34 +0200
committerMichael Stahl <michael.stahl@allotropia.de>2021-08-13 11:20:23 +0200
commit27864eb5b085d4f7a881e24d1e4509f18c320849 (patch)
tree21259ff544f19467b134d09c5bf2ed38fef83068 /external/xmlsec
parentc7685f030fe39ff25c4ad30bc94e28ead7476934 (diff)
xmlsec: add XSLT safety warning label
Change-Id: I8d5ac40ec0c0b0a9fb3fb369578ff1f14b512254 Reviewed-on: https://gerrit.libreoffice.org/c/core/+/120387 Reviewed-by: Michael Stahl <michael.stahl@allotropia.de> Tested-by: Jenkins
Diffstat (limited to 'external/xmlsec')
-rw-r--r--external/xmlsec/ExternalProject_xmlsec.mk7
1 files changed, 7 insertions, 0 deletions
diff --git a/external/xmlsec/ExternalProject_xmlsec.mk b/external/xmlsec/ExternalProject_xmlsec.mk
index 4fa4aea834b1..d1e2e5af2707 100644
--- a/external/xmlsec/ExternalProject_xmlsec.mk
+++ b/external/xmlsec/ExternalProject_xmlsec.mk
@@ -18,6 +18,13 @@ $(eval $(call gb_ExternalProject_register_targets,xmlsec,\
build \
))
+# note: it's possible to use XSLT in XML signatures - that appears to be a
+# really bad idea from a security point of view though, because it will run
+# an XSLT script supplied as untrusted input, and XSLT implementations
+# tend to have extension functions, and some of these trivially allow
+# running arbitrary code... so investigate the situation with libxslt
+# before enabling it here; hopefully nobody uses XSLT in practice anyway.
+
ifeq ($(OS),WNT)
$(eval $(call gb_ExternalProject_use_nmake,xmlsec,build))
generated by cgit (git 2.34.1) at 2025-01-10 15:51:24 +0000