You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@openoffice.apache.org by da...@apache.org on 2018/10/04 17:49:10 UTC
svn commit: r1842836 - /openoffice/trunk/main/xmlhelp/source/cxxhelp/provider/urlparameter.cxx

Author: damjan
Date: Thu Oct  4 17:49:09 2018
New Revision: 1842836

URL: http://svn.apache.org/viewvc?rev=1842836&view=rev
Log:
Set up our own libxslt security context in xmlhelp, as per #117643.

Patch by: me


Modified:
    openoffice/trunk/main/xmlhelp/source/cxxhelp/provider/urlparameter.cxx

Modified: openoffice/trunk/main/xmlhelp/source/cxxhelp/provider/urlparameter.cxx
URL: http://svn.apache.org/viewvc/openoffice/trunk/main/xmlhelp/source/cxxhelp/provider/urlparameter.cxx?rev=1842836&r1=1842835&r2=1842836&view=diff
==============================================================================
--- openoffice/trunk/main/xmlhelp/source/cxxhelp/provider/urlparameter.cxx (original)
+++ openoffice/trunk/main/xmlhelp/source/cxxhelp/provider/urlparameter.cxx Thu Oct  4 17:49:09 2018
@@ -45,6 +45,7 @@
 #include <libxslt/xslt.h>
 #include <libxslt/transform.h>
 #include <libxslt/xsltutils.h>
+#include <libxslt/security.h>
 #include "db.hxx"
 #include <com/sun/star/io/XActiveDataSink.hpp>
 #include <com/sun/star/io/XInputStream.hpp>
@@ -1060,14 +1061,29 @@ InputStreamTransformer::InputStreamTrans
 
         xmlDocPtr doc = xmlParseFile("vnd.sun.star.zip:/");
 
-        xmlDocPtr res = xsltApplyStylesheet(cur, doc, parameter);
-        if (res)
-		{
-			xmlChar *doc_txt_ptr=0;
-			int doc_txt_len;
-			xsltSaveResultToString(&doc_txt_ptr, &doc_txt_len, res, cur);
-			addToBuffer((const char*)doc_txt_ptr, doc_txt_len);
-			xmlFree(doc_txt_ptr);
+        xmlDocPtr res = NULL;
+        xsltTransformContextPtr transformContext = xsltNewTransformContext(cur, doc);
+        if (transformContext)
+        {
+            xsltSecurityPrefsPtr securityPrefs = xsltNewSecurityPrefs();
+            if (securityPrefs)
+            {
+                xsltSetSecurityPrefs(securityPrefs, XSLT_SECPREF_READ_FILE, xsltSecurityAllow);
+                if (xsltSetCtxtSecurityPrefs(securityPrefs, transformContext) == 0)
+                {
+                    res = xsltApplyStylesheetUser(cur, doc, parameter, NULL, NULL, transformContext);
+                    if (res)
+                    {
+                        xmlChar *doc_txt_ptr=0;
+                        int doc_txt_len;
+                        xsltSaveResultToString(&doc_txt_ptr, &doc_txt_len, res, cur);
+                        addToBuffer((const char*)doc_txt_ptr, doc_txt_len);
+                        xmlFree(doc_txt_ptr);
+                    }
+                }
+                xsltFreeSecurityPrefs(securityPrefs);
+            }
+            xsltFreeTransformContext(transformContext);
         }
         xmlPopInputCallbacks();	//filePatch
         xmlPopInputCallbacks();	//helpPatch