libxslt read file rights problems on debian Lenny under mod perl 2.0

on 28.10.2009 11:48:27 by Cosimo Streppone

Hi everyone,

I'm experiencing a rather interesting problem after migrating
one of our web applications to Debian Lenny.

We have xml+xslt based web rendering, and we use XML::LibXSLT
(currently on Lenny, 0.66), to do this.

After migrating to Lenny, XML::LibXSLT refuses to read in
and parse any stylesheet, with errors like:

Local file read for /some/path/www/xsl/stylesheet.xsl refused
error
xsltLoadStyleDocument: read rights for /some/path/www/xsl/stylesheet.xsl
denied
compilation error: file /some/path/www/xsl/anotherone.xsl line 14
element include
xsl:include : unable to load /some/path/www/xsl/stylesheet.xsl

There's a deep investigation going on, but before any other details
I might add, does anyone know anything about this issue?

I can't think we're the first ones on Earth
working with libxslt under lenny's mp (or maybe we are :)

Now for the gory details.
If I patch libxslt itself to disable the security checks, everything
is fine. That means short-circuiting xsltGetSecurityPrefs() to return NULL.

If I try to do this with the security callbacks API in XML::LibXSLT,
no way I can make this work under mod_perl. On command line, seems to
be fine. XML::LibXSLT passes all tests, even the security related.

If I hack XML::LibXSLT XS code to bypass the security checks,
*nothing happens* (???). It's like the security checks are still
there, even reinstalling the module and restarting Apache. (???)

--
Cosimo
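
An added example, not code from this thread or from the XML::LibXSLT distribution: a narrow read_file rule registered through the security callbacks API mentioned above, as an alternative to switching libxslt's checks off. The stylesheet root and file name are taken from the error output; the helper name read_file_allowlist is hypothetical, the callback is assumed to receive a plain filesystem path, and the thread does not confirm that this resolves the mod_perl behaviour.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Cwd qw(realpath);
use XML::LibXML;
use XML::LibXSLT;

# Stylesheet root as it appears in the error output (placeholder path).
my $XSL_ROOT = '/some/path/www/xsl';

# Hypothetical helper: build a read_file callback that permits reads only
# below $root, after resolving symlinks and ".." components.
sub read_file_allowlist {
    my ($root) = @_;
    my $real_root = realpath($root);
    return sub {
        my ($tctxt, $path) = @_;    # transform context, requested file
        my $real = defined $path ? eval { realpath($path) } : undef;
        my $ok = defined $real && defined $real_root
              && index($real, "$real_root/") == 0;
        # Under mod_perl this lands in the Apache error log, which also
        # shows whether the callback is being consulted at all.
        warn sprintf("libxslt read_file %s: %s\n",
                     $ok ? 'allowed' : 'denied',
                     defined $path ? $path : '(undef)');
        return $ok ? 1 : 0;         # 1 allows the read, 0 refuses it
    };
}

my $security = XML::LibXSLT::Security->new();
$security->register_callback(read_file => read_file_allowlist($XSL_ROOT));

# Refuse every capability this rendering path does not need.
$security->register_callback($_ => sub { 0 })
    for qw(write_file create_dir read_net write_net);

my $xslt = XML::LibXSLT->new();
$xslt->security_callbacks($security);

my $parser     = XML::LibXML->new();
my $style_doc  = $parser->parse_file("$XSL_ROOT/anotherone.xsl");
my $stylesheet = $xslt->parse_stylesheet($style_doc);
my $result     = $stylesheet->transform($parser->parse_string('<page/>'));
print $stylesheet->output_string($result);
```

Running the same script from the command line and from a minimal mod_perl handler, then comparing the warn lines, shows whether the callback is reached in both environments.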

Re: libxslt read file rights problems on debian Lenny under mod perl2.0

on 28.10.2009 22:07:53 by Cosimo Streppone

Petr Pajas wrote:

> Is there another web application running on your apache web server
> that is using libxslt (directly or indirectly via some other library)?

No, I'm running just one web app.

I can probably try to run a really small test case
in a mod_perl handler, without loading my entire application,
to see how that works out.

Thanks for the idea,


> 2009/10/28 Cosimo Streppone:
>> Hi everyone,
>>
>> I'm experiencing a rather interesting problem after migrating
>> one of our web applications to debian lenny.
>>
>> We have xml+xslt based web rendering, and we use XML::LibXSLT
>> (currently on Lenny, 0.66), to do this.
>>
>> After migrating to Lenny, XML::LibXSLT refuses to read in
>> and parse any stylesheet, with errors like:
>>
>> Local file read for /some/path/www/xsl/stylesheet.xsl refused
>> error
>> xsltLoadStyleDocument: read rights for
>> /some/path/www/xsl/stylesheet.xsl
>> denied
>> compilation error: file /some/path/www/xsl/anotherone.xsl line 14
>> element
>> include
>> xsl:include : unable to load /some/path/www/xsl/stylesheet.xsl
>>
>> [...]

--
Cosimo