Bug #52257 module php5-librdf causes libxslt's security module to fail
Submitted: 2010-07-06 00:46 UTC Modified: 2013-12-02 13:50 UTC
Votes:7
Avg. Score:5.0 ± 0.0
Reproduced:7 of 7 (100.0%)
Same Version:5 (71.4%)
Same OS:4 (57.1%)
From: matth at mlalonde dot net Assigned:
Status: Not a bug Package: XSLT related
PHP Version: 5.3.2 OS: Ubuntu LTS
Private report: No CVE-ID:
 [2010-07-06 00:46 UTC] matth at mlalonde dot net
Description:
------------
I have been able to replicate under three environment running Ubuntu LTS php5 (cli, cgi or mod_php), libxslt 1.1.26 and the php5 module and librdf0 and the php5 module.

With the above setup, any <xsl:import href="local/file.xsl" /> call will fail with the error

XSLTProcessor::importStylesheet(): Local file read for /path/to/local/file.xsl refused

Using XSLCache will result in a segfault and no errors.

Removing php5's librdf module fixes the issue.

Test script:
---------------
# a.php 
<?php
ini_set('display_errors', 1);
ini_set('error_reporting', E_ALL|E_STRICT|E_NOTICE);

//phpinfo();

$doc = new DOMDocument();
$xsl = new XSLTProcessor();

$xsl_filename = __DIR__ . '/collection.xsl';
$xml_filename = __DIR__ . '/collection.xml';

$doc->load($xsl_filename);
$xsl->importStyleSheet($doc);

$doc->load($xml_filename);
echo $xsl->transformToXML($doc);

# collection.xml
<collection>
 <cd>
  <title>Fight for your mind</title>
  <artist>Ben Harper</artist>
  <year>1995</year>
 </cd>
 <cd>
  <title>Electric Ladyland</title>
  <artist>Jimi Hendrix</artist>
  <year>1997</year>
 </cd>
</collection>

# collection.xsl
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
 <xsl:import href="file:///var/www/pgadmin/temp/collection2.xsl" />
 <xsl:param name="owner" select="'Nicolas Eliaszewicz'"/>
 <xsl:output method="html" encoding="iso-8859-1" indent="no"/>
 <xsl:template match="collection">
  Hey! Welcome to <xsl:value-of select="$owner"/>'s sweet CD collection!
  <xsl:apply-templates/>
 </xsl:template>
 <xsl:template match="cd">
  <h1><xsl:value-of select="title"/></h1>
  <h2>by <xsl:value-of select="artist"/> - <xsl:value-of select="year"/></h2>
  <hr />
 </xsl:template>
</xsl:stylesheet>

# collection2.xsl
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
 <xsl:param name="owner" select="'Nicolas Eliaszewicz'"/>
 <xsl:output method="html" encoding="iso-8859-1" indent="no"/>
 <xsl:template match="collection">
  Hey! Welcome to <xsl:value-of select="$owner"/>'s sweet CD collection!
  <xsl:apply-templates/>
 </xsl:template>
 <xsl:template match="cd">
  <h1><xsl:value-of select="title"/></h1>
  <h2>by00 <xsl:value-of select="artist"/> - <xsl:value-of select="year"/></h2>
  <hr />
 </xsl:template>
</xsl:stylesheet>


Expected result:
----------------
A parsed XSLT document with the imported stylesheets. And no errors ;)

Actual result:
--------------
Warning: XSLTProcessor::importStylesheet(): error in /var/www/temp/a.php on line 14

Call Stack:
    0.0002     627304   1. {main}() /var/www/temp/a.php:0
    0.0006     631128   2. XSLTProcessor->importStylesheet() /var/www/temp/a.php:14


Warning: XSLTProcessor::importStylesheet(): Local file read for file:///var/www/pgadmin/temp/collection2.xsl refused in /var/www/temp/a.php on line 14

Call Stack:
    0.0002     627304   1. {main}() /var/www/temp/a.php:0
    0.0006     631128   2. XSLTProcessor->importStylesheet() /var/www/temp/a.php:14


 [2010-07-30 10:55 UTC] penny at liip dot ch
I had exactly the same problem with the following versions:

libxslt1.1          1.1.24-2
php5                5.2.6.dfsg.1-1+lenny8
php5-librdf         1.0.7.1-1+b1

Purging php5-librdf fixed the problem.
 [2010-08-06 15:35 UTC] lsmith@php.net
To add some more context about the issue, I talked to the author of the PHP rdf ext on the #reland freenode IRC channel:

[15:23] <dajobe> lsmith: it's not the php module, it's raptor which redland uses
[15:23] <dajobe> it sets the libxslt security policy
[15:24] <dajobe> http://librdf.org/raptor/api-1.4/raptor-section-general.html#raptor-set-libxslt-security-preferences
[15:25] <dajobe> it's hard to do - how is raptor/redland supposed to know when a calling application is also wanting to adjust parameters of a shared library
[15:26] <dajobe> it's the calling app's responsibility - php in this case
 [2010-08-06 18:58 UTC] lsmith@php.net
some additional infos from Dave Beckett:
but anyway, more info at
http://bugs.librdf.org/mantis/view.php?id=379

I found I could duplicate the error and as I suspected if I made raptor skip 
over xsltSetSecurityPrefs()  and xsltSetDefaultSecurityPrefs() calls, the 
program works as expected.

I can probably patch raptor to fix this, then patch the librdf-php to use that 
fix, but that's quite indirect.

Seems all libxslt users in the same memory space will have this issue.
 [2010-08-06 19:45 UTC] dave at dajobe dot org
(Found the add comment button!)

Just to explain a bit more why raptor does this.

It's using libxslt as part of the GRDDL rdf parser to execute XSLT scripts off the web, never from local files.  So it makes sense to refuse any local file read/write as the default security policy.

This does however conflict with general user-use of libxslt on local files in another module, such as PHP's xslt module.

So in one memory namespace, you need to be both restrictive and permissive, yet the *default* security policy can only be set libxslt-wide:
http://www.xmlsoft.org/XSLT/html/libxslt-security.html#xsltSetDefaultSecurityPrefs

The context-specific policy can be different:
http://www.xmlsoft.org/XSLT/html/libxslt-security.html#xsltSetCtxtSecurityPrefs
 [2012-07-21 16:12 UTC] jdmadea at gmail dot com
I have some PHP code using librdf. I use php from the command line to run unit 
tests. I also use it to generate documentation with phpDocumentor which, of 
course, uses libxslt. 

It took a while to work out why phpDocumentor was failing. The error, for the 
sake of people searching and having difficulty finding any info, was:

PHP Warning:  XSLTProcessor::importStylesheet(): error in /usr/share/php/phpDocumentor/src/phpDocumentor/Plugin/Core/Transformer/Writer/Xsl.php on line 62


> It's using libxslt as part of the GRDDL rdf parser to execute XSLT scripts off 
> the web, never from local files.  So it makes sense to refuse any local file 
> read/write as the default security policy.

That seems like an unnecessary policy to me. Surely remote files are generally 
less safe than local ones.
 [2013-12-02 13:50 UTC] mike@php.net
-Status: Open +Status: Not a bug
 [2013-12-02 13:50 UTC] mike@php.net
So using XSLTProcessor::setSecurityPrefs() seems to be needed if you use something external (to PHP) like ext-librdf, which overrides the default security preferences.

Fine.
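The two points made above, Dave Beckett's distinction between the libxslt-wide default policy and a context-specific one, and Mike's closing remark that XSLTProcessor::setSecurityPrefs() has to be used when something else in the process overrides the default, can be put together in a short script. The following is an added example written for this page; it is not code from the bug report, from PHP or from raptor/redland. It assumes PHP 5.4 or later (XSLTProcessor::setSecurityPrefs() and the XSL_SECPREF_* constants do not exist in the reporter's 5.3.2), and the stylesheet files and input XML are constructed for the demo. The page does not say whether the per-processor policy reaches the <xsl:import> resolution in a process where raptor has replaced the default, so the script also treats a refused import as a hard error and prints the captured libxslt message instead of carrying on with an empty transform.

```php
<?php
// Added example (not from the bug report, PHP or raptor/redland).
// Set the XSLTProcessor's own libxslt security policy explicitly instead of
// relying on the process-wide default, which another library loaded into the
// same PHP process (php5-librdf / raptor on this page) may have replaced, and
// fail loudly if an <xsl:import> of a local stylesheet is still refused.
// Needs PHP >= 5.4 for XSLTProcessor::setSecurityPrefs().

// Constructed stylesheet files in a fresh private temporary directory.
$dir = sys_get_temp_dir() . '/' . uniqid('xsl-secprefs-', true);
if (!mkdir($dir, 0700)) {
    fwrite(STDERR, "cannot create $dir\n");
    exit(1);
}
file_put_contents("$dir/collection2.xsl", <<<'XSL'
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
 <xsl:template match="cd"><h1><xsl:value-of select="title"/></h1></xsl:template>
</xsl:stylesheet>
XSL
);
file_put_contents("$dir/collection.xsl", <<<'XSL'
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
 <xsl:import href="collection2.xsl"/>
 <xsl:output method="html" indent="no"/>
 <xsl:template match="collection"><xsl:apply-templates select="cd"/></xsl:template>
</xsl:stylesheet>
XSL
);

// Collect libxml/libxslt messages instead of letting them surface as warnings.
libxml_use_internal_errors(true);

$proc = new XSLTProcessor();

// The XSL_SECPREF_* bits are "forbid" flags. XSL_SECPREF_DEFAULT forbids file
// writes, directory creation and network writes but leaves local file reads
// allowed, which an <xsl:import> of a local stylesheet needs. Keep the three
// write-side bans; do not widen to XSL_SECPREF_NONE just to make an import work.
$policy   = XSL_SECPREF_WRITE_FILE | XSL_SECPREF_CREATE_DIRECTORY | XSL_SECPREF_WRITE_NETWORK;
$previous = $proc->setSecurityPrefs($policy);
printf("processor security prefs: %d -> %d (XSL_SECPREF_DEFAULT is %d)\n",
       $previous, $proc->getSecurityPrefs(), XSL_SECPREF_DEFAULT);

$sheet = new DOMDocument();
$sheet->load("$dir/collection.xsl");   // load() keeps the file URI, so the relative href resolves
$imported = $proc->importStylesheet($sheet);

// Report every captured message; a process-wide read ban from another
// extension shows up here as "Local file read for ... refused".
foreach (libxml_get_errors() as $error) {
    fwrite(STDERR, 'xsl: ' . trim($error->message) . "\n");
}
libxml_clear_errors();

if (!$imported) {
    fwrite(STDERR, "importStylesheet failed (see messages above); aborting instead of transforming with a partial stylesheet\n");
    cleanup($dir);
    exit(1);
}

$data = new DOMDocument();
$data->loadXML('<collection><cd><title>Fight for your mind</title></cd></collection>');   // constructed input
echo $proc->transformToXml($data), "\n";
cleanup($dir);

// Remove the constructed files.
function cleanup($dir)
{
    foreach (glob("$dir/*") as $file) {
        unlink($file);
    }
    rmdir($dir);
}
```

Run it as `php secprefs.php`; with a clean process it prints the numeric policy change and the rendered `<h1>` line. If an extension in the same process has installed a libxslt default that bans local reads, the refused-read message is printed to stderr and the script exits non-zero, which is the behaviour a build or documentation job such as the phpDocumentor run mentioned above should see rather than a silently broken transform.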
 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Thu Apr 24 02:02:10 2014 UTC