details: http://freenginx.org/hg/nginx/rev/6c1b100b965a branches: changeset: 9433:6c1b100b965a user: Maxim Dounin <[email protected]> date: Fri Oct 31 08:08:06 2025 +0300 description: Xslt: fixed xml_entities to be resolved from prefix.
Previously, relative values of xml_entities set in the configuration were not processed with ngx_conf_full_name() and therefore resolved from the process current working directory, leading to changes in behaviour depending on the current directory during startup. This also differs from the expected behaviour of configuration directives, where relative paths are expected to be resolved either from prefix or from configuration prefix. Fix is to use ngx_conf_full_name() to resolve xml_entities from prefix. Note that xml_entities is handled by libxml2 xmlParseDTD() and therefore might be used with URIs, such as "http://example.com/entities.dtd"; or "file:///path/to/entities.dtd". This possibility was never documented though, and highly questionable, especially nowadays (in particular, due to no HTTPS support). Further, support for HTTP URIs was disabled by default in libxml2 2.13.0 and completely removed in libxml2 2.15.0. As such, URIs are not specially handled and therefore effectively disabled by this change. diffstat: src/http/modules/ngx_http_xslt_filter_module.c | 4 ++++ 1 files changed, 4 insertions(+), 0 deletions(-) diffs (14 lines): diff --git a/src/http/modules/ngx_http_xslt_filter_module.c b/src/http/modules/ngx_http_xslt_filter_module.c --- a/src/http/modules/ngx_http_xslt_filter_module.c +++ b/src/http/modules/ngx_http_xslt_filter_module.c @@ -834,6 +834,10 @@ ngx_http_xslt_entities(ngx_conf_t *cf, n value = cf->args->elts; + if (ngx_conf_full_name(cf->cycle, &value[1], 0) != NGX_OK) { + return NGX_CONF_ERROR; + } + xmcf = ngx_http_conf_get_module_main_conf(cf, ngx_http_xslt_filter_module); file = xmcf->dtd_files.elts;
