Bug #52257 [Opn]: module php5-librdf causes libxslt's security module to fail

Fri, 06 Aug 2010 06:35:52 -0700 

Edit report at http://bugs.php.net/bug.php?id=52257&edit=1

 ID:                 52257
 Updated by:         lsm...@php.net
 Reported by:        matth at mlalonde dot net
 Summary:            module php5-librdf causes libxslt's security module
                     to fail
 Status:             Open
 Type:               Bug
 Package:            XSLT related
 Operating System:   Ubuntu LTS
 PHP Version:        5.3.2
 Block user comment: N

 New Comment:

to add some more context about the issue, i talked to the author of php
rdf ext 

on the #reland freenode IRC channel:



[15:23] <dajobe> lsmith: it's not the php module, it's raptor which
redland uses

[15:23] <dajobe> it sets the libxslt security policy

[15:24] <dajobe> http://librdf.org/raptor/api-1.4/raptor-section-

general.html#raptor-set-libxslt-security-preferences

[15:25] <dajobe> it's hard to do - how is raptor/redland suppose to know
when a 

calling application is also wanting to adjust parameters of a shared
library

[15:26] <dajobe> it's the calling app's responsibility - php in this
case


Previous Comments:
------------------------------------------------------------------------
[2010-07-30 10:55:44] penny at liip dot ch

I had exactly the same problem with the following versions:



libxslt1.1          1.1.24-2

php5                5.2.6.dfsg.1-1+lenny8

php5-librdf         1.0.7.1-1+b1



Purging php5-librdf fixed the problem.

------------------------------------------------------------------------
[2010-07-06 00:46:03] matth at mlalonde dot net

Description:
------------
I have been able to replicate under three environment running Ubuntu LTS
php5 (cli, cgi or mod_php), libxslt 1.1.26 and the php5 module and
librdf0 and the php5 module.



With the above setup, any <xsl:import href="local/file.xsl" /> call will
fail with the error



XSLTProcessor::importStylesheet(): Local file read for
/path/to/local/file.xsl refused



Using XSLCache will result in a segfault and no errors.



Removing php5's librdf module fixes the issue.

Test script:
---------------
# a.php 

<?php

ini_set('display_errors', 1);

ini_set('error_reporting', E_ALL|E_STRICT|E_NOTICE);



//phpinfo();



$doc = new DOMDocument();

$xsl = new XSLTProcessor();



$xsl_filename = __DIR__ . '/collection.xsl';

$xml_filename = __DIR__ . '/collection.xml';



$doc->load($xsl_filename);

$xsl->importStyleSheet($doc);



$doc->load($xml_filename);

echo $xsl->transformToXML($doc);



# collection.xml

<collection>

 <cd>

  <title>Fight for your mind</title>

  <artist>Ben Harper</artist>

  <year>1995</year>

 </cd>

 <cd>

  <title>Electric Ladyland</title>

  <artist>Jimi Hendrix</artist>

  <year>1997</year>

 </cd>

</collection>



# collection.xsl

<xsl:stylesheet version="1.0"
xmlns:xsl="http://www.w3.org/1999/XSL/Transform";>

 <xsl:import href="file:///var/www/pgadmin/temp/collection2.xsl" />

 <xsl:param name="owner" select="'Nicolas Eliaszewicz'"/>

 <xsl:output method="html" encoding="iso-8859-1" indent="no"/>

 <xsl:template match="collection">

  Hey! Welcome to <xsl:value-of select="$owner"/>'s sweet CD
collection!

  <xsl:apply-templates/>

 </xsl:template>

 <xsl:template match="cd">

  <h1><xsl:value-of select="title"/></h1>

  <h2>by <xsl:value-of select="artist"/> - <xsl:value-of
select="year"/></h2>

  <hr />

 </xsl:template>

</xsl:stylesheet>



# collection2.xsl

<xsl:stylesheet version="1.0"
xmlns:xsl="http://www.w3.org/1999/XSL/Transform";>

 <xsl:param name="owner" select="'Nicolas Eliaszewicz'"/>

 <xsl:output method="html" encoding="iso-8859-1" indent="no"/>

 <xsl:template match="collection">

  Hey! Welcome to <xsl:value-of select="$owner"/>'s sweet CD
collection!

  <xsl:apply-templates/>

 </xsl:template>

 <xsl:template match="cd">

  <h1><xsl:value-of select="title"/></h1>

  <h2>by00 <xsl:value-of select="artist"/> - <xsl:value-of
select="year"/></h2>

  <hr />

 </xsl:template>

</xsl:stylesheet>



Expected result:
----------------
A parsed XSLT document with the imported stylesheets. And no errors ;)

Actual result:
--------------
Warning: XSLTProcessor::importStylesheet(): error in /var/www/temp/a.php
on line 14



Call Stack:

    0.0002     627304   1. {main}() /var/www/temp/a.php:0

    0.0006     631128   2. XSLTProcessor->importStylesheet()
/var/www/temp/a.php:14





Warning: XSLTProcessor::importStylesheet(): Local file read for
file:///var/www/pgadmin/temp/collection2.xsl refused in
/var/www/temp/a.php on line 14



Call Stack:

    0.0002     627304   1. {main}() /var/www/temp/a.php:0

    0.0006     631128   2. XSLTProcessor->importStylesheet()
/var/www/temp/a.php:14




------------------------------------------------------------------------



-- 
Edit this bug report at http://bugs.php.net/bug.php?id=52257&edit=1

Reply via email to