Edit report at https://bugs.php.net/bug.php?id=52257&edit=1
ID: 52257
Comment by: jdmadea at gmail dot com
Reported by: matth at mlalonde dot net
Summary: module php5-librdf causes libxslt's security module
to fail
Status: Open
Type: Bug
Package: XSLT related
Operating System: Ubuntu LTS
PHP Version: 5.3.2
Block user comment: N
Private report: N
New Comment:
I have some PHP code using librdf. I use php from the command line to run unit
tests. I also use it to generate documentation with phpDocumentor which, of
course, uses libxslt.
It took a while to work out why phpDocumentor was failing. The error, for the
sake of people searching and having difficulty finding any info, was:
PHP Warning: XSLTProcessor::importStylesheet(): error in
/usr/share/php/phpDocumentor/src/phpDocumentor/Plugin/Core/Transformer/Writer/Xsl.php on line 62
> It's using libxslt as part of the GRDDL rdf parser to execute XSLT scripts off
> the web, never from local files. So it makes sense to refuse any local file
> read/write as the default security policy.
That seems like an unnecessary policy to me. Surely remote files are generally
less safe than local ones.
Previous Comments:
------------------------------------------------------------------------
[2010-08-06 19:45:04] dave at dajobe dot org
(Found the add comment button!)
Just to explain a bit more why raptor does this.
It's using libxslt as part of the GRDDL rdf parser to execute XSLT scripts off
the web, never from local files. So it makes sense to refuse any local file
read/write as the default security policy.
This does however conflict with general user-use of libxslt on local files in
another module, such as PHP's xslt module.
So in one memory namespace, you need to be both restrictive and permissive, yet
the *default* security policy can only be set libxslt-wide:
http://www.xmlsoft.org/XSLT/html/libxslt-security.html#xsltSetDefaultSecurityPrefs
The context-specific policy can be different:
http://www.xmlsoft.org/XSLT/html/libxslt-security.html#xsltSetCtxtSecurityPrefs
------------------------------------------------------------------------
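The conflict described in the comment above, as an added, self-contained C model (not code from raptor, PHP or libxslt; every name in it is hypothetical): a restrictive policy installed as the process-wide default blocks another module's local import, while the same policy scoped to the module's own context does not. The model assumes that imports are checked against the default policy because no context exists yet when a stylesheet is compiled.

```c
/* Added model of one library-wide default policy shared by two modules; hypothetical names. */
#include <stdio.h>
#include <string.h>
typedef int (*check_fn)(const char *url);       /* 1 = allow, 0 = refuse */
enum { READ_FILE, READ_NETWORK, NOPTS };
typedef struct { check_fn opt[NOPTS]; } prefs;
typedef struct { const prefs *sec; } ctx;        /* one transformation */
static int allow(const char *u)  { (void)u; return 1; }
static int forbid(const char *u) { (void)u; return 0; }
static const prefs permissive = { { allow, allow } };
static const prefs web_only   = { { forbid, allow } }; /* GRDDL-style policy */
static const prefs *default_prefs = &permissive; /* one slot per process */

void set_default_prefs(const prefs *p)     { default_prefs = p; }
void set_ctx_prefs(ctx *c, const prefs *p) { c->sec = p; }
ctx  new_ctx(void) { ctx c = { default_prefs }; return c; }

/* No scheme, or file://, counts as a local read; anything else is network. */
static int is_local(const char *url) {
    return strstr(url, "://") == NULL || strncmp(url, "file://", 7) == 0;
}
static int check_read(const prefs *p, const char *url) {
    return p->opt[is_local(url) ? READ_FILE : READ_NETWORK](url);
}
/* Assumption of the model: imports are resolved while the stylesheet is
 * compiled, before any context exists, so only the default applies. */
int import_stylesheet(const char *href) { return check_read(default_prefs, href); }
int ctx_read(const ctx *c, const char *url) { return check_read(c->sec, url); }

/* Module A (the RDF parser) hardens itself via the process-wide default. */
int scenario_global_default(const char *href) {
    set_default_prefs(&web_only);            /* side effect reaches module B */
    int b_import = import_stylesheet(href);  /* module B: local XSLT user */
    set_default_prefs(&permissive);          /* restore for later callers */
    return b_import;
}
/* Module A applies the same policy to its own context only. */
int scenario_ctx_scoped(const char *href) {
    ctx a = new_ctx();
    set_ctx_prefs(&a, &web_only);
    int a_local = ctx_read(&a, href);        /* A still refuses local reads */
    return (a_local << 1) | import_stylesheet(href); /* bit 1 = A, bit 0 = B */
}

int main(void) {
    const char *href = "file:///path/to/local/file.xsl"; /* constructed path */
    printf("global default: B import allowed = %d\n", scenario_global_default(href));
    printf("context scoped: A/B bits = %d\n", scenario_ctx_scoped(href));
    return 0;
}
```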
[2010-08-06 18:58:02] [email protected]
Some additional info from Dave Beckett:
but anyway, more info at
http://bugs.librdf.org/mantis/view.php?id=379
I found I could duplicate the error and as I suspected if I made raptor skip
over xsltSetSecurityPrefs() and xsltSetDefaultSecurityPrefs() calls, the
program works as expected.
I can probably patch raptor to fix this, then patch the librdf-php to use that
fix, but that's quite indirect.
Seems all libxslt users in the same memory space will have this issue.
------------------------------------------------------------------------
[2010-08-06 15:35:38] [email protected]
To add some more context about the issue, I talked to the author of php rdf ext
on the #reland freenode IRC channel:
[15:23] <dajobe> lsmith: it's not the php module, it's raptor which redland uses
[15:23] <dajobe> it sets the libxslt security policy
[15:24] <dajobe> http://librdf.org/raptor/api-1.4/raptor-section-general.html#raptor-set-libxslt-security-preferences
[15:25] <dajobe> it's hard to do - how is raptor/redland supposed to know when a
calling application is also wanting to adjust parameters of a shared library
[15:26] <dajobe> it's the calling app's responsibility - php in this case
------------------------------------------------------------------------
[2010-07-30 10:55:44] penny at liip dot ch
I had exactly the same problem with the following versions:
libxslt1.1 1.1.24-2
php5 5.2.6.dfsg.1-1+lenny8
php5-librdf 1.0.7.1-1+b1
Purging php5-librdf fixed the problem.
------------------------------------------------------------------------
[2010-07-06 00:46:03] matth at mlalonde dot net
Description:
------------
I have been able to replicate under three environments running Ubuntu LTS php5
(cli, cgi or mod_php), libxslt 1.1.26 and the php5 module and librdf0 and the
php5 module.
With the above setup, any <xsl:import href="local/file.xsl" /> call will fail
with the error
XSLTProcessor::importStylesheet(): Local file read for /path/to/local/file.xsl
refused
Using XSLCache will result in a segfault and no errors.
Removing php5's librdf module fixes the issue.
Test script:
---------------
# a.php
<?php
ini_set('display_errors', 1);
ini_set('error_reporting', E_ALL|E_STRICT|E_NOTICE);
//phpinfo();
$doc = new DOMDocument();
$xsl = new XSLTProcessor();
$xsl_filename = __DIR__ . '/collection.xsl';
$xml_filename = __DIR__ . '/collection.xml';
$doc->load($xsl_filename);
$xsl->importStyleSheet($doc);
$doc->load($xml_filename);
echo $xsl->transformToXML($doc);
# collection.xml
<collection>
<cd>
<title>Fight for your mind</title>
<artist>Ben Harper</artist>
<year>1995</year>
</cd>
<cd>
<title>Electric Ladyland</title>
<artist>Jimi Hendrix</artist>
<year>1997</year>
</cd>
</collection>
# collection.xsl
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
<xsl:import href="file:///var/www/pgadmin/temp/collection2.xsl" />
<xsl:param name="owner" select="'Nicolas Eliaszewicz'"/>
<xsl:output method="html" encoding="iso-8859-1" indent="no"/>
<xsl:template match="collection">
Hey! Welcome to <xsl:value-of select="$owner"/>'s sweet CD collection!
<xsl:apply-templates/>
</xsl:template>
<xsl:template match="cd">
<h1><xsl:value-of select="title"/></h1>
<h2>by <xsl:value-of select="artist"/> - <xsl:value-of select="year"/></h2>
<hr />
</xsl:template>
</xsl:stylesheet>
# collection2.xsl
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
<xsl:param name="owner" select="'Nicolas Eliaszewicz'"/>
<xsl:output method="html" encoding="iso-8859-1" indent="no"/>
<xsl:template match="collection">
Hey! Welcome to <xsl:value-of select="$owner"/>'s sweet CD collection!
<xsl:apply-templates/>
</xsl:template>
<xsl:template match="cd">
<h1><xsl:value-of select="title"/></h1>
<h2>by00 <xsl:value-of select="artist"/> - <xsl:value-of select="year"/></h2>
<hr />
</xsl:template>
</xsl:stylesheet>
Expected result:
----------------
A parsed XSLT document with the imported stylesheets. And no errors ;)
Actual result:
--------------
Warning: XSLTProcessor::importStylesheet(): error in /var/www/temp/a.php on line 14
Call Stack:
0.0002 627304 1. {main}() /var/www/temp/a.php:0
0.0006 631128 2. XSLTProcessor->importStylesheet() /var/www/temp/a.php:14
Warning: XSLTProcessor::importStylesheet(): Local file read for file:///var/www/pgadmin/temp/collection2.xsl refused in /var/www/temp/a.php on line 14
Call Stack:
0.0002 627304 1. {main}() /var/www/temp/a.php:0
0.0006 631128 2. XSLTProcessor->importStylesheet() /var/www/temp/a.php:14
------------------------------------------------------------------------