Set up our own libxslt security context in xmlhelp, as per #i117643.

Patch by: me (cherry picked from commit ae1f34be5c9a49fae1eacdb3c1e5267acea53441) Change-Id: I0e5277b17243f6b8f5f4303206cf446b10dd0aef Reviewed-on: https://gerrit.libreoffice.org/61597 Reviewed-by: Michael Stahl <Michael.Stahl@cib.de> Tested-by: Michael Stahl <Michael.Stahl@cib.de>
author: Damjan Jovanovic <damjan@apache.org> 2018-10-04 17:49:09 +0000
committer: Michael Stahl <Michael.Stahl@cib.de> 2018-10-10 10:30:57 +0200
commit: 99c59c594ff6747abef4529fbb2251751737eb7e (patch)
tree: 528d0444912cd0dca394ae134a9841fec40f8dfb /xmlhelp/source/cxxhelp
parent: de29c77c0e20b607c4fd4f535bb711ce24c3a853 (diff)
1 files changed, 23 insertions, 7 deletions
diff --git a/xmlhelp/source/cxxhelp/provider/urlparameter.cxx b/xmlhelp/source/cxxhelp/provider/urlparameter.cxx
index 85e4cb4051ad..a0f0c94a434d 100644
--- a/xmlhelp/source/cxxhelp/provider/urlparameter.cxx
+++ b/xmlhelp/source/cxxhelp/provider/urlparameter.cxx
@@ -31,6 +31,7 @@
 #include <libxslt/xslt.h>
 #include <libxslt/transform.h>
 #include <libxslt/xsltutils.h>
+#include <libxslt/security.h>
 #include "db.hxx"
 #include <com/sun/star/io/XActiveDataSink.hpp>
 #include <com/sun/star/io/XInputStream.hpp>
@@ -847,14 +848,29 @@ InputStreamTransformer::InputStreamTransformer( URLParameter* urlParam,
 
         xmlDocPtr doc = xmlParseFile("vnd.sun.star.zip:/");
 
-        xmlDocPtr res = xsltApplyStylesheet(cur, doc, parameter);
-        if (res)
+        xmlDocPtr res = nullptr;
+        xsltTransformContextPtr transformContext = xsltNewTransformContext(cur, doc);
+        if (transformContext)
         {
-            xmlChar *doc_txt_ptr=nullptr;
-            int doc_txt_len;
-            xsltSaveResultToString(&doc_txt_ptr, &doc_txt_len, res, cur);
-            addToBuffer(reinterpret_cast<char*>(doc_txt_ptr), doc_txt_len);
-            xmlFree(doc_txt_ptr);
+            xsltSecurityPrefsPtr securityPrefs = xsltNewSecurityPrefs();
+            if (securityPrefs)
+            {
+                xsltSetSecurityPrefs(securityPrefs, XSLT_SECPREF_READ_FILE, xsltSecurityAllow);
+                if (xsltSetCtxtSecurityPrefs(securityPrefs, transformContext) == 0)
+                {
+                    res = xsltApplyStylesheetUser(cur, doc, parameter, nullptr, nullptr, transformContext);
+                    if (res)
+                    {
+                        xmlChar *doc_txt_ptr=nullptr;
+                        int doc_txt_len;
+                        xsltSaveResultToString(&doc_txt_ptr, &doc_txt_len, res, cur);
+                        addToBuffer(reinterpret_cast<char*>(doc_txt_ptr), doc_txt_len);
+                        xmlFree(doc_txt_ptr);
+                    }
+                }
+                xsltFreeSecurityPrefs(securityPrefs);
+            }
+            xsltFreeTransformContext(transformContext);
         }
         xmlPopInputCallbacks(); //filePatch
         xmlPopInputCallbacks(); //helpPatch
author	Damjan Jovanovic <damjan@apache.org>	2018-10-04 17:49:09 +0000
committer	Michael Stahl <Michael.Stahl@cib.de>	2018-10-10 10:30:57 +0200
commit	99c59c594ff6747abef4529fbb2251751737eb7e (patch)
tree	528d0444912cd0dca394ae134a9841fec40f8dfb /xmlhelp/source/cxxhelp
parent	de29c77c0e20b607c4fd4f535bb711ce24c3a853 (diff)