[nginx] Xslt: disabled loading of external entities over the net...

Maxim Dounin mdounin at mdounin.ru
Sun Nov 9 09:59:21 UTC 2025


details:   http://freenginx.org/hg/nginx/rev/081c50f47347
branches:  
changeset: 9434:081c50f47347
user:      Maxim Dounin <mdounin at mdounin.ru>
date:      Sun Nov 09 12:01:35 2025 +0300
description:
Xslt: disabled loading of external entities over the network.

Loading of external entities, including ones defined with the xml_entities
directive, happens while parsing the XML response, and therefore loading
over the network can block the entire worker process for a long time.
Loading of the external DTD subset has been disabled for the very same reason
since the initial version of the module.

Further, loading over the network has in any case been unavailable by default
since libxml2 2.13.0 (Jun 12 2024) and was completely removed in libxml2 2.15.0
(Sep 15 2025).

As such, the XML_PARSE_NONET parsing option (available since libxml2 2.6.2
from 2003) is now used to prevent loading of external entities over the
network.
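With XML_PARSE_NONET set, any external entity or external DTD reference in the file given by xml_entities that points at a network URI will no longer be loaded, while file-based references still resolve. The following is an added example, not part of this changeset or of nginx: a small stdlib-only Python check that scans a DTD or XML document for SYSTEM/PUBLIC identifiers using a network scheme, so an operator can find the declarations that will stop working before upgrading. The sample DTD and document are constructed; the entity names and example.test hosts are placeholders.

```python
import re

# External identifiers libxml2 would have fetched before XML_PARSE_NONET:
#   <!ENTITY name SYSTEM "uri">            (general entity)
#   <!ENTITY % name SYSTEM "uri">          (parameter entity)
#   <!ENTITY name PUBLIC "public-id" "uri">
#   <!DOCTYPE root SYSTEM "uri"> / <!DOCTYPE root PUBLIC "public-id" "uri">
_EXTERNAL_ID = re.compile(r"""
    <!(?P<kind>ENTITY|DOCTYPE)\s+
    (?:%\s+)?                                   # parameter-entity marker
    (?P<name>[^\s>\[]+)\s+
    (?:
        SYSTEM\s+(?P<sys>"[^"]*"|'[^']*')
      | PUBLIC\s+(?:"[^"]*"|'[^']*')\s+(?P<pub>"[^"]*"|'[^']*')
    )
""", re.IGNORECASE | re.VERBOSE)

# Schemes that XML_PARSE_NONET blocks; file: and relative paths stay loadable.
NETWORK_SCHEMES = ("http:", "https:", "ftp:")


def find_network_references(text):
    """Return [(kind, name, uri)] for every external identifier whose URI
    uses a network scheme. Entities with literal values and file: URIs are
    not reported, since NONET does not affect them."""
    hits = []
    for m in _EXTERNAL_ID.finditer(text):
        uri = (m.group("sys") or m.group("pub"))[1:-1]   # strip the quotes
        if uri.strip().lower().startswith(NETWORK_SCHEMES):
            hits.append((m.group("kind").upper(), m.group("name"), uri))
    return hits


# Constructed sample of an xml_entities file: two literal entities, one
# file-based entity (still fine) and two network references (now blocked).
SAMPLE_DTD = """<!-- constructed sample, not a real deployment -->
<!ENTITY nbsp "&#160;">
<!ENTITY copy "&#169;">
<!ENTITY legal SYSTEM "file:///etc/nginx/xml/legal.xml">
<!ENTITY banner SYSTEM "http://cdn.example.test/banner.xml">
<!ENTITY % iso PUBLIC "-//EXAMPLE//ENTITIES ISO//EN" "https://dtd.example.test/iso.ent">
"""

# Constructed sample response whose DOCTYPE points at a network DTD.
SAMPLE_XML = ('<?xml version="1.0"?>\n'
              '<!DOCTYPE html PUBLIC "-//EXAMPLE//DTD Page//EN" '
              '"http://dtd.example.test/page.dtd">\n'
              '<html><body>&banner;</body></html>\n')


if __name__ == "__main__":
    for label, doc in (("xml_entities file", SAMPLE_DTD), ("response", SAMPLE_XML)):
        for kind, name, uri in find_network_references(doc):
            print(f"{label}: {kind} {name} -> {uri} (blocked by XML_PARSE_NONET)")
```

Run it against the real entities file (`find_network_references(open(path).read())`) on each host before deploying; the report lists exactly the declarations whose content will be missing from transformed responses once loading over the network is disabled.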

diffstat:

 src/http/modules/ngx_http_xslt_filter_module.c |  2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diffs (12 lines):

diff --git a/src/http/modules/ngx_http_xslt_filter_module.c b/src/http/modules/ngx_http_xslt_filter_module.c
--- a/src/http/modules/ngx_http_xslt_filter_module.c
+++ b/src/http/modules/ngx_http_xslt_filter_module.c
@@ -382,7 +382,7 @@ ngx_http_xslt_add_chunk(ngx_http_request
             return NGX_ERROR;
         }
         xmlCtxtUseOptions(ctxt, XML_PARSE_NOENT|XML_PARSE_DTDLOAD
-                                               |XML_PARSE_NOWARNING);
+                                |XML_PARSE_NONET|XML_PARSE_NOWARNING);
 
         ctxt->sax->externalSubset = ngx_http_xslt_sax_external_subset;
         ctxt->sax->setDocumentLocator = NULL;
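Review bot: this is a user-visible behaviour change for the xml_entities directive that the patch does not document; an entities file declaring `<!ENTITY name SYSTEM "http://...">` will no longer have that entity loaded, and with XML_PARSE_NOWARNING kept on the same line the operator gets no hint why the content went missing. Suggest a note in the xml_entities documentation and CHANGES stating that only local (file) external entities are loaded. The option itself can be added unconditionally as done here: the description notes XML_PARSE_NONET has existed since libxml2 2.6.2, so no version guard is needed, and keeping XML_PARSE_NOENT|XML_PARSE_DTDLOAD means file-based entities from xml_entities still resolve, while the external DTD subset continues to be handled by ngx_http_xslt_sax_external_subset in the following context lines.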

