From 7baa8d349c40d444f917396e5762165b358a26b9 Mon Sep 17 00:00:00 2001 From: Marcel de Rooy Date: Fri, 15 Nov 2019 11:04:53 +0000 Subject: [PATCH] Bug 23290: Apply the changes in Security to Base now Until now Base did not yet use Security. The security lines are removed from Base here by calls to Security. A new test must be added still. Test plan: Ensure that t/db_dependent/XSLT_Handler.t still passes. Signed-off-by: Marcel de Rooy Signed-off-by: David Cook Signed-off-by: Martin Renvoize --- Koha/XSLT/Base.pm | 63 +++++++++++++++++++---------------------------- 1 file changed, 25 insertions(+), 38 deletions(-) diff --git a/Koha/XSLT/Base.pm b/Koha/XSLT/Base.pm index fc8c317b86..84fe8d5806 100644 --- a/Koha/XSLT/Base.pm +++ b/Koha/XSLT/Base.pm @@ -1,6 +1,6 @@ package Koha::XSLT::Base; -# Copyright 2014 Rijksmuseum +# Copyright 2014, 2019 Rijksmuseum, Prosentient Systems # # This file is part of Koha. # @@ -19,12 +19,12 @@ package Koha::XSLT::Base; =head1 NAME -Koha::XSLT_Handler - Facilitate use of XSLT transformations +Koha::XSLT::Base - Facilitate use of XSLT transformations =head1 SYNOPSIS - use Koha::XSLT_Handler; - my $xslt_engine = Koha::XSLT_Handler->new; + use Koha::XSLT::Base; + my $xslt_engine = Koha::XSLT::Base->new; my $output = $xslt_engine->transform($xml, $xsltfilename); $output = $xslt_engine->transform({ xml => $xml, file => $file }); $output = $xslt_engine->transform({ xml => $xml, code => $code }); @@ -43,7 +43,7 @@ Koha::XSLT_Handler - Facilitate use of XSLT transformations =head2 new - Create handler object (via Class::Accessor) + Create handler object =head2 transform @@ -118,6 +118,7 @@ Koha::XSLT_Handler - Facilitate use of XSLT transformations use Modern::Perl; use XML::LibXML; use XML::LibXSLT; +use Koha::XSLT::Security; use base qw(Class::Accessor); @@ -132,6 +133,20 @@ use constant XSLTH_ERR_5 => 'XSLTH_ERR_PARSING_DATA'; use constant XSLTH_ERR_6 => 'XSLTH_ERR_TRANSFORMING'; use constant XSLTH_ERR_7 => 'XSLTH_NO_STRING_PASSED'; +=head2 new + + my $xslt_engine = Koha::XSLT::Base->new; + +=cut + +sub new { + my ($class, $params) = @_; + my $self = $class->SUPER::new($params); + $self->{_security} = Koha::XSLT::Security->new; + $self->{_security}->register_callbacks; + return $self; +} + =head2 transform my $output= $xslt_engine->transform( $xml, $xsltfilename, [$format] ); @@ -195,6 +210,7 @@ sub transform { #parse input and transform my $parser = XML::LibXML->new(); + $self->{_security}->set_parser_options($parser); my $source = eval { $parser->parse_string($xml) }; if ($@) { $self->_set_error( XSLTH_ERR_5, $@ ); @@ -310,6 +326,7 @@ sub _load { #load sheet my $parser = XML::LibXML->new; + $self->{_security}->set_parser_options($parser); my $style_doc = eval { $parser->load_xml( $self->_load_xml_args($filename, $code) ) }; @@ -318,40 +335,9 @@ sub _load { return; } - my $security = XML::LibXSLT::Security->new(); - $security->register_callback( read_file => sub { - warn "read_file called in XML::LibXSLT"; - #i.e. when using the exsl:document() element or document() function (to read a XML file) - my ($tctxt,$value) = @_; - return 0; - }); - $security->register_callback( write_file => sub { - warn "write_file called in XML::LibXSLT"; - #i.e. when using the exsl:document element (or document() function?) (to write an output file of many possible types) - #e.g. - # - # breached! - # - my ($tctxt,$value) = @_; - return 0; - }); - $security->register_callback( read_net => sub { - warn "read_net called in XML::LibXSLT"; - #i.e. when using the document() function (to read XML from the network) - #e.g. - my ($tctxt,$value) = @_; - return 0; - }); - $security->register_callback( write_net => sub { - warn "write_net called in XML::LibXSLT"; - #NOTE: it's unknown how one would invoke this, but covering our bases anyway - my ($tctxt,$value) = @_; - return 0; - }); - #parse sheet my $xslt = XML::LibXSLT->new; - $xslt->security_callbacks( $security ); + $self->{_security}->set_callbacks($xslt); $rv = $code? $digest.$codelen: $filename; $self->{xslt_hash}->{$rv} = eval { $xslt->parse_stylesheet($style_doc) }; @@ -375,12 +361,13 @@ sub _set_error { my ( $self, $errcode, $warn ) = @_; $self->{err} = $errcode; #set or clear error - warn 'XSLT_Handler: '. $warn if $warn && $self->{print_warns}; + warn 'XSLT::Base: '. $warn if $warn && $self->{print_warns}; } =head1 AUTHOR Marcel de Rooy, Rijksmuseum Netherlands + David Cook, Prosentient Systems =cut -- 2.39.5