https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=42109 David Cook <dcook@prosentient.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |dcook@prosentient.com.au --- Comment #6 from David Cook <dcook@prosentient.com.au> --- Overall, I think that sounds like a pretty good idea. My only hesitation is with the user specifying the xsl_file. I suppose that XSLT is executed using Koha::XSLT::Base which uses Koha::XSLT::Security so that's good. That said, depending on the errors returned by the process there might be the ability to indirectly disclose server information (xsl_file gets its existence validated if it's a file, so you could compare successful and unsuccessful times to figure out if certain files and directories exist), although I suppose that's a problem would exist with any XSLT system preference. -- I'm curious what files get used in practice in the wild. Usually for this kind of preference I'd use Cwd::abs_path($filename) to get the canonical pathname and make sure the base filepath matches one I've configured for that instance, so they can't traverse the system. It might be worthwhile having "base_xslt_paths" or something in koha-conf.xml or another configuration file. I imagine some people might include XSLTs in /etc/koha/sites/<instancename>/file.xsl, so could always do a mix of /etc/koha/sites/<instancename> and /usr/share/koha/opac/htdocs or something. Just a thought... -- You are receiving this mail because: You are watching all bug changes.