Bug 23290: XSLT system preferences allow administrators to exploit XML and XSLT vulnerabilities
The problem is that administrators can provide XSLTs that
can read from the server and network and write to the server.
This patch prevents the Koha::XSLT_Handler from running
XSLT stylesheets that call actions such as read_file, write_file,
read_net, and write_net as documented at
https://metacpan.org/pod/XML::LibXSLT#XML::LibXSLT::Security
(Previous tests suggested issues with XML external entities
causing read file like vulnerabilities but these were not
reproducible)
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
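The mitigation the message describes, as an added example that is not code from the Koha patch: XML::LibXSLT's security callbacks are registered to deny each of the documented actions (read_file, write_file, create_dir, read_net, write_net), and a constructed stylesheet that calls document() on a local path is then refused. The file path and the sample record are constructed placeholders, not Koha data.

```perl
#!/usr/bin/perl
# Added example (not Koha's own code): deny every XSLT file and network
# access through XML::LibXSLT::Security, then show a stylesheet that tries
# to read a server file with document() being refused.
use strict;
use warnings;
use XML::LibXML;
use XML::LibXSLT;

my $xslt     = XML::LibXSLT->new;
my $security = XML::LibXSLT::Security->new;

# A callback returns true to allow the action and false to deny it.
# $value is the path or URI the stylesheet is trying to reach.
for my $action (qw(read_file write_file create_dir read_net write_net)) {
    $security->register_callback(
        $action => sub {
            my ( $tctxt, $value ) = @_;
            warn "denied XSLT $action on $value\n";
            return 0;    # deny unconditionally
        }
    );
}
$xslt->security_callbacks($security);

# Constructed stylesheet: document() attempts a read from the server.
# "/srv/example/placeholder.txt" is a placeholder path, not a real file.
my $style_xml = <<'XSL';
<xsl:stylesheet version="1.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:template match="/">
    <out><xsl:copy-of select="document('/srv/example/placeholder.txt')"/></out>
  </xsl:template>
</xsl:stylesheet>
XSL

my $parser = XML::LibXML->new;
my $style  = $xslt->parse_stylesheet( $parser->parse_string($style_xml) );
my $doc    = $parser->parse_string('<record><title>sample</title></record>');

# With the callbacks in place libxslt reports the denied read; depending on
# the libxslt build the transform either dies or yields an empty <out/>.
my $result = eval { $style->transform($doc) };
if ( $@ or not defined $result ) {
    print "transform refused: $@\n";
}
else {
    print $style->output_as_bytes($result), "\n";
}
```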