From: Operating system: Ubuntu 10.04 PHP version: 5.3.3 Package: XSLT related Bug Type: Bug Bug description:<xsl:include> and <xsl:import> are broken
Description: ------------ Somewhere between 5.3.0 and 5.3.2, the security model for XSL has been over tightened. XSL stylesheets which refer to other stylesheet by <xsl:import> or <xsl:include> now fail to work. Test script: --------------- <?php // PHP 5.3.2 XSLT BUG - <xsl:import> (and <xsl:include>) are broken $aDOM= new DOMDocument(); $aDOM->loadXML('<?xml version="1.0"?><etc/>'); $stylesheet= new DOMDocument(); $proc= new XSLTProcessor(); $stylesheet->loadXML('<?xml version="1.0"?><stylesheet version="1.0" xmlns="http://www.w3.org/1999/XSL/Transform"><import href="somesheet.xslt"/><template match="/"/></stylesheet>'); $proc->importStyleSheet($stylesheet); $oops= $proc->transformToDoc($aDOM); ?> Expected result: ---------------- Assuming there is a valid stylesheet at "somesheet.xslt", the transform should work as per the W3C spec. Am I missing something? Is there, for example, a way to set this security default somewhere? Or a class method for XSLTProcessor to disable this? Actual result: -------------- Warning: XSLTProcessor::importStylesheet() [xsltprocessor.importstylesheet]: error in /home/robin/f2f/hardcode/xsl-import.php on line 10 Warning: XSLTProcessor::importStylesheet() [xsltprocessor.importstylesheet]: Local file read for /home/robin/f2f/hardcode/somesheet.xslt refused in /home/robin/f2f/hardcode/xsl-import.php on line 10 Warning: XSLTProcessor::importStylesheet() [xsltprocessor.importstylesheet]: error in /home/robin/f2f/hardcode/xsl-import.php on line 10 Warning: XSLTProcessor::importStylesheet() [xsltprocessor.importstylesheet]: xsl:import: read rights for /home/robin/f2f/hardcode/somesheet.xslt denied in /home/robin/f2f/hardcode/xsl-import.php on line 10 Warning: XSLTProcessor::transformToDoc() [xsltprocessor.transformtodoc]: No stylesheet associated to this object in /home/robin/f2f/hardcode/xsl-import.php on line 11 -- Edit bug report at http://bugs.php.net/bug.php?id=53063&edit=1 -- Try a snapshot (PHP 5.2): http://bugs.php.net/fix.php?id=53063&r=trysnapshot52 Try a snapshot (PHP 5.3): http://bugs.php.net/fix.php?id=53063&r=trysnapshot53 Try a snapshot (trunk): http://bugs.php.net/fix.php?id=53063&r=trysnapshottrunk Fixed in SVN: http://bugs.php.net/fix.php?id=53063&r=fixed Fixed in SVN and need be documented: http://bugs.php.net/fix.php?id=53063&r=needdocs Fixed in release: http://bugs.php.net/fix.php?id=53063&r=alreadyfixed Need backtrace: http://bugs.php.net/fix.php?id=53063&r=needtrace Need Reproduce Script: http://bugs.php.net/fix.php?id=53063&r=needscript Try newer version: http://bugs.php.net/fix.php?id=53063&r=oldversion Not developer issue: http://bugs.php.net/fix.php?id=53063&r=support Expected behavior: http://bugs.php.net/fix.php?id=53063&r=notwrong Not enough info: http://bugs.php.net/fix.php?id=53063&r=notenoughinfo Submitted twice: http://bugs.php.net/fix.php?id=53063&r=submittedtwice register_globals: http://bugs.php.net/fix.php?id=53063&r=globals PHP 4 support discontinued: http://bugs.php.net/fix.php?id=53063&r=php4 Daylight Savings: http://bugs.php.net/fix.php?id=53063&r=dst IIS Stability: http://bugs.php.net/fix.php?id=53063&r=isapi Install GNU Sed: http://bugs.php.net/fix.php?id=53063&r=gnused Floating point limitations: http://bugs.php.net/fix.php?id=53063&r=float No Zend Extensions: http://bugs.php.net/fix.php?id=53063&r=nozend MySQL Configuration Error: http://bugs.php.net/fix.php?id=53063&r=mysqlcfg