Fix security framework bypass
xsltCheckRead and xsltCheckWrite return -1 in case of error but callers don't check for this condition and allow access. With a specially crafted URL, xsltCheckRead could be tricked into returning an error because of a supposedly invalid URL that would still be loaded successfully later on. Fixes #12. Thanks to Felix Wilhelm for the report.
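The failure mode the commit message describes, as an added example that is not libxslt code: a check with the 1/0/-1 return convention, a caller that only tests for 0, and a caller that treats an error as permission denied. `check_read`, its parsing rule, `ALLOWED_PREFIX` and the sample paths are constructed stand-ins.

```c
#include <stdio.h>
#include <string.h>

/* Return convention from the commit message: 1 = allowed, 0 = denied,
 * -1 = error. The parsing rule and prefix below are constructed for this
 * example and are not libxslt's logic. */
#define ALLOWED_PREFIX "/srv/stylesheets/"

static int check_read(const char *url)
{
    const unsigned char *p;

    /* Constructed rule: the checker cannot parse non-printable bytes, so it
     * reports the error and returns -1 instead of a verdict. */
    for (p = (const unsigned char *)url; *p != '\0'; p++) {
        if (*p < 0x20 || *p > 0x7e) {
            fprintf(stderr, "check_read: invalid URL\n");
            return -1;
        }
    }
    return strncmp(url, ALLOWED_PREFIX, strlen(ALLOWED_PREFIX)) == 0;
}

/* Fail-open caller: only 0 counts as "denied", so -1 falls through. */
static int may_load_fail_open(const char *url)
{
    int ret = check_read(url);
    return (ret == 0) ? 0 : 1;
}

/* Fail-closed caller: an error is treated as permission denied. */
static int may_load_fail_closed(const char *url)
{
    int ret = check_read(url);
    return (ret <= 0) ? 0 : 1;
}

int main(void)
{
    /* Constructed sample inputs: allowed, denied, and unparseable. */
    const char *samples[] = { "/srv/stylesheets/a.xsl",
                              "/home/other/private.xml",
                              "/home/other/\tprivate.xml" };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("sample %zu: fail-open=%d fail-closed=%d\n", i,
               may_load_fail_open(samples[i]), may_load_fail_closed(samples[i]));
    return 0;
}
```

The third sample is the interesting one: the check cannot reach a verdict, the fail-open caller grants access anyway, and the fail-closed caller refuses.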
It is good that errors are now treated as permission denied. It seems strange, however, that there is no error message created to let somebody find out what happened.
@jkonczal In libxslt, if a function returns an error code, it means that an error has already been reported. Here's an example: https://gitlab.gnome.org/GNOME/libxslt/blob/master/libxslt/security.c#L443
That explains it. Thanks.
Is there any chance to make a new release with that fix?