Set up our own libxslt security context in xmlhelp, as per #117643.

Patch by: me

Set up our own libxslt security context in xmlhelp, as per #117643.
Patch by: me
ae1f34be · Damjan Jovanovic · 79bfa972 · ae1f34be
Kaydet (Commit) ae1f34be authored Eki 04, 2018 tarafından Damjan Jovanovic
Hide whitespace changes
Inline Side-by-side

Showing with 23 additions and 7 deletions

urlparameter.cxx xmlhelp/source/cxxhelp/provider/urlparameter.cxx +23 -7

No files found.
--- a/xmlhelp/source/cxxhelp/provider/urlparameter.cxx
+++ b/xmlhelp/source/cxxhelp/provider/urlparameter.cxx
@@ -45,6 +45,7 @@
 #include <libxslt/xslt.h>
 #include <libxslt/transform.h>
 #include <libxslt/xsltutils.h>
+#include <libxslt/security.h>
 #include "db.hxx"
 #include <com/sun/star/io/XActiveDataSink.hpp>
 #include <com/sun/star/io/XInputStream.hpp>
@@ -1060,14 +1061,29 @@ InputStreamTransformer::InputStreamTransformer( URLParameter* urlParam,
        xmlDocPtr doc = xmlParseFile("vnd.sun.star.zip:/");
-        xmlDocPtr res = xsltApplyStylesheet(cur, doc, parameter);
+        xmlDocPtr res = NULL;
-        if (res)
+        xsltTransformContextPtr transformContext = xsltNewTransformContext(cur, doc);
+        if (transformContext)
        {
-            xmlChar *doc_txt_ptr=0;
+            xsltSecurityPrefsPtr securityPrefs = xsltNewSecurityPrefs();
-            int doc_txt_len;
+            if (securityPrefs)
-            xsltSaveResultToString(&doc_txt_ptr, &doc_txt_len, res, cur);
+            {
-            addToBuffer((const char*)doc_txt_ptr, doc_txt_len);
+                xsltSetSecurityPrefs(securityPrefs, XSLT_SECPREF_READ_FILE, xsltSecurityAllow);
-            xmlFree(doc_txt_ptr);
+                if (xsltSetCtxtSecurityPrefs(securityPrefs, transformContext) == 0)
+                {
+                    res = xsltApplyStylesheetUser(cur, doc, parameter, NULL, NULL, transformContext);
+                    if (res)
+                    {
+                        xmlChar *doc_txt_ptr=0;
+                        int doc_txt_len;
+                        xsltSaveResultToString(&doc_txt_ptr, &doc_txt_len, res, cur);
+                        addToBuffer((const char*)doc_txt_ptr, doc_txt_len);
+                        xmlFree(doc_txt_ptr);
+                    }
+                }
+                xsltFreeSecurityPrefs(securityPrefs);
+            }
+            xsltFreeTransformContext(transformContext);
        }
        xmlPopInputCallbacks(); //filePatch
        xmlPopInputCallbacks(); //helpPatch