From 99c59c594ff6747abef4529fbb2251751737eb7e Mon Sep 17 00:00:00 2001
From: Damjan Jovanovic
Date: Thu, 4 Oct 2018 17:49:09 +0000
Subject: Set up our own libxslt security context in xmlhelp, as per #i117643.
Patch by: me
(cherry picked from commit ae1f34be5c9a49fae1eacdb3c1e5267acea53441)
Change-Id: I0e5277b17243f6b8f5f4303206cf446b10dd0aef
Reviewed-on: https://gerrit.libreoffice.org/61597
Reviewed-by: Michael Stahl
Tested-by: Michael Stahl
---
 xmlhelp/source/cxxhelp/provider/urlparameter.cxx | 30 ++++++++++++++++++------
 1 file changed, 23 insertions(+), 7 deletions(-)
(limited to 'xmlhelp/source/cxxhelp')
diff --git a/xmlhelp/source/cxxhelp/provider/urlparameter.cxx b/xmlhelp/source/cxxhelp/provider/urlparameter.cxx
index 85e4cb4051ad..a0f0c94a434d 100644
--- a/xmlhelp/source/cxxhelp/provider/urlparameter.cxx
+++ b/xmlhelp/source/cxxhelp/provider/urlparameter.cxx
@@ -31,6 +31,7 @@
 #include
 #include
 #include
+#include
 #include "db.hxx"
 #include
 #include
@@ -847,14 +848,29 @@ InputStreamTransformer::InputStreamTransformer( URLParameter* urlParam,
 xmlDocPtr doc = xmlParseFile("vnd.sun.star.zip:/");
- xmlDocPtr res = xsltApplyStylesheet(cur, doc, parameter);
- if (res)
+ xmlDocPtr res = nullptr;
+ xsltTransformContextPtr transformContext = xsltNewTransformContext(cur, doc);
+ if (transformContext)
 {
- xmlChar *doc_txt_ptr=nullptr;
- int doc_txt_len;
- xsltSaveResultToString(&doc_txt_ptr, &doc_txt_len, res, cur);
- addToBuffer(reinterpret_cast(doc_txt_ptr), doc_txt_len);
- xmlFree(doc_txt_ptr);
+ xsltSecurityPrefsPtr securityPrefs = xsltNewSecurityPrefs();
+ if (securityPrefs)
+ {
+ xsltSetSecurityPrefs(securityPrefs, XSLT_SECPREF_READ_FILE, xsltSecurityAllow);
+ if (xsltSetCtxtSecurityPrefs(securityPrefs, transformContext) == 0)
+ {
+ res = xsltApplyStylesheetUser(cur, doc, parameter, nullptr, nullptr, transformContext);
+ if (res)
+ {
+ xmlChar *doc_txt_ptr=nullptr;
+ int doc_txt_len;
+ xsltSaveResultToString(&doc_txt_ptr, &doc_txt_len, res, cur);
+ addToBuffer(reinterpret_cast(doc_txt_ptr), doc_txt_len);
+ xmlFree(doc_txt_ptr);
+ }
+ }
+ xsltFreeSecurityPrefs(securityPrefs);
+ }
+ xsltFreeTransformContext(transformContext);
 }
 xmlPopInputCallbacks(); //filePatch
 xmlPopInputCallbacks(); //helpPatch
-- cgit
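Review bot: The new preferences object sets only `XSLT_SECPREF_READ_FILE`, so the write-side options keep whatever `xsltNewSecurityPrefs()` initialises them to. As far as I know libxslt treats an unset preference as "no check", which would leave file writes, directory creation and network writes permitted for this transform even when a stricter process-wide default is installed. The help transform only needs to read, so I would forbid those explicitly right after the READ_FILE line, e.g. `xsltSetSecurityPrefs(securityPrefs, XSLT_SECPREF_WRITE_FILE, xsltSecurityForbid);`, and likewise for `XSLT_SECPREF_CREATE_DIRECTORY` and `XSLT_SECPREF_WRITE_NETWORK`. `XSLT_SECPREF_READ_NETWORK` should get the same treatment only after confirming the stylesheets do not load documents through the custom `vnd.sun.star.*` schemes, which libxslt may classify as non-file reads. The return value of the existing `xsltSetSecurityPrefs` call is also ignored; the constructor body starts and ends outside the hunk.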