GNOME Bugzilla – Bug 359366
Patch: Pass the full url to network security callbacks
Last modified: 2006-10-11 07:55:43 UTC
When using the security framework, only the url path is passed to the network read and write callbacks. This doesn't allow me to check the protocol being used, the hostname, etc. This occurs in 1.1.17 (I haven't checked any of the older releases). I couldn't find any other way to get the full url inside of the callback. Here's a patch that fixes the network callbacks to pass the full URL. --- libxslt/security.c.old 2004-12-01 02:45:46.000000000 -0700 +++ libxslt/security.c 2006-09-29 11:51:56.000000000 -0600 @@ -360,7 +360,7 @@ */ check = xsltGetSecurityPrefs(sec, XSLT_SECPREF_WRITE_NETWORK); if (check != NULL) { - ret = check(sec, ctxt, uri->path); + ret = check(sec, ctxt, (const char *)URL); if (ret == 0) { xsltTransformError(ctxt, NULL, NULL, "File write for %s refused\n", URL); @@ -420,7 +420,7 @@ */ check = xsltGetSecurityPrefs(sec, XSLT_SECPREF_READ_NETWORK); if (check != NULL) { - ret = check(sec, ctxt, uri->path); + ret = check(sec, ctxt, (const char *)URL); if (ret == 0) { xsltTransformError(ctxt, NULL, NULL, "Network file read for %s refused\n", URL); Thank you, Shane Corgatelli EZ-NetTools
Okay, that's the cases where we use network URL a priori, that makes sense separating the path from the rest of the URL in that context is wrong. Since the xsltSecurityCheck callback definition is: * User provided function to check the value of a string like a file * path or an URL ... it is clear that the original intent was to pass the URL for network accesses, so that's a bug :-) Applied and commited, thanks a lot ! Daniel