anvc / scalar

Born-digital, open source, media-rich scholarly publishing that’s as easy as blogging.

Malicious code injection opportunity #64

Open crism opened 7 years ago

crism commented 7 years ago

When loading media resources from a remote service, the XSL transformation file is specified in the form submission parameters as a URI. The Scalar server fetches this resource from the specified URI and applies it; the form submission could easily be presented with a maliciously-crafted XSLT, and Scalar will naïvely execute it. The remote-resource processing XSLT should only be loaded from the local filesystem, installed with Scalar or with a trusted plugin.

craigdietrich commented 7 years ago

Yes, great catch! I've been meaning to validate the values against Scalar's list of archives (archives.rdf). Will add to the list.
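The pattern the opening comment describes (a stylesheet location taken verbatim from the form submission) next to the allowlist approach suggested in the reply, as a stand-alone Python illustration added here; it is not code from this thread or from Scalar, and the archive identifiers, file names and directory layout are constructed for the example rather than taken from archives.rdf:

```python
"""
Added example (not Scalar's own code): resolving a caller-supplied XSLT
selector against a fixed set of locally installed stylesheets instead of
fetching whatever URI the request names. The allowlist contents and the
temporary directory are constructed for illustration only.
"""
import os
import tempfile
from urllib.parse import urlsplit


class UntrustedStylesheet(ValueError):
    """Raised when a form parameter does not name an installed stylesheet."""


# Constructed allowlist: archive identifier -> stylesheet shipped with the
# application. In a deployment this would be derived from the installed
# archive descriptions (the archives.rdf mentioned in the thread), never
# from the request itself.
TRUSTED_STYLESHEETS = {
    "example-archive": "example-archive.xsl",
    "other-archive": "other-archive.xsl",
}


def resolve_xslt_unsafe(params):
    """The pattern the issue describes: the stylesheet location is whatever
    the form says it is, so a URI on an attacker-controlled host is fetched
    and executed like any other. Returned here instead of fetched."""
    return params["xsl"]


def resolve_xslt_safe(params, xslt_dir, allowlist=TRUSTED_STYLESHEETS):
    """Map the 'archive' form parameter to a stylesheet on the local disk.

    Three independent checks, each stopping a different bypass:
      1. the value must be a bare identifier present in the allowlist (no
         URI scheme, no path separators), so a remote location can never
         be selected;
      2. the allowlisted file name is joined to the trusted directory and
         the resolved real path must still lie inside that directory, which
         catches symlinks or a tampered allowlist entry;
      3. the file must actually exist there.
    """
    archive = params.get("archive", "")
    if (urlsplit(archive).scheme or "/" in archive or "\\" in archive
            or archive in ("", ".", "..")):
        raise UntrustedStylesheet(f"not an archive identifier: {archive!r}")
    if archive not in allowlist:
        raise UntrustedStylesheet(f"unknown archive: {archive!r}")
    root = os.path.realpath(xslt_dir)
    path = os.path.realpath(os.path.join(root, allowlist[archive]))
    if os.path.commonpath([root, path]) != root:
        raise UntrustedStylesheet(f"stylesheet escapes trusted directory: {path}")
    if not os.path.isfile(path):
        raise UntrustedStylesheet(f"stylesheet not installed: {path}")
    return path


def demo():
    """Build a throwaway trusted directory and exercise both resolvers.

    Returns a dict of outcomes so the behaviour can be checked by a caller.
    """
    with tempfile.TemporaryDirectory() as xslt_dir:
        # Install the two "trusted" stylesheets (empty but well-formed).
        for name in TRUSTED_STYLESHEETS.values():
            with open(os.path.join(xslt_dir, name), "w", encoding="utf-8") as fh:
                fh.write('<xsl:stylesheet version="1.0" '
                         'xmlns:xsl="http://www.w3.org/1999/XSL/Transform"/>\n')

        results = {}
        # Unsafe resolver: the remote URI is accepted verbatim.
        results["unsafe"] = resolve_xslt_unsafe(
            {"xsl": "http://attacker.invalid/evil.xsl"})
        # Safe resolver: a known identifier yields the installed file.
        results["safe_ok"] = os.path.basename(
            resolve_xslt_safe({"archive": "example-archive"}, xslt_dir))
        # Safe resolver: everything else is refused.
        probes = {
            "remote": "http://attacker.invalid/evil.xsl",
            "traversal": "../../etc/passwd",
            "unknown": "not-installed",
        }
        for label, value in probes.items():
            try:
                resolve_xslt_safe({"archive": value}, xslt_dir)
                results[label] = "accepted"
            except UntrustedStylesheet:
                results[label] = "rejected"
        # A tampered allowlist entry pointing outside the directory is also
        # refused by the containment check, even though the identifier is valid.
        try:
            resolve_xslt_safe({"archive": "x"}, xslt_dir,
                              allowlist={"x": "../outside.xsl"})
            results["tampered"] = "accepted"
        except UntrustedStylesheet:
            results["tampered"] = "rejected"
        return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the safe resolver is that the request only ever selects among stylesheets the operator installed; it never supplies a location. The containment check is kept even though the allowlist is trusted, because it costs nothing and turns a mistake in the allowlist into a refusal rather than a file read outside the directory.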

craigdietrich commented 7 years ago

@crism Would you be able to put this on our repository as a pull request?

craigdietrich commented 6 years ago

Has this been included in anvc/scalar's repository?

crism commented 6 years ago

#62 is still open, and the PR #66 is still open as well; accepting #66 will fix this (#64). I didn’t make a PR specifically to fix this one, but I could try and tease it apart if you want to fix this without accepting #66.