chregu                                   Wed, 05 Oct 2011 09:56:01 +0000

Revision: http://svn.php.net/viewvc?view=revision&revision=317759

Log:
Added xsl.security_prefs ini option to define forbidden operations within XSLT
stylesheets, default is not to enable write operations. This option won't be
in 5.4, since there's a new method. Bug #54446

Bug: https://bugs.php.net/54446 (To be documented) Arbitrary file creation via 
libxslt 'output' extension
      
Changed paths:
    U   php/php-src/branches/PHP_5_3/NEWS
    U   php/php-src/branches/PHP_5_3/ext/xsl/php_xsl.c
    U   php/php-src/branches/PHP_5_3/ext/xsl/php_xsl.h
    U   php/php-src/branches/PHP_5_3/ext/xsl/xsltprocessor.c

Modified: php/php-src/branches/PHP_5_3/NEWS
===================================================================
--- php/php-src/branches/PHP_5_3/NEWS   2011-10-05 09:51:08 UTC (rev 317758)
+++ php/php-src/branches/PHP_5_3/NEWS   2011-10-05 09:56:01 UTC (rev 317759)
@@ -90,7 +90,13 @@
 - SPL:
   . Fixed bug #55807 (Wrong value for splFileObject::SKIP_EMPTY).
     (jgotti at modedemploi dot fr, Hannes)
+
+- XSL:
+  . Added xsl.security_prefs ini option to define forbidden operations within 
XSLT
+    stylesheets, default is not to enable write operations. This option won't 
be
+    in 5.4, since there's a new method. Bug #54446 (Chregu, Nicolas Gregoire)

+
 23 Aug 2011, PHP 5.3.8

 - Core:

Modified: php/php-src/branches/PHP_5_3/ext/xsl/php_xsl.c
===================================================================
--- php/php-src/branches/PHP_5_3/ext/xsl/php_xsl.c      2011-10-05 09:51:08 UTC 
(rev 317758)
+++ php/php-src/branches/PHP_5_3/ext/xsl/php_xsl.c      2011-10-05 09:56:01 UTC 
(rev 317759)
@@ -141,6 +141,11 @@
 }
 /* }}} */

+PHP_INI_BEGIN()
+//XSL_SECPREF_CREATE_DIRECTORY | XSL_SECPREF_WRITE_NETWORK 
| XSL_SECPREF_WRITE_FILE == 44
+PHP_INI_ENTRY("xsl.security_prefs", "44", PHP_INI_ALL, NULL)
+PHP_INI_END()
+
 /* {{{ PHP_MINIT_FUNCTION
  */
 PHP_MINIT_FUNCTION(xsl)
@@ -167,6 +172,13 @@
        REGISTER_LONG_CONSTANT("XSL_CLONE_NEVER",    -1,     CONST_CS | 
CONST_PERSISTENT);
        REGISTER_LONG_CONSTANT("XSL_CLONE_ALWAYS",    1,     CONST_CS | 
CONST_PERSISTENT);

+       REGISTER_LONG_CONSTANT("XSL_SECPREF_NONE",             
XSL_SECPREF_NONE,             CONST_CS | CONST_PERSISTENT);
+       REGISTER_LONG_CONSTANT("XSL_SECPREF_READ_FILE",        
XSL_SECPREF_READ_FILE,        CONST_CS | CONST_PERSISTENT);
+       REGISTER_LONG_CONSTANT("XSL_SECPREF_WRITE_FILE",       
XSL_SECPREF_WRITE_FILE,       CONST_CS | CONST_PERSISTENT);
+       REGISTER_LONG_CONSTANT("XSL_SECPREF_CREATE_DIRECTORY", 
XSL_SECPREF_CREATE_DIRECTORY, CONST_CS | CONST_PERSISTENT);
+       REGISTER_LONG_CONSTANT("XSL_SECPREF_READ_NETWORK",     
XSL_SECPREF_READ_NETWORK,     CONST_CS | CONST_PERSISTENT);
+       REGISTER_LONG_CONSTANT("XSL_SECPREF_WRITE_NETWORK",    
XSL_SECPREF_WRITE_NETWORK,    CONST_CS | CONST_PERSISTENT);
+
        REGISTER_LONG_CONSTANT("LIBXSLT_VERSION",           LIBXSLT_VERSION,    
        CONST_CS | CONST_PERSISTENT);
        REGISTER_STRING_CONSTANT("LIBXSLT_DOTTED_VERSION",  
LIBXSLT_DOTTED_VERSION,     CONST_CS | CONST_PERSISTENT);

@@ -175,6 +187,8 @@
        REGISTER_STRING_CONSTANT("LIBEXSLT_DOTTED_VERSION",  
LIBEXSLT_DOTTED_VERSION,     CONST_CS | CONST_PERSISTENT);
 #endif

+    REGISTER_INI_ENTRIES();
+
        return SUCCESS;
 }
 /* }}} */
@@ -258,6 +272,8 @@

        xsltCleanupGlobals();

+       UNREGISTER_INI_ENTRIES();
+
        return SUCCESS;
 }
 /* }}} */

Modified: php/php-src/branches/PHP_5_3/ext/xsl/php_xsl.h
===================================================================
--- php/php-src/branches/PHP_5_3/ext/xsl/php_xsl.h      2011-10-05 09:51:08 UTC 
(rev 317758)
+++ php/php-src/branches/PHP_5_3/ext/xsl/php_xsl.h      2011-10-05 09:56:01 UTC 
(rev 317759)
@@ -32,6 +32,7 @@
 #include <libxslt/xsltInternals.h>
 #include <libxslt/xsltutils.h>
 #include <libxslt/transform.h>
+#include <libxslt/security.h>
 #if HAVE_XSL_EXSLT
 #include <libexslt/exslt.h>
 #include <libexslt/exsltconfig.h>
@@ -43,6 +44,13 @@
 #include <libxslt/extensions.h>
 #include <libxml/xpathInternals.h>

+#define XSL_SECPREF_NONE 0
+#define XSL_SECPREF_READ_FILE 2
+#define XSL_SECPREF_WRITE_FILE 4
+#define XSL_SECPREF_CREATE_DIRECTORY 8
+#define XSL_SECPREF_READ_NETWORK 16
+#define XSL_SECPREF_WRITE_NETWORK 32
+
 typedef struct _xsl_object {
        zend_object  std;
        void *ptr;

Modified: php/php-src/branches/PHP_5_3/ext/xsl/xsltprocessor.c
===================================================================
--- php/php-src/branches/PHP_5_3/ext/xsl/xsltprocessor.c        2011-10-05 
09:51:08 UTC (rev 317758)
+++ php/php-src/branches/PHP_5_3/ext/xsl/xsltprocessor.c        2011-10-05 
09:56:01 UTC (rev 317759)
@@ -475,6 +475,9 @@
        zval *doXInclude, *member;
        zend_object_handlers *std_hnd;
        FILE *f;
+       int secPrefsError;
+       int secPrefsIni;
+       xsltSecurityPrefsPtr secPrefs = NULL;

        node = php_libxml_import_node(docp TSRMLS_CC);

@@ -531,11 +534,56 @@
        }
        efree(member);

-       newdocp = xsltApplyStylesheetUser(style, doc, (const char**) params,  
NULL, f, ctxt);
+
+       secPrefsIni = INI_INT("xsl.security_prefs");
+
+       //if securityPrefs is set to NONE, we don't have to do any checks, but 
otherwise...
+       if (secPrefsIni != XSL_SECPREF_NONE) {
+               secPrefs = xsltNewSecurityPrefs();
+               if (secPrefsIni & XSL_SECPREF_READ_FILE ) {
+                       if (0 != xsltSetSecurityPrefs(secPrefs, 
XSLT_SECPREF_READ_FILE, xsltSecurityForbid)) {
+                               secPrefsError = 1;
+                       }
+               }
+               if (secPrefsIni & XSL_SECPREF_WRITE_FILE ) {
+                       if (0 != xsltSetSecurityPrefs(secPrefs, 
XSLT_SECPREF_WRITE_FILE, xsltSecurityForbid)) {
+                               secPrefsError = 1;
+                       }
+               }
+               if (secPrefsIni & XSL_SECPREF_CREATE_DIRECTORY ) {
+                       if (0 != xsltSetSecurityPrefs(secPrefs, 
XSLT_SECPREF_CREATE_DIRECTORY, xsltSecurityForbid)) {
+                               secPrefsError = 1;
+                       }
+               }
+               if (secPrefsIni & XSL_SECPREF_READ_NETWORK) {
+                       if (0 != xsltSetSecurityPrefs(secPrefs, 
XSLT_SECPREF_READ_NETWORK, xsltSecurityForbid)) {
+                               secPrefsError = 1;
+                       }
+               }
+               if (secPrefsIni & XSL_SECPREF_WRITE_NETWORK) {
+                       if (0 != xsltSetSecurityPrefs(secPrefs, 
XSLT_SECPREF_WRITE_NETWORK, xsltSecurityForbid)) {
+                               secPrefsError = 1;
+                       }
+               }
+
+               if (0 != xsltSetCtxtSecurityPrefs(secPrefs, ctxt)) {
+                       secPrefsError = 1;
+               }
+       }
+
+       if (secPrefsError == 1) {
+               php_error_docref(NULL TSRMLS_CC, E_WARNING, "Can't set libxslt 
security properties, not doing transformation for security reasons");
+       } else {
+               newdocp = xsltApplyStylesheetUser(style, doc, (const char**) 
params,  NULL, f, ctxt);
+       }
        if (f) {
                fclose(f);
        }
+
        xsltFreeTransformContext(ctxt);
+       if (secPrefs) {
+               xsltFreeSecurityPrefs(secPrefs);
+       }

        if (intern->node_list != NULL) {
                zend_hash_destroy(intern->node_list);

-- 
PHP CVS Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to