Xslt: xml_external_entities directive
Loading of external entities defined in the internal DTD subset,
that is, in the XML document itself, is now disabled by default, and
can be re-enabled with "xml_external_entities on;". This makes
processing of untrusted XML responses with the xslt module slightly
safer (though still not recommended unless you thoughtfully considered
risks).
To prevent loading we intercept entities defined in the internal
subset via the entityDecl callback, and remove system identifiers from
entities. This ensures that entities cannot be loaded directly, but
still allows using of public entities with appropriate system XML
catalog.
Additionally, since libxml2 before 2.14.0 (Mar 27 2025) accepts
in-document catalogs by default, these are explicitly disabled.
Signed-off-by: Vadim Zhestikov <v.zhestikov@f5.com>
Origin: https://freenginx.org/hg/nginx/rev/
94dae9ab1018