Edit report at http://bugs.php.net/bug.php?id=52257&edit=1

 ID:                 52257
 Comment by:         dave at dajobe dot org
 Reported by:        matth at mlalonde dot net
 Summary:            module php5-librdf causes libxslt's security module
                     to fail
 Status:             Open
 Type:               Bug
 Package:            XSLT related
 Operating System:   Ubuntu LTS
 PHP Version:        5.3.2
 Block user comment: N

 New Comment:

(Found the add comment button!)

Just to explain a bit more why raptor does this.

It's using libxslt as part of the GRDDL rdf parser to execute XSLT
scripts off the web, never from local files.  So it makes sense to
refuse any local file read/write as the default security policy.

This does however conflict with general user-use of libxslt on local
files in another module, such as PHP's xslt module.

So in one memory namespace, you need to be both restrictive and
permissive, yet the *default* security policy can only be set
libxslt-wide:

http://www.xmlsoft.org/XSLT/html/libxslt-security.html#xsltSetDefaultSecurityPrefs

The context-specific policy can be different:

http://www.xmlsoft.org/XSLT/html/libxslt-security.html#xsltSetCtxtSecurityPrefs
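
The scoping conflict described in the comment above, as an added example that is not part of the bug report and is not libxslt, raptor or PHP code. It is a dependency-free C model with hypothetical names (policy, transform_ctx, set_default_policy, ctx_set_policy, import_allowed): one process-wide default policy slot next to a per-context policy. It assumes that an import resolved while a stylesheet is being compiled is checked against the process-wide default only; the /tmp path and example.org URL are constructed sample values.

```c
/* Added model, not libxslt or raptor code: all names are hypothetical. */
#include <stdio.h>
#include <string.h>

typedef struct { int local_read, network_read; } policy;   /* 1 = allow */
typedef struct { const policy *sec; } transform_ctx;

/* One slot per process: every module that links the library shares it. */
static const policy *default_policy = NULL;                /* NULL = allow all */
static const policy WEB_ONLY = { 0, 1 };                   /* GRDDL-style policy */

static void set_default_policy(const policy *p) { default_policy = p; }
static void ctx_init(transform_ctx *c) { c->sec = default_policy; }
static void ctx_set_policy(transform_ctx *c, const policy *p) { c->sec = p; }

static int is_local(const char *url) {
    return strstr(url, "://") == NULL || strncmp(url, "file://", 7) == 0;
}
static int check_read(const policy *p, const char *url) {
    if (p == NULL) return 1;
    return is_local(url) ? p->local_read : p->network_read;
}
/* Assumption: an import resolved while compiling a stylesheet has no
 * transform context yet, so only the process-wide default applies. */
static int import_allowed(const char *url) { return check_read(default_policy, url); }

static const char *HOST_IMPORT = "file:///var/www/pgadmin/temp/collection2.xsl";

/* Module A locks down the shared default; module B's import is refused. */
static int host_import_with_global_lockdown(void) {
    int ok;
    set_default_policy(&WEB_ONLY);
    ok = import_allowed(HOST_IMPORT);
    set_default_policy(NULL);           /* reset so scenarios stay independent */
    return ok;
}
/* Module A restricts only its own context; returns 1 when the host import
 * works and module A's context still refuses local reads. */
static int host_import_with_scoped_lockdown(void) {
    transform_ctx grddl;
    ctx_init(&grddl);
    ctx_set_policy(&grddl, &WEB_ONLY);
    return import_allowed(HOST_IMPORT)
        && !check_read(grddl.sec, "/tmp/constructed-local.xsl")
        && check_read(grddl.sec, "http://example.org/constructed.xsl");
}

int main(void) {
    printf("global lockdown: host import allowed = %d\n", host_import_with_global_lockdown());
    printf("scoped lockdown: host import allowed = %d\n", host_import_with_scoped_lockdown());
    return 0;
}
```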


Previous Comments:
------------------------------------------------------------------------
[2010-08-06 18:58:02] lsm...@php.net

some additional infos from Dave Beckett:

but anyway, more info at

http://bugs.librdf.org/mantis/view.php?id=379

I found I could duplicate the error and as I suspected if I made raptor
skip over xsltSetSecurityPrefs()  and xsltSetDefaultSecurityPrefs() calls,
the program works as expected.

I can probably patch raptor to fix this, then patch the librdf-php to
use that fix, but that's quite indirect.

Seems all libxslt users in the same memory space will have this issue.

------------------------------------------------------------------------
[2010-08-06 15:35:38] lsm...@php.net

to add some more context about the issue, I talked to the author of php
rdf ext on the #redland freenode IRC channel:

[15:23] <dajobe> lsmith: it's not the php module, it's raptor which redland uses
[15:23] <dajobe> it sets the libxslt security policy
[15:24] <dajobe> http://librdf.org/raptor/api-1.4/raptor-section-general.html#raptor-set-libxslt-security-preferences
[15:25] <dajobe> it's hard to do - how is raptor/redland suppose to know when a calling application is also wanting to adjust parameters of a shared library
[15:26] <dajobe> it's the calling app's responsibility - php in this case

------------------------------------------------------------------------
[2010-07-30 10:55:44] penny at liip dot ch

I had exactly the same problem with the following versions:

libxslt1.1          1.1.24-2
php5                5.2.6.dfsg.1-1+lenny8
php5-librdf         1.0.7.1-1+b1

Purging php5-librdf fixed the problem.

------------------------------------------------------------------------
[2010-07-06 00:46:03] matth at mlalonde dot net

Description:
------------
I have been able to replicate under three environments running Ubuntu LTS
php5 (cli, cgi or mod_php), libxslt 1.1.26 and the php5 module and
librdf0 and the php5 module.

With the above setup, any <xsl:import href="local/file.xsl" /> call will
fail with the error

XSLTProcessor::importStylesheet(): Local file read for
/path/to/local/file.xsl refused

Using XSLCache will result in a segfault and no errors.

Removing php5's librdf module fixes the issue.

Test script:
---------------
# a.php

<?php
ini_set('display_errors', 1);
ini_set('error_reporting', E_ALL|E_STRICT|E_NOTICE);

//phpinfo();

$doc = new DOMDocument();
$xsl = new XSLTProcessor();

$xsl_filename = __DIR__ . '/collection.xsl';
$xml_filename = __DIR__ . '/collection.xml';

$doc->load($xsl_filename);
$xsl->importStyleSheet($doc);

$doc->load($xml_filename);
echo $xsl->transformToXML($doc);



# collection.xml

<collection>
 <cd>
  <title>Fight for your mind</title>
  <artist>Ben Harper</artist>
  <year>1995</year>
 </cd>
 <cd>
  <title>Electric Ladyland</title>
  <artist>Jimi Hendrix</artist>
  <year>1997</year>
 </cd>
</collection>



# collection.xsl

<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
 <xsl:import href="file:///var/www/pgadmin/temp/collection2.xsl" />
 <xsl:param name="owner" select="'Nicolas Eliaszewicz'"/>
 <xsl:output method="html" encoding="iso-8859-1" indent="no"/>
 <xsl:template match="collection">
  Hey! Welcome to <xsl:value-of select="$owner"/>'s sweet CD collection!
  <xsl:apply-templates/>
 </xsl:template>
 <xsl:template match="cd">
  <h1><xsl:value-of select="title"/></h1>
  <h2>by <xsl:value-of select="artist"/> - <xsl:value-of select="year"/></h2>
  <hr />
 </xsl:template>
</xsl:stylesheet>



# collection2.xsl

<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
 <xsl:param name="owner" select="'Nicolas Eliaszewicz'"/>
 <xsl:output method="html" encoding="iso-8859-1" indent="no"/>
 <xsl:template match="collection">
  Hey! Welcome to <xsl:value-of select="$owner"/>'s sweet CD collection!
  <xsl:apply-templates/>
 </xsl:template>
 <xsl:template match="cd">
  <h1><xsl:value-of select="title"/></h1>
  <h2>by00 <xsl:value-of select="artist"/> - <xsl:value-of select="year"/></h2>
  <hr />
 </xsl:template>
</xsl:stylesheet>



Expected result:
----------------
A parsed XSLT document with the imported stylesheets. And no errors ;)

Actual result:
--------------
Warning: XSLTProcessor::importStylesheet(): error in /var/www/temp/a.php on line 14

Call Stack:
    0.0002     627304   1. {main}() /var/www/temp/a.php:0
    0.0006     631128   2. XSLTProcessor->importStylesheet() /var/www/temp/a.php:14

Warning: XSLTProcessor::importStylesheet(): Local file read for file:///var/www/pgadmin/temp/collection2.xsl refused in /var/www/temp/a.php on line 14

Call Stack:
    0.0002     627304   1. {main}() /var/www/temp/a.php:0
    0.0006     631128   2. XSLTProcessor->importStylesheet() /var/www/temp/a.php:14




------------------------------------------------------------------------


