On Wed, Oct 5, 2011 at 11:56, Christian Stocker <chr...@php.net> wrote: > chregu Wed, 05 Oct 2011 09:56:01 +0000 > > Revision: http://svn.php.net/viewvc?view=revision&revision=317759 > > Log: > Added xsl.security_prefs ini option to define forbidden operations within XSLT > stylesheets, default is not to enable write operations. This option won't be > in 5.4, since there's a new method. Bug #54446 > > Bug: https://bugs.php.net/54446 (To be documented) Arbitrary file creation > via libxslt 'output' extension > > Changed paths: > U php/php-src/branches/PHP_5_3/NEWS > U php/php-src/branches/PHP_5_3/ext/xsl/php_xsl.c > U php/php-src/branches/PHP_5_3/ext/xsl/php_xsl.h > U php/php-src/branches/PHP_5_3/ext/xsl/xsltprocessor.c > > Modified: php/php-src/branches/PHP_5_3/NEWS > =================================================================== > --- php/php-src/branches/PHP_5_3/NEWS 2011-10-05 09:51:08 UTC (rev 317758) > +++ php/php-src/branches/PHP_5_3/NEWS 2011-10-05 09:56:01 UTC (rev 317759) > @@ -90,7 +90,13 @@ > - SPL: > . Fixed bug #55807 (Wrong value for splFileObject::SKIP_EMPTY). > (jgotti at modedemploi dot fr, Hannes) > + > +- XSL: > + . Added xsl.security_prefs ini option to define forbidden operations > within XSLT > + stylesheets, default is not to enable write operations. This option > won't be > + in 5.4, since there's a new method. Bug #54446 (Chregu, Nicolas Gregoire) > > + > 23 Aug 2011, PHP 5.3.8 > > - Core: > > Modified: php/php-src/branches/PHP_5_3/ext/xsl/php_xsl.c > =================================================================== > --- php/php-src/branches/PHP_5_3/ext/xsl/php_xsl.c 2011-10-05 09:51:08 > UTC (rev 317758) > +++ php/php-src/branches/PHP_5_3/ext/xsl/php_xsl.c 2011-10-05 09:56:01 > UTC (rev 317759) > @@ -141,6 +141,11 @@ > } > /* }}} */ > > +PHP_INI_BEGIN() > +//XSL_SECPREF_CREATE_DIRECTORY | XSL_SECPREF_WRITE_NETWORK > | XSL_SECPREF_WRITE_FILE == 44 > +PHP_INI_ENTRY("xsl.security_prefs", "44", PHP_INI_ALL, NULL) > +PHP_INI_END()
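Review bot: The NEWS entry's "default is not to enable write operations" does not say which operations are blocked or what the default value is. The php_xsl.c comment spells it out (XSL_SECPREF_CREATE_DIRECTORY | XSL_SECPREF_WRITE_NETWORK | XSL_SECPREF_WRITE_FILE == 44), so the entry could name those three operations and the default of 44, which lets a reader of NEWS tell what changes for existing stylesheets without opening the source.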
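Review bot: In the php_xsl.c hunk, PHP_INI_ENTRY("xsl.security_prefs", "44", PHP_INI_ALL, NULL) passes NULL as the modify handler, so nothing validates the value when it is set; consider a handler that rejects anything that is not a combination of the XSL_SECPREF_* bits. PHP_INI_ALL also means the restriction can be lowered at runtime with ini_set() or per directory, so if administrators are expected to enforce it, a narrower level such as PHP_INI_SYSTEM would fit better, and either way the intended scope should be documented. The default is the bare literal "44", tied to the constants only by the comment above it, so it will drift without notice if those constants ever change.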
// comments are not allowed :)
And please add this option to the php.ini-* files, with similar note as the news entry.

-Hannes

--
PHP CVS Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php