Re: [xslt] libxslt security framework

From: Daniel Veillard <veillard redhat com>
To: The Gnome XSLT library mailing-list <xslt gnome org>
Subject: Re: [xslt] libxslt security framework
Date: Thu, 17 Sep 2009 15:47:43 +0200

On Wed, Jun 24, 2009 at 09:56:28PM +0200, Benjamin Vetter wrote:
> 
> Hi List,
> 
> I'm using libxslt through cpan's xml::libxslt.
> When I use the Security Framework and deny anything through something like
> 
> sub violate { return 0; };
> $security->register_callback( read_file  => \&violate );
> $security->register_callback( write_file => \&violate );
> $security->register_callback( create_dir => \&violate );
> $security->register_callback( read_net   => \&violate );
> $security->register_callback( write_net  => \&violate );
> 
> the document() function fails like expected, but xsl:include or
> xsl:import can import arbitrary additional stylesheets.
> Is it a documented behaviour?
> I think it's a rather unexpected behaviour and could potentially lead
> to a security issue.
> 
> Comments appreciated.
> I'm using libxslt-1.1.9

  that's very very old, please update to 1.1.24 it may be fixed, if not
please report,

   thanks,

Daniel

-- 
Daniel Veillard      | libxml Gnome XML XSLT toolkit  http://xmlsoft.org/
daniel veillard com  | Rpmfind RPM search engine http://rpmfind.net/
http://veillard.com/ | virtualization library  http://libvirt.org/

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]