php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #53063 <xsl:include> and <xsl:import> are broken
Submitted: 2010-10-14 08:37 UTC Modified: 2014-12-30 10:41 UTC
Votes:2
Avg. Score:5.0 ± 0.0
Reproduced:2 of 2 (100.0%)
Same Version:2 (100.0%)
Same OS:1 (50.0%)
From: robin2008 at altruists dot org Assigned:
Status: No Feedback Package: XSLT related
PHP Version: 5.3.3 OS: Ubuntu 10.04
Private report: No CVE-ID: None
View Add Comment Developer Edit
Have you experienced this issue?
Rate the importance of this bug to you:

 [2010-10-14 08:37 UTC] robin2008 at altruists dot org 
Description:
------------
Somewhere between 5.3.0 and 5.3.2, the security model for XSL has been over tightened. XSL stylesheets which refer to other stylesheet by <xsl:import> or <xsl:include> now fail to work.

Test script:
---------------
<?php
// PHP 5.3.2 XSLT BUG - <xsl:import> (and <xsl:include>) are broken

$aDOM= 		 new DOMDocument();
$aDOM->loadXML('<?xml version="1.0"?><etc/>');
$stylesheet= new DOMDocument();
$proc=       new XSLTProcessor();
$stylesheet->loadXML('<?xml version="1.0"?><stylesheet version="1.0" xmlns="http://www.w3.org/1999/XSL/Transform"><import href="somesheet.xslt"/><template match="/"/></stylesheet>');

$proc->importStyleSheet($stylesheet); 
$oops= $proc->transformToDoc($aDOM);

?>

Expected result:
----------------
Assuming there is a valid stylesheet at "somesheet.xslt", the transform should work as per the W3C spec.

Am I missing something? Is there, for example, a way to set this security default somewhere? Or a class method for XSLTProcessor to disable this?

Actual result:
--------------
Warning: XSLTProcessor::importStylesheet() [xsltprocessor.importstylesheet]: error in /home/robin/f2f/hardcode/xsl-import.php on line 10

Warning: XSLTProcessor::importStylesheet() [xsltprocessor.importstylesheet]: Local file read for /home/robin/f2f/hardcode/somesheet.xslt refused in /home/robin/f2f/hardcode/xsl-import.php on line 10

Warning: XSLTProcessor::importStylesheet() [xsltprocessor.importstylesheet]: error in /home/robin/f2f/hardcode/xsl-import.php on line 10

Warning: XSLTProcessor::importStylesheet() [xsltprocessor.importstylesheet]: xsl:import: read rights for /home/robin/f2f/hardcode/somesheet.xslt denied in /home/robin/f2f/hardcode/xsl-import.php on line 10

Warning: XSLTProcessor::transformToDoc() [xsltprocessor.transformtodoc]: No stylesheet associated to this object in /home/robin/f2f/hardcode/xsl-import.php on line 11

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2010-12-02 09:30 UTC] r3wald at gmail dot com 
Please have a look at: http://bugs.php.net/bug.php?id=52257 .

I had exactly the same issue as you have. Disabling redland.so finally resolved 
it.

Robert
 [2013-12-02 13:32 UTC] mike@php.net
-Status: Open +Status: Feedback
 [2013-12-02 13:32 UTC] mike@php.net 
Cannot reproduce.
 [2013-12-02 13:56 UTC] r3wald at gmail dot com 
Ditto. No problems anymore.
 [2014-12-30 10:41 UTC] php-bugs at lists dot php dot net 
No feedback was provided. The bug is being suspended because
we assume that you are no longer experiencing the problem.
If this is not the case and you are able to provide the
information that was requested earlier, please do so and
change the status of the bug back to "Re-Opened". Thank you.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved. 		Last updated: Sun Apr 28 20:01:29 2024 UTC