[xml/sgml-pkgs] Bug#880215: xsltproc: XInclude with https doesn't work, and message is unhelpful

spam_from_debian_bugs_2017 at chezphil.org spam_from_debian_bugs_2017 at chezphil.org
Mon Oct 30 16:59:23 UTC 2017 

Package: xsltproc
Version: 1.1.29-2.1
Severity: normal

Dear Maintainer,

It seems that xsltproc's xinclude implementation doesn't support https. 
This seems to be a known issue upstream, with a patch submitted back 
in 2007 - https://mail.gnome.org/archives/xml/2007-March/msg00087.html . 
For whatever reason this has never been fixed.

In my case, an xincluded http resource stopped working.  The root 
cause was that the http server had been reconfigured to redirect all 
http requests to https (this is now quite common, thanks to widespread 
use of free SSL certs from letsencrypt).  The error from xsltproc was 
not helpful:

error : Unknown IO error
warning: failed to load external entity "http://path/omitted"
input.xml:173: element include: XInclude error : could not load http://path/omitted, and no fallback was found

I only worked out what was going on after stracing xsltproc and seeing 
that it got a 301 response from the server, and then looked for a local 
file named https://path/omitted .

Ideally, upstream xsltproc's xinclude would support https resources. 
An alternative would be for Debian to patch it to do so, since code 
to do so does seem to be available.  Failing that, it should be 
improved to recognise that an attempt is being made to use an unsupported 
URL scheme and explicitly report that in the error message.

(Also, is there a security issue with redirecting from an http URL 
to a local file?)


Regards, Phil.


-- System Information:
Debian Release: 9.1
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: arm64 (aarch64)

Kernel: Linux 4.9.23-std-1 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages xsltproc depends on:
ii  libc6       2.24-11+deb9u1
ii  libxml2     2.9.4+dfsg1-2.2+deb9u1
ii  libxslt1.1  1.1.29-2.1

xsltproc recommends no packages.

xsltproc suggests no packages.

-- no debconf information

More information about the debian-xml-sgml-pkgs mailing list