[nginx] Xslt: fixed xml_entities to be resolved from prefix.

[Maxim Dounin]

details:   http://freenginx.org/hg/nginx/rev/6c1b100b965a
branches:  
changeset: 9433:6c1b100b965a
user:      Maxim Dounin <mdounin at mdounin.ru>
date:      Fri Oct 31 08:08:06 2025 +0300
description:
Xslt: fixed xml_entities to be resolved from prefix.

Previously, relative values of xml_entities set in the configuration
were not processed with ngx_conf_full_name() and therefore resolved
from the process current working directory, leading to changes in
behaviour depending on the current directory during startup.  This also
differs from the expected behaviour of configuration directives, where
relative paths are expected to be resolved either from prefix or from
configuration prefix.

Fix is to use ngx_conf_full_name() to resolve xml_entities from prefix.

Note that xml_entities is handled by libxml2 xmlParseDTD() and therefore
might be used with URIs, such as "http://example.com/entities.dtd" or
"file:///path/to/entities.dtd".  This possibility was never documented
though, and highly questionable, especially nowadays (in particular, due
to no HTTPS support).  Further, support for HTTP URIs was disabled by
default in libxml2 2.13.0 and completely removed in libxml2 2.15.0.
As such, URIs are not specially handled and therefore effectively disabled
by this change.

diffstat:

 src/http/modules/ngx_http_xslt_filter_module.c |  4 ++++
 1 files changed, 4 insertions(+), 0 deletions(-)

diffs (14 lines):

diff --git a/src/http/modules/ngx_http_xslt_filter_module.c b/src/http/modules/ngx_http_xslt_filter_module.c
--- a/src/http/modules/ngx_http_xslt_filter_module.c
+++ b/src/http/modules/ngx_http_xslt_filter_module.c
@@ -834,6 +834,10 @@ ngx_http_xslt_entities(ngx_conf_t *cf, n
 
     value = cf->args->elts;
 
+    if (ngx_conf_full_name(cf->cycle, &value[1], 0) != NGX_OK) {
+        return NGX_CONF_ERROR;
+    }
+
     xmcf = ngx_http_conf_get_module_main_conf(cf, ngx_http_xslt_filter_module);
 
     file = xmcf->dtd_files.elts;