Re: [PHP-CVS] svn: /php/php-src/branches/PHP_5_3/ NEWS ext/xsl/php_xsl.c ext/xsl/php_xsl.h ext/xsl/xsltprocessor.c

Thu, 06 Oct 2011 07:31:45 -0700 

On Wed, Oct 5, 2011 at 11:56, Christian Stocker <chr...@php.net> wrote:
> chregu                                   Wed, 05 Oct 2011 09:56:01 +0000
>
> Revision: http://svn.php.net/viewvc?view=revision&revision=317759
>
> Log:
> Added xsl.security_prefs ini option to define forbidden operations within XSLT
> stylesheets, default is not to enable write operations. This option won't be
> in 5.4, since there's a new method. Bug #54446
>
> Bug: https://bugs.php.net/54446 (To be documented) Arbitrary file creation 
> via libxslt 'output' extension
>
> Changed paths:
>    U   php/php-src/branches/PHP_5_3/NEWS
>    U   php/php-src/branches/PHP_5_3/ext/xsl/php_xsl.c
>    U   php/php-src/branches/PHP_5_3/ext/xsl/php_xsl.h
>    U   php/php-src/branches/PHP_5_3/ext/xsl/xsltprocessor.c
>
> Modified: php/php-src/branches/PHP_5_3/NEWS
> ===================================================================
> --- php/php-src/branches/PHP_5_3/NEWS   2011-10-05 09:51:08 UTC (rev 317758)
> +++ php/php-src/branches/PHP_5_3/NEWS   2011-10-05 09:56:01 UTC (rev 317759)
> @@ -90,7 +90,13 @@
>  - SPL:
>   . Fixed bug #55807 (Wrong value for splFileObject::SKIP_EMPTY).
>     (jgotti at modedemploi dot fr, Hannes)
> +
> +- XSL:
> +  . Added xsl.security_prefs ini option to define forbidden operations 
> within XSLT
> +    stylesheets, default is not to enable write operations. This option 
> won't be
> +    in 5.4, since there's a new method. Bug #54446 (Chregu, Nicolas Gregoire)
>
> +
>  23 Aug 2011, PHP 5.3.8
>
>  - Core:
>
> Modified: php/php-src/branches/PHP_5_3/ext/xsl/php_xsl.c
> ===================================================================
> --- php/php-src/branches/PHP_5_3/ext/xsl/php_xsl.c      2011-10-05 09:51:08 
> UTC (rev 317758)
> +++ php/php-src/branches/PHP_5_3/ext/xsl/php_xsl.c      2011-10-05 09:56:01 
> UTC (rev 317759)
> @@ -141,6 +141,11 @@
>  }
>  /* }}} */
>
> +PHP_INI_BEGIN()
> +//XSL_SECPREF_CREATE_DIRECTORY | XSL_SECPREF_WRITE_NETWORK 
> | XSL_SECPREF_WRITE_FILE == 44
> +PHP_INI_ENTRY("xsl.security_prefs", "44", PHP_INI_ALL, NULL)
> +PHP_INI_END()


// comments are not allowed :)
And please add this option to the php.ini-* files, with similar note
as the news entry.

-Hannes

--
PHP CVS Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to