Re: Bug Severity Help
On Tue, Oct 07, 2014 at 11:40:53PM -0400, Bill Blough wrote:
> In my opinion, people *shouldn't* be running untrusted stylesheets any more
> than they should run untrusted shell scripts or other code. If we conveniently
> ignore that sometimes people do things that are unwise, then I would say the
> likelihood is low.
In that case, it's a "normal" severity bug at most. Most Turing-complete
languages allow OOMing, and if Xalan stylesheets can already run arbitrary
code, an attacker can do things a lot funnier than just OOM.
--
// If you believe in so-called "intellectual property", please immediately
// cease using counterfeit alphabets. Instead, contact the nearest temple
// of Amon, whose priests will provide you with scribal services for all
// your writing needs, for Reasonable and Non-Discriminatory prices.