Re: [xslt] libxslt security framework
- From: Daniel Veillard <veillard redhat com>
- To: The Gnome XSLT library mailing-list <xslt gnome org>
- Subject: Re: [xslt] libxslt security framework
- Date: Thu, 17 Sep 2009 15:47:43 +0200
On Wed, Jun 24, 2009 at 09:56:28PM +0200, Benjamin Vetter wrote:
>
> Hi List,
>
> I'm using libxslt through CPAN's XML::LibXSLT.
> When I use the Security Framework and deny anything through something like
>
> sub violate { return 0; };
> $security->register_callback( read_file => \&violate );
> $security->register_callback( write_file => \&violate );
> $security->register_callback( create_dir => \&violate );
> $security->register_callback( read_net => \&violate );
> $security->register_callback( write_net => \&violate );
>
> the document() function fails as expected, but xsl:include or
> xsl:import can import arbitrary additional stylesheets.
> Is it a documented behaviour?
> I think it's a rather unexpected behaviour and could potentially lead
> to a security issue.
>
> Comments appreciated.
> I'm using libxslt-1.1.9
That's very, very old; please update to 1.1.24, it may be fixed. If not,
please report,
thanks,
Daniel
--
Daniel Veillard | libxml Gnome XML XSLT toolkit http://xmlsoft.org/
daniel veillard com | Rpmfind RPM search engine http://rpmfind.net/
http://veillard.com/ | virtualization library http://libvirt.org/
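
A way to check the behaviour reported above against whatever libxslt version is installed, as an added example that is not part of the original thread or the project's code: it registers the same deny-all callbacks through XML::LibXSLT and reports whether an `xsl:import` was still loaded. The temporary file names and the `<marker>` element are constructed for the check.

```perl
use strict;
use warnings;
use File::Temp qw(tempdir);
use XML::LibXML;
use XML::LibXSLT;

my $dir = tempdir(CLEANUP => 1);

# Constructed stylesheets: main.xsl only imports imported.xsl, so the
# <marker> element can reach the output only if the import was loaded.
write_file("$dir/imported.xsl", <<'XSL');
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:template match="/"><marker>imported</marker></xsl:template>
</xsl:stylesheet>
XSL
write_file("$dir/main.xsl", <<'XSL');
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:import href="imported.xsl"/>
</xsl:stylesheet>
XSL

# Deny every operation, as in the post, and record what libxslt asks about.
my @asked;
my $security = XML::LibXSLT::Security->new();
for my $op (qw(read_file write_file create_dir read_net write_net)) {
    $security->register_callback($op => sub {
        push @asked, "$op($_[1])";    # args: transform context, requested value
        return 0;                     # 0 = deny
    });
}
my $xslt = XML::LibXSLT->new();
$xslt->security_callbacks($security);

my $parser = XML::LibXML->new();
my $out = eval {
    my $style  = $xslt->parse_stylesheet($parser->parse_file("$dir/main.xsl"));
    my $result = $style->transform($parser->parse_string('<doc/>'));
    $style->output_string($result);
};
print !defined $out      ? "stylesheet rejected: $@\n"
    : $out =~ /<marker>/ ? "xsl:import loaded despite deny-all callbacks\n"
    :                      "import not applied\n";
print "callbacks consulted: ", (@asked ? "@asked" : "none"), "\n";

sub write_file {
    my ($path, $content) = @_;
    open my $fh, '>', $path or die "open $path: $!";
    print {$fh} $content;
    close $fh or die "close $path: $!";
}
```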