[PATCH 0 of 2] XSLT filter improvements
Maxim Dounin
mdounin at mdounin.ru
Tue Nov 4 02:42:24 UTC 2025
Hello!
The following patch series addresses some shortcomings of the XSLT filter
module (ngx_http_xslt_module), notably:
- Attempts to load external entities over network are now rejected.
These anyway won't work with libxml2 2.13.0 or later, but with older
versions of the library attempts to load external entities over network
might block the entire worker process for a long time, and therefore
shouldn't be used.
- Loading of external entities from the internal DTD subset (that is,
the XML document itself) via system identifiers is now forbidden by
default, making it slightly safer to use the module with untrusted XML
documents. Loading via public identifiers (with appropriate system
XML catalogs) and from the external DTD subset (provided with the
"xml_entities" directive) still works as usual. If loading of external
entities from the internal DTD subset via system identifiers is
intentional, the "xml_external_entities" directive can be used to
re-enable loading of such entities.
Review and testing appreciated.
--
Maxim Dounin
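To illustrate the distinction the cover letter draws (entities declared in the internal DTD subset with a SYSTEM identifier versus PUBLIC identifiers resolved through catalogs), here is an added, standalone Python check that classifies such declarations without resolving or loading anything. It is not code from the patch series or from ngx_http_xslt_module; the sample documents and the network-scheme list are constructed for the example.

```python
"""Classify entity declarations in an XML document's internal DTD subset.

Added example (not from the nginx patch series): flags entities declared
in the internal subset via a SYSTEM identifier, the case the new default
forbids, while internal entities and PUBLIC identifiers (resolvable via
XML catalogs) pass. Standard library only; nothing external is fetched.
"""
import xml.parsers.expat
from urllib.parse import urlsplit

# Constructed list of schemes we treat as "over network".
NETWORK_SCHEMES = {"http", "https", "ftp"}


def scan_internal_subset(xml_bytes):
    """Return (name, kind, identifier) tuples for entities declared in the
    internal DTD subset; kind is 'internal', 'public', 'system' or
    'system-network'. No entity is ever resolved."""
    findings = []
    parser = xml.parsers.expat.ParserCreate()
    # Never expand external parameter entities (no external DTD fetch).
    parser.SetParamEntityParsing(xml.parsers.expat.XML_PARAM_ENTITY_PARSING_NEVER)
    # Treat every external entity reference as handled without loading it.
    parser.ExternalEntityRefHandler = lambda *args: 1

    def entity_decl(name, is_pe, value, base, system_id, public_id, notation):
        if value is not None:          # internal entity: literal replacement text
            findings.append((name, "internal", None))
        elif public_id is not None:    # PUBLIC id: can be mapped by an XML catalog
            findings.append((name, "public", public_id))
        elif urlsplit(system_id).scheme.lower() in NETWORK_SCHEMES:
            findings.append((name, "system-network", system_id))
        else:                          # SYSTEM id naming a local path or file: URL
            findings.append((name, "system", system_id))

    parser.EntityDeclHandler = entity_decl
    parser.Parse(xml_bytes, True)
    return findings


def is_safe_for_default_policy(xml_bytes):
    """True when no entity in the internal subset is declared via a SYSTEM id."""
    return all(kind in ("internal", "public")
               for _, kind, _ in scan_internal_subset(xml_bytes))


# Constructed sample documents for demonstration.
NETWORK_DOC = (b'<?xml version="1.0"?><!DOCTYPE r [<!ENTITY xxe SYSTEM '
               b'"http://example.invalid/x">]><r>&xxe;</r>')
LOCAL_DOC = (b'<!DOCTYPE r [<!ENTITY w "hello">'
             b'<!ENTITY f SYSTEM "file:///constructed/path">]><r>&w;&f;</r>')
PUBLIC_DOC = (b'<!DOCTYPE r [<!ENTITY cp PUBLIC "-//EXAMPLE//ENTITIES Constructed//EN" '
              b'"constructed.ent">]><r>&cp;</r>')
```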