Set up our own libxslt security context in xmlhelp, as per #i117643.

Patch by: me (cherry picked from commit ae1f34be) Change-Id: I0e5277b17243f6b8f5f4303206cf446b10dd0aef Reviewed-on: https://gerrit.libreoffice.org/61597Reviewed-by: Michael Stahl <Michael.Stahl@cib.de> Tested-by: Michael Stahl <Michael.Stahl@cib.de>

Set up our own libxslt security context in xmlhelp, as per #i117643.
Patch by: me (cherry picked from commit ae1f34be) Change-Id: I0e5277b17243f6b8f5f4303206cf446b10dd0aef Reviewed-on: https://gerrit.libreoffice.org/61597Reviewed-by: Michael Stahl <Michael.Stahl@cib.de> Tested-by: Michael Stahl <Michael.Stahl@cib.de>
99c59c59 · Damjan Jovanovic · Michael Stahl · de29c77c · 99c59c59
Kaydet (Commit) 99c59c59 authored Eki 04, 2018 tarafından Damjan Jovanovic Kaydeden (comit) Michael Stahl Eki 10, 2018
Show whitespace changes
Inline Side-by-side

Showing with 17 additions and 1 deletion

urlparameter.cxx xmlhelp/source/cxxhelp/provider/urlparameter.cxx +17 -1

No files found.
--- a/xmlhelp/source/cxxhelp/provider/urlparameter.cxx
+++ b/xmlhelp/source/cxxhelp/provider/urlparameter.cxx
@@ -31,6 +31,7 @@
 #include <libxslt/xslt.h>
 #include <libxslt/transform.h>
 #include <libxslt/xsltutils.h>
+#include <libxslt/security.h>
 #include "db.hxx"
 #include <com/sun/star/io/XActiveDataSink.hpp>
 #include <com/sun/star/io/XInputStream.hpp>
@@ -847,7 +848,17 @@ InputStreamTransformer::InputStreamTransformer( URLParameter* urlParam,
        xmlDocPtr doc = xmlParseFile("vnd.sun.star.zip:/");
-        xmlDocPtr res = xsltApplyStylesheet(cur, doc, parameter);
+        xmlDocPtr res = nullptr;
+        xsltTransformContextPtr transformContext = xsltNewTransformContext(cur, doc);
+        if (transformContext)
+        {
+            xsltSecurityPrefsPtr securityPrefs = xsltNewSecurityPrefs();
+            if (securityPrefs)
+            {
+                xsltSetSecurityPrefs(securityPrefs, XSLT_SECPREF_READ_FILE, xsltSecurityAllow);
+                if (xsltSetCtxtSecurityPrefs(securityPrefs, transformContext) == 0)
+                {
+                    res = xsltApplyStylesheetUser(cur, doc, parameter, nullptr, nullptr, transformContext);
                    if (res)
                    {
                        xmlChar *doc_txt_ptr=nullptr;
@@ -856,6 +867,11 @@ InputStreamTransformer::InputStreamTransformer( URLParameter* urlParam,
                        addToBuffer(reinterpret_cast<char*>(doc_txt_ptr), doc_txt_len);
                        xmlFree(doc_txt_ptr);
                    }
+                }
+                xsltFreeSecurityPrefs(securityPrefs);
+            }
+            xsltFreeTransformContext(transformContext);
+        }
        xmlPopInputCallbacks(); //filePatch
        xmlPopInputCallbacks(); //helpPatch
        xmlPopInputCallbacks(); //zipMatch