1 package Koha::XSLT::Security;
3 # Copyright 2019 Prosentient Systems, Rijksmuseum
5 # This file is part of Koha.
7 # Koha is free software; you can redistribute it and/or modify it under the
8 # terms of the GNU General Public License as published by the Free Software
9 # Foundation; either version 3 of the License, or (at your option) any later
12 # Koha is distributed in the hope that it will be useful, but WITHOUT ANY
13 # WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR
14 # A PARTICULAR PURPOSE. See the GNU General Public License for more details.
16 # You should have received a copy of the GNU General Public License along
17 # with Koha; if not, write to the Free Software Foundation, Inc.,
18 # 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
22 Koha::XSLT::Security - Add security features to Koha::XSLT::Base
26 use Koha::XSLT::Security;
27 my $secu = Koha::XSLT::Security->new;
28 $secu->register_callbacks;
29 $secu->set_parser_options($parser);
33 This object allows you to apply security options to Koha::XSLT::Base.
34 It looks for parser options in koha-conf.xml.
39 use Data::Dumper qw/Dumper/;
43 use base qw(Class::Accessor);
49 Creates object, checks if koha-conf.xml contains additional configuration
50 options, and checks if XML::LibXSLT::Security is present.
58 $self->{_options} = {};
59 my $conf = C4::Context->config('koha_xslt_security');
60 if( $conf && ref($conf) eq 'HASH' ) {
61 $self->{_options} = $conf;
64 my $security = eval { XML::LibXSLT::Security->new };
66 $self->{_security_obj} = $security;
68 warn "No XML::LibXSLT::Security object: $@"; #TODO Move to about ?
71 return bless $self, $class;
74 =head2 register_callbacks
76 Register LibXSLT security callbacks
80 sub register_callbacks {
83 my $security = $self->{_security_obj};
86 $security->register_callback( read_file => sub {
87 warn "read_file called in XML::LibXSLT";
88 #i.e. when using the exsl:document() element or document() function (to read a XML file)
89 my ($tctxt,$value) = @_;
92 $security->register_callback( write_file => sub {
93 warn "write_file called in XML::LibXSLT";
94 #i.e. when using the exsl:document element (or document() function?) (to write an output file of many possible types)
96 #<exsl:document href="file:///tmp/breached.txt">
97 # <xsl:text>breached!</xsl:text>
99 my ($tctxt,$value) = @_;
102 $security->register_callback( read_net => sub {
103 warn "read_net called in XML::LibXSLT";
104 #i.e. when using the document() function (to read XML from the network)
105 #e.g. <xsl:copy-of select="document('http://localhost')" />
106 my ($tctxt,$value) = @_;
109 $security->register_callback( write_net => sub {
110 warn "write_net called in XML::LibXSLT";
111 #NOTE: it's unknown how one would invoke this, but covering our bases anyway
112 my ($tctxt,$value) = @_;
119 my $xslt = XML::LibXSLT->new;
120 $security->set_callbacks( $xslt );
122 Apply registered callbacks to a specific xslt instance.
127 my ($self, $xslt) = @_;
129 my $security = $self->{_security_obj};
130 return if !$security;
131 $xslt->security_callbacks( $security );
134 =head2 set_parser_options
136 $security->set_parser_options($parser);
138 If koha-conf.xml includes koha_xslt_security options, set them.
139 We start with implementing expand_entities.
143 sub set_parser_options {
144 my ($self, $parser) = @_;
145 my $conf = $self->{_options};
147 if( $conf->{expand_entities} ) {
148 _set_option($parser, 'expand_entities', 1);
150 # If not explicitly set, we should disable expanding for security
151 _set_option($parser, 'expand_entities', 0);
156 my ($parser, $option_name, $value) = @_;
157 if( $parser->option_exists($option_name) ) {
158 $parser->set_option($option_name, $value);
160 #TODO Should we warn if it does not exist?
165 David Cook, Prosentient Systems
166 Marcel de Rooy, Rijksmuseum Netherlands