From:
Operating system: Ubuntu 10.04
PHP version: 5.3.3
Package: XSLT related
Bug Type: Bug
Bug description:<xsl:include> and <xsl:import> are broken
Description:
------------
Somewhere between 5.3.0 and 5.3.2, the security model for XSL has been over
tightened. XSL stylesheets which refer to other stylesheet by <xsl:import>
or <xsl:include> now fail to work.
Test script:
---------------
<?php
// PHP 5.3.2 XSLT BUG - <xsl:import> (and <xsl:include>) are broken
$aDOM= new DOMDocument();
$aDOM->loadXML('<?xml version="1.0"?><etc/>');
$stylesheet= new DOMDocument();
$proc= new XSLTProcessor();
$stylesheet->loadXML('<?xml version="1.0"?><stylesheet version="1.0"
xmlns="http://www.w3.org/1999/XSL/Transform";><import
href="somesheet.xslt"/><template match="/"/></stylesheet>');
$proc->importStyleSheet($stylesheet);
$oops= $proc->transformToDoc($aDOM);
?>
Expected result:
----------------
Assuming there is a valid stylesheet at "somesheet.xslt", the transform
should work as per the W3C spec.
Am I missing something? Is there, for example, a way to set this security
default somewhere? Or a class method for XSLTProcessor to disable this?
Actual result:
--------------
Warning: XSLTProcessor::importStylesheet()
[xsltprocessor.importstylesheet]: error in
/home/robin/f2f/hardcode/xsl-import.php on line 10
Warning: XSLTProcessor::importStylesheet()
[xsltprocessor.importstylesheet]: Local file read for
/home/robin/f2f/hardcode/somesheet.xslt refused in
/home/robin/f2f/hardcode/xsl-import.php on line 10
Warning: XSLTProcessor::importStylesheet()
[xsltprocessor.importstylesheet]: error in
/home/robin/f2f/hardcode/xsl-import.php on line 10
Warning: XSLTProcessor::importStylesheet()
[xsltprocessor.importstylesheet]: xsl:import: read rights for
/home/robin/f2f/hardcode/somesheet.xslt denied in
/home/robin/f2f/hardcode/xsl-import.php on line 10
Warning: XSLTProcessor::transformToDoc() [xsltprocessor.transformtodoc]: No
stylesheet associated to this object in
/home/robin/f2f/hardcode/xsl-import.php on line 11
--
Edit bug report at http://bugs.php.net/bug.php?id=53063&edit=1
--
Try a snapshot (PHP 5.2):
http://bugs.php.net/fix.php?id=53063&r=trysnapshot52
Try a snapshot (PHP 5.3):
http://bugs.php.net/fix.php?id=53063&r=trysnapshot53
Try a snapshot (trunk):
http://bugs.php.net/fix.php?id=53063&r=trysnapshottrunk
Fixed in SVN:
http://bugs.php.net/fix.php?id=53063&r=fixed
Fixed in SVN and need be documented:
http://bugs.php.net/fix.php?id=53063&r=needdocs
Fixed in release:
http://bugs.php.net/fix.php?id=53063&r=alreadyfixed
Need backtrace:
http://bugs.php.net/fix.php?id=53063&r=needtrace
Need Reproduce Script:
http://bugs.php.net/fix.php?id=53063&r=needscript
Try newer version:
http://bugs.php.net/fix.php?id=53063&r=oldversion
Not developer issue:
http://bugs.php.net/fix.php?id=53063&r=support
Expected behavior:
http://bugs.php.net/fix.php?id=53063&r=notwrong
Not enough info:
http://bugs.php.net/fix.php?id=53063&r=notenoughinfo
Submitted twice:
http://bugs.php.net/fix.php?id=53063&r=submittedtwice
register_globals:
http://bugs.php.net/fix.php?id=53063&r=globals
PHP 4 support discontinued: http://bugs.php.net/fix.php?id=53063&r=php4
Daylight Savings: http://bugs.php.net/fix.php?id=53063&r=dst
IIS Stability:
http://bugs.php.net/fix.php?id=53063&r=isapi
Install GNU Sed:
http://bugs.php.net/fix.php?id=53063&r=gnused
Floating point limitations:
http://bugs.php.net/fix.php?id=53063&r=float
No Zend Extensions:
http://bugs.php.net/fix.php?id=53063&r=nozend
MySQL Configuration Error:
http://bugs.php.net/fix.php?id=53063&r=mysqlcfg
