chregu Mon, 10 Oct 2011 07:59:19 +0000 Revision: http://svn.php.net/viewvc?view=revision&revision=317953
Log: Added the xsl.security_prefs option to 5_4 and trunk and mark it as deprecated for BC-reasons Added tests for ini option and combination of both Changed paths: U php/php-src/branches/PHP_5_3/UPGRADING U php/php-src/branches/PHP_5_3/ext/xsl/php_xsl.c U php/php-src/branches/PHP_5_3/ext/xsl/php_xsl.h D php/php-src/branches/PHP_5_3/ext/xsl/tests/bug54446.phpt A + php/php-src/branches/PHP_5_3/ext/xsl/tests/bug54446_with_ini.phpt (from php/php-src/branches/PHP_5_3/ext/xsl/tests/bug54446.phpt:r317952) U php/php-src/branches/PHP_5_3/ext/xsl/xsltprocessor.c U php/php-src/branches/PHP_5_4/ext/xsl/php_xsl.c U php/php-src/branches/PHP_5_4/ext/xsl/php_xsl.h A php/php-src/branches/PHP_5_4/ext/xsl/tests/bug54446_with_ini.phpt U php/php-src/branches/PHP_5_4/ext/xsl/xsltprocessor.c U php/php-src/trunk/ext/xsl/php_xsl.c U php/php-src/trunk/ext/xsl/php_xsl.h A php/php-src/trunk/ext/xsl/tests/bug54446_with_ini.phpt U php/php-src/trunk/ext/xsl/xsltprocessor.c
Modified: php/php-src/branches/PHP_5_3/UPGRADING =================================================================== --- php/php-src/branches/PHP_5_3/UPGRADING 2011-10-10 05:33:29 UTC (rev 317952) +++ php/php-src/branches/PHP_5_3/UPGRADING 2011-10-10 07:59:19 UTC (rev 317953) @@ -153,7 +153,16 @@ - SplObjectStorage now has ArrayAccess support. It is also now possible to store associative information with objects in SplObjectStorage. + +===================== +4.1 New in PHP 5.3.9 +===================== +- Write operations within XSLT (for example with the extension sax:output) are + disabled by default. You can define what is forbidden with the INI option + xsl.security_prefs. This option will be marked as deprecated in 5.4 again. + Use the method XsltProcess::setSecurityPrefs($options) there. + ============= 5. Deprecated ============= Modified: php/php-src/branches/PHP_5_3/ext/xsl/php_xsl.c =================================================================== --- php/php-src/branches/PHP_5_3/ext/xsl/php_xsl.c 2011-10-10 05:33:29 UTC (rev 317952) +++ php/php-src/branches/PHP_5_3/ext/xsl/php_xsl.c 2011-10-10 07:59:19 UTC (rev 317953) @@ -180,6 +180,7 @@ REGISTER_LONG_CONSTANT("XSL_SECPREF_CREATE_DIRECTORY", XSL_SECPREF_CREATE_DIRECTORY, CONST_CS | CONST_PERSISTENT); REGISTER_LONG_CONSTANT("XSL_SECPREF_READ_NETWORK", XSL_SECPREF_READ_NETWORK, CONST_CS | CONST_PERSISTENT); REGISTER_LONG_CONSTANT("XSL_SECPREF_WRITE_NETWORK", XSL_SECPREF_WRITE_NETWORK, CONST_CS | CONST_PERSISTENT); + REGISTER_LONG_CONSTANT("XSL_SECPREF_DEFAULT", XSL_SECPREF_DEFAULT, CONST_CS | CONST_PERSISTENT); REGISTER_LONG_CONSTANT("LIBXSLT_VERSION", LIBXSLT_VERSION, CONST_CS | CONST_PERSISTENT); REGISTER_STRING_CONSTANT("LIBXSLT_DOTTED_VERSION", LIBXSLT_DOTTED_VERSION, CONST_CS | CONST_PERSISTENT); Modified: php/php-src/branches/PHP_5_3/ext/xsl/php_xsl.h =================================================================== --- php/php-src/branches/PHP_5_3/ext/xsl/php_xsl.h 2011-10-10 05:33:29 UTC (rev 317952) +++ php/php-src/branches/PHP_5_3/ext/xsl/php_xsl.h 2011-10-10 07:59:19 UTC (rev 317953) @@ -50,6 +50,8 @@ #define XSL_SECPREF_CREATE_DIRECTORY 8 #define XSL_SECPREF_READ_NETWORK 16 #define XSL_SECPREF_WRITE_NETWORK 32 +/* Default == disable all write access == XSL_SECPREF_WRITE_NETWORK | XSL_SECPREF_CREATE_DIRECTORY | XSL_SECPREF_WRITE_FILE */ +#define XSL_SECPREF_DEFAULT 44 typedef struct _xsl_object { zend_object std; Deleted: php/php-src/branches/PHP_5_3/ext/xsl/tests/bug54446.phpt =================================================================== --- php/php-src/branches/PHP_5_3/ext/xsl/tests/bug54446.phpt 2011-10-10 05:33:29 UTC (rev 317952) +++ php/php-src/branches/PHP_5_3/ext/xsl/tests/bug54446.phpt 2011-10-10 07:59:19 UTC (rev 317953) @@ -1,95 +0,0 @@ ---TEST-- -Bug #54446 (Arbitrary file creation via libxslt 'output' extension) ---SKIPIF-- -<?php -if (!extension_loaded('xsl')) die("skip Extension XSL is required\n"); -?> ---FILE-- -<?php -include("prepare.inc"); - -$outputfile = dirname(__FILE__)."/bug54446test.txt"; -if (file_exists($outputfile)) { - unlink($outputfile); -} - -$sXsl = <<<EOT -<xsl:stylesheet version="1.0" - xmlns:xsl="http://www.w3.org/1999/XSL/Transform" - xmlns:sax="http://icl.com/saxon" - extension-element-prefixes="sax"> - - <xsl:template match="/"> - <sax:output href="$outputfile" method="text"> - <xsl:value-of select="'0wn3d via PHP and libxslt ...'"/> - </sax:output> - </xsl:template> - -</xsl:stylesheet> -EOT; - -$xsl->loadXML( $sXsl ); - -# START XSLT -$proc->importStylesheet( $xsl ); - -# TRASNFORM & PRINT -print $proc->transformToXML( $dom ); - - -if (file_exists($outputfile)) { - print "$outputfile exists, but shouldn't!\n"; -} else { - print "OK, no file created\n"; -} - -#SET NO SECURITY PREFS -ini_set("xsl.security_prefs", XSL_SECPREF_NONE); - -# TRASNFORM & PRINT -print $proc->transformToXML( $dom ); - - -if (file_exists($outputfile)) { - print "OK, file exists\n"; -} else { - print "$outputfile doesn't exist, but should!\n"; -} - -unlink($outputfile); - -#SET SECURITY PREFS AGAIN -ini_set("xsl.security_prefs", XSL_SECPREF_WRITE_FILE | XSL_SECPREF_WRITE_NETWORK | XSL_SECPREF_CREATE_DIRECTORY); - -# TRASNFORM & PRINT -print $proc->transformToXML( $dom ); - -if (file_exists($outputfile)) { - print "$outputfile exists, but shouldn't!\n"; -} else { - print "OK, no file created\n"; -} - - ---EXPECTF-- -Warning: XSLTProcessor::transformToXml(): runtime error: file %s line %s element output in %s on line %d - -Warning: XSLTProcessor::transformToXml(): File write for %s/bug54446test.txt refused in %s on line %s - -Warning: XSLTProcessor::transformToXml(): runtime error: file %s line %d element output in %s on line %d - -Warning: XSLTProcessor::transformToXml(): xsltDocumentElem: write rights for %s/bug54446test.txt denied in %s on line %d -OK, no file created -OK, file exists - -Warning: XSLTProcessor::transformToXml(): runtime error: file %s line %s element output in %s on line %d - -Warning: XSLTProcessor::transformToXml(): File write for %s/bug54446test.txt refused in %s on line %s - -Warning: XSLTProcessor::transformToXml(): runtime error: file %s line %d element output in %s on line %d - -Warning: XSLTProcessor::transformToXml(): xsltDocumentElem: write rights for %s/bug54446test.txt denied in %s on line %d -OK, no file created ---CREDITS-- -Christian Stocker, chr...@php.net - Copied: php/php-src/branches/PHP_5_3/ext/xsl/tests/bug54446_with_ini.phpt (from rev 317952, php/php-src/branches/PHP_5_3/ext/xsl/tests/bug54446.phpt) =================================================================== --- php/php-src/branches/PHP_5_3/ext/xsl/tests/bug54446_with_ini.phpt (rev 0) +++ php/php-src/branches/PHP_5_3/ext/xsl/tests/bug54446_with_ini.phpt 2011-10-10 07:59:19 UTC (rev 317953) @@ -0,0 +1,95 @@ +--TEST-- +Bug #54446 (Arbitrary file creation via libxslt 'output' extension with php.ini setting) +--SKIPIF-- +<?php +if (!extension_loaded('xsl')) die("skip Extension XSL is required\n"); +?> +--FILE-- +<?php +include("prepare.inc"); + +$outputfile = dirname(__FILE__)."/bug54446test.txt"; +if (file_exists($outputfile)) { + unlink($outputfile); +} + +$sXsl = <<<EOT +<xsl:stylesheet version="1.0" + xmlns:xsl="http://www.w3.org/1999/XSL/Transform" + xmlns:sax="http://icl.com/saxon" + extension-element-prefixes="sax"> + + <xsl:template match="/"> + <sax:output href="$outputfile" method="text"> + <xsl:value-of select="'0wn3d via PHP and libxslt ...'"/> + </sax:output> + </xsl:template> + +</xsl:stylesheet> +EOT; + +$xsl->loadXML( $sXsl ); + +# START XSLT +$proc->importStylesheet( $xsl ); + +# TRASNFORM & PRINT +print $proc->transformToXML( $dom ); + + +if (file_exists($outputfile)) { + print "$outputfile exists, but shouldn't!\n"; +} else { + print "OK, no file created\n"; +} + +#SET NO SECURITY PREFS +ini_set("xsl.security_prefs", XSL_SECPREF_NONE); + +# TRASNFORM & PRINT +print $proc->transformToXML( $dom ); + + +if (file_exists($outputfile)) { + print "OK, file exists\n"; +} else { + print "$outputfile doesn't exist, but should!\n"; +} + +unlink($outputfile); + +#SET SECURITY PREFS AGAIN +ini_set("xsl.security_prefs", XSL_SECPREF_WRITE_FILE | XSL_SECPREF_WRITE_NETWORK | XSL_SECPREF_CREATE_DIRECTORY); + +# TRASNFORM & PRINT +print $proc->transformToXML( $dom ); + +if (file_exists($outputfile)) { + print "$outputfile exists, but shouldn't!\n"; +} else { + print "OK, no file created\n"; +} + + +--EXPECTF-- +Warning: XSLTProcessor::transformToXml(): runtime error: file %s line %s element output in %s on line %d + +Warning: XSLTProcessor::transformToXml(): File write for %s/bug54446test.txt refused in %s on line %s + +Warning: XSLTProcessor::transformToXml(): runtime error: file %s line %d element output in %s on line %d + +Warning: XSLTProcessor::transformToXml(): xsltDocumentElem: write rights for %s/bug54446test.txt denied in %s on line %d +OK, no file created +OK, file exists + +Warning: XSLTProcessor::transformToXml(): runtime error: file %s line %s element output in %s on line %d + +Warning: XSLTProcessor::transformToXml(): File write for %s/bug54446test.txt refused in %s on line %s + +Warning: XSLTProcessor::transformToXml(): runtime error: file %s line %d element output in %s on line %d + +Warning: XSLTProcessor::transformToXml(): xsltDocumentElem: write rights for %s/bug54446test.txt denied in %s on line %d +OK, no file created +--CREDITS-- +Christian Stocker, chr...@php.net + Modified: php/php-src/branches/PHP_5_3/ext/xsl/xsltprocessor.c =================================================================== --- php/php-src/branches/PHP_5_3/ext/xsl/xsltprocessor.c 2011-10-10 05:33:29 UTC (rev 317952) +++ php/php-src/branches/PHP_5_3/ext/xsl/xsltprocessor.c 2011-10-10 07:59:19 UTC (rev 317953) @@ -476,7 +476,7 @@ zend_object_handlers *std_hnd; FILE *f; int secPrefsError = 0; - int secPrefsIni; + int secPrefsValue; xsltSecurityPrefsPtr secPrefs = NULL; node = php_libxml_import_node(docp TSRMLS_CC); @@ -535,32 +535,32 @@ efree(member); - secPrefsIni = INI_INT("xsl.security_prefs"); + secPrefsValue = INI_INT("xsl.security_prefs"); - //if securityPrefs is set to NONE, we don't have to do any checks, but otherwise... - if (secPrefsIni != XSL_SECPREF_NONE) { + /* if securityPrefs is set to NONE, we don't have to do any checks, but otherwise... */ + if (secPrefsValue != XSL_SECPREF_NONE) { secPrefs = xsltNewSecurityPrefs(); - if (secPrefsIni & XSL_SECPREF_READ_FILE ) { + if (secPrefsValue & XSL_SECPREF_READ_FILE ) { if (0 != xsltSetSecurityPrefs(secPrefs, XSLT_SECPREF_READ_FILE, xsltSecurityForbid)) { secPrefsError = 1; } } - if (secPrefsIni & XSL_SECPREF_WRITE_FILE ) { + if (secPrefsValue & XSL_SECPREF_WRITE_FILE ) { if (0 != xsltSetSecurityPrefs(secPrefs, XSLT_SECPREF_WRITE_FILE, xsltSecurityForbid)) { secPrefsError = 1; } } - if (secPrefsIni & XSL_SECPREF_CREATE_DIRECTORY ) { + if (secPrefsValue & XSL_SECPREF_CREATE_DIRECTORY ) { if (0 != xsltSetSecurityPrefs(secPrefs, XSLT_SECPREF_CREATE_DIRECTORY, xsltSecurityForbid)) { secPrefsError = 1; } } - if (secPrefsIni & XSL_SECPREF_READ_NETWORK) { + if (secPrefsValue & XSL_SECPREF_READ_NETWORK) { if (0 != xsltSetSecurityPrefs(secPrefs, XSLT_SECPREF_READ_NETWORK, xsltSecurityForbid)) { secPrefsError = 1; } } - if (secPrefsIni & XSL_SECPREF_WRITE_NETWORK) { + if (secPrefsValue & XSL_SECPREF_WRITE_NETWORK) { if (0 != xsltSetSecurityPrefs(secPrefs, XSLT_SECPREF_WRITE_NETWORK, xsltSecurityForbid)) { secPrefsError = 1; } Modified: php/php-src/branches/PHP_5_4/ext/xsl/php_xsl.c =================================================================== --- php/php-src/branches/PHP_5_4/ext/xsl/php_xsl.c 2011-10-10 05:33:29 UTC (rev 317952) +++ php/php-src/branches/PHP_5_4/ext/xsl/php_xsl.c 2011-10-10 07:59:19 UTC (rev 317953) @@ -126,7 +126,8 @@ intern->node_list = NULL; intern->doc = NULL; intern->profiling = NULL; - intern->securityPrefs = XSL_SECPREF_WRITE_FILE | XSL_SECPREF_WRITE_NETWORK | XSL_SECPREF_CREATE_DIRECTORY; + intern->securityPrefs = XSL_SECPREF_DEFAULT; + intern->securityPrefsSet = 0; zend_object_std_init(&intern->std, class_type TSRMLS_CC); object_properties_init(&intern->std, class_type); @@ -141,6 +142,13 @@ } /* }}} */ +PHP_INI_BEGIN() +/* Default is not allowing any write operations. + XSL_SECPREF_CREATE_DIRECTORY | XSL_SECPREF_WRITE_NETWORK | XSL_SECPREF_WRITE_FILE == 44 +*/ +PHP_INI_ENTRY("xsl.security_prefs", "44", PHP_INI_ALL, NULL) +PHP_INI_END() + /* {{{ PHP_MINIT_FUNCTION */ PHP_MINIT_FUNCTION(xsl) @@ -173,7 +181,8 @@ REGISTER_LONG_CONSTANT("XSL_SECPREF_CREATE_DIRECTORY", XSL_SECPREF_CREATE_DIRECTORY, CONST_CS | CONST_PERSISTENT); REGISTER_LONG_CONSTANT("XSL_SECPREF_READ_NETWORK", XSL_SECPREF_READ_NETWORK, CONST_CS | CONST_PERSISTENT); REGISTER_LONG_CONSTANT("XSL_SECPREF_WRITE_NETWORK", XSL_SECPREF_WRITE_NETWORK, CONST_CS | CONST_PERSISTENT); - + REGISTER_LONG_CONSTANT("XSL_SECPREF_DEFAULT", XSL_SECPREF_DEFAULT, CONST_CS | CONST_PERSISTENT); + REGISTER_LONG_CONSTANT("LIBXSLT_VERSION", LIBXSLT_VERSION, CONST_CS | CONST_PERSISTENT); REGISTER_STRING_CONSTANT("LIBXSLT_DOTTED_VERSION", LIBXSLT_DOTTED_VERSION, CONST_CS | CONST_PERSISTENT); @@ -182,6 +191,8 @@ REGISTER_STRING_CONSTANT("LIBEXSLT_DOTTED_VERSION", LIBEXSLT_DOTTED_VERSION, CONST_CS | CONST_PERSISTENT); #endif + REGISTER_INI_ENTRIES(); + return SUCCESS; } /* }}} */ @@ -265,6 +276,8 @@ xsltCleanupGlobals(); + UNREGISTER_INI_ENTRIES(); + return SUCCESS; } /* }}} */ Modified: php/php-src/branches/PHP_5_4/ext/xsl/php_xsl.h =================================================================== --- php/php-src/branches/PHP_5_4/ext/xsl/php_xsl.h 2011-10-10 05:33:29 UTC (rev 317952) +++ php/php-src/branches/PHP_5_4/ext/xsl/php_xsl.h 2011-10-10 07:59:19 UTC (rev 317953) @@ -50,6 +50,8 @@ #define XSL_SECPREF_CREATE_DIRECTORY 8 #define XSL_SECPREF_READ_NETWORK 16 #define XSL_SECPREF_WRITE_NETWORK 32 +/* Default == disable all write access == XSL_SECPREF_WRITE_NETWORK | XSL_SECPREF_CREATE_DIRECTORY | XSL_SECPREF_WRITE_FILE */ +#define XSL_SECPREF_DEFAULT 44 typedef struct _xsl_object { zend_object std; @@ -64,6 +66,7 @@ php_libxml_node_object *doc; char *profiling; long securityPrefs; + int securityPrefsSet; } xsl_object; void php_xsl_set_object(zval *wrapper, void *obj TSRMLS_DC); Added: php/php-src/branches/PHP_5_4/ext/xsl/tests/bug54446_with_ini.phpt =================================================================== --- php/php-src/branches/PHP_5_4/ext/xsl/tests/bug54446_with_ini.phpt (rev 0) +++ php/php-src/branches/PHP_5_4/ext/xsl/tests/bug54446_with_ini.phpt 2011-10-10 07:59:19 UTC (rev 317953) @@ -0,0 +1,135 @@ +--TEST-- +Bug #54446 (Arbitrary file creation via libxslt 'output' extension with php.ini setting) +--SKIPIF-- +<?php +if (!extension_loaded('xsl')) die("skip Extension XSL is required\n"); +?> +--FILE-- +<?php +include("prepare.inc"); + +$outputfile = dirname(__FILE__)."/bug54446test.txt"; +if (file_exists($outputfile)) { + unlink($outputfile); +} + +$sXsl = <<<EOT +<xsl:stylesheet version="1.0" + xmlns:xsl="http://www.w3.org/1999/XSL/Transform" + xmlns:sax="http://icl.com/saxon" + extension-element-prefixes="sax"> + + <xsl:template match="/"> + <sax:output href="$outputfile" method="text"> + <xsl:value-of select="'0wn3d via PHP and libxslt ...'"/> + </sax:output> + </xsl:template> + +</xsl:stylesheet> +EOT; + +$xsl->loadXML( $sXsl ); + +# START XSLT +$proc->importStylesheet( $xsl ); + +# TRASNFORM & PRINT +print $proc->transformToXML( $dom ); + + +if (file_exists($outputfile)) { + print "$outputfile exists, but shouldn't!\n"; +} else { + print "OK, no file created\n"; +} + +#SET NO SECURITY PREFS +ini_set("xsl.security_prefs", XSL_SECPREF_NONE); + +# TRASNFORM & PRINT +print $proc->transformToXML( $dom ); + + +if (file_exists($outputfile)) { + print "OK, file exists\n"; +} else { + print "$outputfile doesn't exist, but should!\n"; +} + +unlink($outputfile); + +#SET SECURITY PREFS AGAIN +ini_set("xsl.security_prefs", XSL_SECPREF_WRITE_FILE | XSL_SECPREF_WRITE_NETWORK | XSL_SECPREF_CREATE_DIRECTORY); + +# TRASNFORM & PRINT +print $proc->transformToXML( $dom ); + +if (file_exists($outputfile)) { + print "$outputfile exists, but shouldn't!\n"; +} else { + print "OK, no file created\n"; +} + +#SET NO SECURITY PREFS with ini, but set them with ->setSecurityPrefs +ini_set("xsl.security_prefs", XSL_SECPREF_NONE); +$proc->setSecurityPrefs( XSL_SECPREF_WRITE_FILE | XSL_SECPREF_WRITE_NETWORK | XSL_SECPREF_CREATE_DIRECTORY); + +print $proc->transformToXML( $dom ); +if (file_exists($outputfile)) { + print "$outputfile exists, but shouldn't!\n"; +} else { + print "OK, no file created\n"; +} + +#don't throw a warning if both ini and through-the-method have the same value +$proc->setSecurityPrefs(XSL_SECPREF_NONE); + +print $proc->transformToXML( $dom ); + +if (file_exists($outputfile)) { + print "OK, file exists\n"; +} else { + print "$outputfile doesn't exist, but should!\n"; +} +unlink($outputfile); + + + +--EXPECTF-- +Warning: XSLTProcessor::transformToXml(): runtime error: file %s line %s element output in %s on line %d + +Warning: XSLTProcessor::transformToXml(): File write for %s/bug54446test.txt refused in %s on line %s + +Warning: XSLTProcessor::transformToXml(): runtime error: file %s line %d element output in %s on line %d + +Warning: XSLTProcessor::transformToXml(): xsltDocumentElem: write rights for %s/bug54446test.txt denied in %s on line %d +OK, no file created + +Deprecated: XSLTProcessor::transformToXml(): The xsl.security_prefs php.ini option is deprecated; use XsltProcessor->setSecurityPrefs() instead in %s on line %d +OK, file exists + +Warning: XSLTProcessor::transformToXml(): runtime error: file %s line %s element output in %s on line %d + +Warning: XSLTProcessor::transformToXml(): File write for %s/bug54446test.txt refused in %s on line %s + +Warning: XSLTProcessor::transformToXml(): runtime error: file %s line %d element output in %s on line %d + +Warning: XSLTProcessor::transformToXml(): xsltDocumentElem: write rights for %s/bug54446test.txt denied in %s on line %d +OK, no file created + +Deprecated: XSLTProcessor::transformToXml(): The xsl.security_prefs php.ini option is deprecated; use XsltProcessor->setSecurityPrefs() instead in %s on line %d + +Notice: XSLTProcessor::transformToXml(): The xsl.security_prefs php.ini was not used, since the XsltProcessor->setSecurityPrefs() method was used in %s on line %d + +Warning: XSLTProcessor::transformToXml(): runtime error: file %s line %s element output in %s on line %d + +Warning: XSLTProcessor::transformToXml(): File write for %s/bug54446test.txt refused in %s on line %s + +Warning: XSLTProcessor::transformToXml(): runtime error: file %s line %d element output in %s on line %d + +Warning: XSLTProcessor::transformToXml(): xsltDocumentElem: write rights for %s/bug54446test.txt denied in %s on line %d +OK, no file created +OK, file exists +--CREDITS-- +Christian Stocker, chr...@php.net + Modified: php/php-src/branches/PHP_5_4/ext/xsl/xsltprocessor.c =================================================================== --- php/php-src/branches/PHP_5_4/ext/xsl/xsltprocessor.c 2011-10-10 05:33:29 UTC (rev 317952) +++ php/php-src/branches/PHP_5_4/ext/xsl/xsltprocessor.c 2011-10-10 07:59:19 UTC (rev 317953) @@ -487,6 +487,7 @@ zend_object_handlers *std_hnd; FILE *f; int secPrefsError = 0; + int secPrefsValue, secPrefsIni; xsltSecurityPrefsPtr secPrefs = NULL; node = php_libxml_import_node(docp TSRMLS_CC); @@ -544,31 +545,49 @@ } efree(member); + secPrefsValue = intern->securityPrefs; - //if securityPrefs is set to NONE, we don't have to do any checks, but otherwise... - if (intern->securityPrefs != XSL_SECPREF_NONE) { + /* This whole if block can be removed, when we remove the xsl.security_prefs php.ini option in PHP 6+ */ + secPrefsIni= INI_INT("xsl.security_prefs"); + /* if secPrefsIni has the same value as secPrefsValue, all is fine */ + if (secPrefsIni != secPrefsValue) { + if (secPrefsIni != XSL_SECPREF_DEFAULT) { + /* if the ini value is not set to the default, throw an E_DEPRECATED warning */ + php_error_docref(NULL TSRMLS_CC, E_DEPRECATED, "The xsl.security_prefs php.ini option is deprecated; use XsltProcessor->setSecurityPrefs() instead"); + if (intern->securityPrefsSet == 0) { + /* if securityPrefs were not set through the setSecurityPrefs method, take the ini setting */ + secPrefsValue = secPrefsIni; + } else { + /* else throw a notice, that the ini setting was not used */ + php_error_docref(NULL TSRMLS_CC, E_NOTICE, "The xsl.security_prefs php.ini was not used, since the XsltProcessor->setSecurityPrefs() method was used"); + } + } + } + + /* if securityPrefs is set to NONE, we don't have to do any checks, but otherwise... */ + if (secPrefsValue != XSL_SECPREF_NONE) { secPrefs = xsltNewSecurityPrefs(); - if (intern->securityPrefs & XSL_SECPREF_READ_FILE ) { + if (secPrefsValue & XSL_SECPREF_READ_FILE ) { if (0 != xsltSetSecurityPrefs(secPrefs, XSLT_SECPREF_READ_FILE, xsltSecurityForbid)) { secPrefsError = 1; } } - if (intern->securityPrefs & XSL_SECPREF_WRITE_FILE ) { + if (secPrefsValue & XSL_SECPREF_WRITE_FILE ) { if (0 != xsltSetSecurityPrefs(secPrefs, XSLT_SECPREF_WRITE_FILE, xsltSecurityForbid)) { secPrefsError = 1; } } - if (intern->securityPrefs & XSL_SECPREF_CREATE_DIRECTORY ) { + if (secPrefsValue & XSL_SECPREF_CREATE_DIRECTORY ) { if (0 != xsltSetSecurityPrefs(secPrefs, XSLT_SECPREF_CREATE_DIRECTORY, xsltSecurityForbid)) { secPrefsError = 1; } } - if (intern->securityPrefs & XSL_SECPREF_READ_NETWORK) { + if (secPrefsValue & XSL_SECPREF_READ_NETWORK) { if (0 != xsltSetSecurityPrefs(secPrefs, XSLT_SECPREF_READ_NETWORK, xsltSecurityForbid)) { secPrefsError = 1; } } - if (intern->securityPrefs & XSL_SECPREF_WRITE_NETWORK) { + if (secPrefsValue & XSL_SECPREF_WRITE_NETWORK) { if (0 != xsltSetSecurityPrefs(secPrefs, XSLT_SECPREF_WRITE_NETWORK, xsltSecurityForbid)) { secPrefsError = 1; } @@ -927,6 +946,8 @@ intern = (xsl_object *)zend_object_store_get_object(id TSRMLS_CC); oldSecurityPrefs = intern->securityPrefs; intern->securityPrefs = securityPrefs; + /* set this to 1 so that we know, it was set through this method. Can be removed, when we remove the ini setting */ + intern->securityPrefsSet = 1; RETURN_LONG(oldSecurityPrefs); } /* }}} end xsl_xsltprocessor_set_security_prefs */ Modified: php/php-src/trunk/ext/xsl/php_xsl.c =================================================================== --- php/php-src/trunk/ext/xsl/php_xsl.c 2011-10-10 05:33:29 UTC (rev 317952) +++ php/php-src/trunk/ext/xsl/php_xsl.c 2011-10-10 07:59:19 UTC (rev 317953) @@ -126,7 +126,8 @@ intern->node_list = NULL; intern->doc = NULL; intern->profiling = NULL; - intern->securityPrefs = XSL_SECPREF_WRITE_FILE | XSL_SECPREF_WRITE_NETWORK | XSL_SECPREF_CREATE_DIRECTORY; + intern->securityPrefs = XSL_SECPREF_DEFAULT; + intern->securityPrefsSet = 0; zend_object_std_init(&intern->std, class_type TSRMLS_CC); object_properties_init(&intern->std, class_type); @@ -141,6 +142,13 @@ } /* }}} */ +PHP_INI_BEGIN() +/* Default is not allowing any write operations. + XSL_SECPREF_CREATE_DIRECTORY | XSL_SECPREF_WRITE_NETWORK | XSL_SECPREF_WRITE_FILE == 44 +*/ +PHP_INI_ENTRY("xsl.security_prefs", "44", PHP_INI_ALL, NULL) +PHP_INI_END() + /* {{{ PHP_MINIT_FUNCTION */ PHP_MINIT_FUNCTION(xsl) @@ -173,6 +181,7 @@ REGISTER_LONG_CONSTANT("XSL_SECPREF_CREATE_DIRECTORY", XSL_SECPREF_CREATE_DIRECTORY, CONST_CS | CONST_PERSISTENT); REGISTER_LONG_CONSTANT("XSL_SECPREF_READ_NETWORK", XSL_SECPREF_READ_NETWORK, CONST_CS | CONST_PERSISTENT); REGISTER_LONG_CONSTANT("XSL_SECPREF_WRITE_NETWORK", XSL_SECPREF_WRITE_NETWORK, CONST_CS | CONST_PERSISTENT); + REGISTER_LONG_CONSTANT("XSL_SECPREF_DEFAULT", XSL_SECPREF_DEFAULT, CONST_CS | CONST_PERSISTENT); REGISTER_LONG_CONSTANT("LIBXSLT_VERSION", LIBXSLT_VERSION, CONST_CS | CONST_PERSISTENT); REGISTER_STRING_CONSTANT("LIBXSLT_DOTTED_VERSION", LIBXSLT_DOTTED_VERSION, CONST_CS | CONST_PERSISTENT); @@ -182,6 +191,8 @@ REGISTER_STRING_CONSTANT("LIBEXSLT_DOTTED_VERSION", LIBEXSLT_DOTTED_VERSION, CONST_CS | CONST_PERSISTENT); #endif + REGISTER_INI_ENTRIES(); + return SUCCESS; } /* }}} */ @@ -265,6 +276,8 @@ xsltCleanupGlobals(); + UNREGISTER_INI_ENTRIES(); + return SUCCESS; } /* }}} */ Modified: php/php-src/trunk/ext/xsl/php_xsl.h =================================================================== --- php/php-src/trunk/ext/xsl/php_xsl.h 2011-10-10 05:33:29 UTC (rev 317952) +++ php/php-src/trunk/ext/xsl/php_xsl.h 2011-10-10 07:59:19 UTC (rev 317953) @@ -50,6 +50,8 @@ #define XSL_SECPREF_CREATE_DIRECTORY 8 #define XSL_SECPREF_READ_NETWORK 16 #define XSL_SECPREF_WRITE_NETWORK 32 +/* Default == disable all write access == XSL_SECPREF_WRITE_NETWORK | XSL_SECPREF_CREATE_DIRECTORY | XSL_SECPREF_WRITE_FILE */ +#define XSL_SECPREF_DEFAULT 44 typedef struct _xsl_object { zend_object std; @@ -64,6 +66,7 @@ php_libxml_node_object *doc; char *profiling; long securityPrefs; + int securityPrefsSet; } xsl_object; void php_xsl_set_object(zval *wrapper, void *obj TSRMLS_DC); Added: php/php-src/trunk/ext/xsl/tests/bug54446_with_ini.phpt =================================================================== --- php/php-src/trunk/ext/xsl/tests/bug54446_with_ini.phpt (rev 0) +++ php/php-src/trunk/ext/xsl/tests/bug54446_with_ini.phpt 2011-10-10 07:59:19 UTC (rev 317953) @@ -0,0 +1,135 @@ +--TEST-- +Bug #54446 (Arbitrary file creation via libxslt 'output' extension with php.ini setting) +--SKIPIF-- +<?php +if (!extension_loaded('xsl')) die("skip Extension XSL is required\n"); +?> +--FILE-- +<?php +include("prepare.inc"); + +$outputfile = dirname(__FILE__)."/bug54446test.txt"; +if (file_exists($outputfile)) { + unlink($outputfile); +} + +$sXsl = <<<EOT +<xsl:stylesheet version="1.0" + xmlns:xsl="http://www.w3.org/1999/XSL/Transform" + xmlns:sax="http://icl.com/saxon" + extension-element-prefixes="sax"> + + <xsl:template match="/"> + <sax:output href="$outputfile" method="text"> + <xsl:value-of select="'0wn3d via PHP and libxslt ...'"/> + </sax:output> + </xsl:template> + +</xsl:stylesheet> +EOT; + +$xsl->loadXML( $sXsl ); + +# START XSLT +$proc->importStylesheet( $xsl ); + +# TRASNFORM & PRINT +print $proc->transformToXML( $dom ); + + +if (file_exists($outputfile)) { + print "$outputfile exists, but shouldn't!\n"; +} else { + print "OK, no file created\n"; +} + +#SET NO SECURITY PREFS +ini_set("xsl.security_prefs", XSL_SECPREF_NONE); + +# TRASNFORM & PRINT +print $proc->transformToXML( $dom ); + + +if (file_exists($outputfile)) { + print "OK, file exists\n"; +} else { + print "$outputfile doesn't exist, but should!\n"; +} + +unlink($outputfile); + +#SET SECURITY PREFS AGAIN +ini_set("xsl.security_prefs", XSL_SECPREF_WRITE_FILE | XSL_SECPREF_WRITE_NETWORK | XSL_SECPREF_CREATE_DIRECTORY); + +# TRASNFORM & PRINT +print $proc->transformToXML( $dom ); + +if (file_exists($outputfile)) { + print "$outputfile exists, but shouldn't!\n"; +} else { + print "OK, no file created\n"; +} + +#SET NO SECURITY PREFS with ini, but set them with ->setSecurityPrefs +ini_set("xsl.security_prefs", XSL_SECPREF_NONE); +$proc->setSecurityPrefs( XSL_SECPREF_WRITE_FILE | XSL_SECPREF_WRITE_NETWORK | XSL_SECPREF_CREATE_DIRECTORY); + +print $proc->transformToXML( $dom ); +if (file_exists($outputfile)) { + print "$outputfile exists, but shouldn't!\n"; +} else { + print "OK, no file created\n"; +} + +#don't throw a warning if both ini and through-the-method have the same value +$proc->setSecurityPrefs(XSL_SECPREF_NONE); + +print $proc->transformToXML( $dom ); + +if (file_exists($outputfile)) { + print "OK, file exists\n"; +} else { + print "$outputfile doesn't exist, but should!\n"; +} +unlink($outputfile); + + + +--EXPECTF-- +Warning: XSLTProcessor::transformToXml(): runtime error: file %s line %s element output in %s on line %d + +Warning: XSLTProcessor::transformToXml(): File write for %s/bug54446test.txt refused in %s on line %s + +Warning: XSLTProcessor::transformToXml(): runtime error: file %s line %d element output in %s on line %d + +Warning: XSLTProcessor::transformToXml(): xsltDocumentElem: write rights for %s/bug54446test.txt denied in %s on line %d +OK, no file created + +Deprecated: XSLTProcessor::transformToXml(): The xsl.security_prefs php.ini option is deprecated; use XsltProcessor->setSecurityPrefs() instead in %s on line %d +OK, file exists + +Warning: XSLTProcessor::transformToXml(): runtime error: file %s line %s element output in %s on line %d + +Warning: XSLTProcessor::transformToXml(): File write for %s/bug54446test.txt refused in %s on line %s + +Warning: XSLTProcessor::transformToXml(): runtime error: file %s line %d element output in %s on line %d + +Warning: XSLTProcessor::transformToXml(): xsltDocumentElem: write rights for %s/bug54446test.txt denied in %s on line %d +OK, no file created + +Deprecated: XSLTProcessor::transformToXml(): The xsl.security_prefs php.ini option is deprecated; use XsltProcessor->setSecurityPrefs() instead in %s on line %d + +Notice: XSLTProcessor::transformToXml(): The xsl.security_prefs php.ini was not used, since the XsltProcessor->setSecurityPrefs() method was used in %s on line %d + +Warning: XSLTProcessor::transformToXml(): runtime error: file %s line %s element output in %s on line %d + +Warning: XSLTProcessor::transformToXml(): File write for %s/bug54446test.txt refused in %s on line %s + +Warning: XSLTProcessor::transformToXml(): runtime error: file %s line %d element output in %s on line %d + +Warning: XSLTProcessor::transformToXml(): xsltDocumentElem: write rights for %s/bug54446test.txt denied in %s on line %d +OK, no file created +OK, file exists +--CREDITS-- +Christian Stocker, chr...@php.net + Modified: php/php-src/trunk/ext/xsl/xsltprocessor.c =================================================================== --- php/php-src/trunk/ext/xsl/xsltprocessor.c 2011-10-10 05:33:29 UTC (rev 317952) +++ php/php-src/trunk/ext/xsl/xsltprocessor.c 2011-10-10 07:59:19 UTC (rev 317953) @@ -487,6 +487,7 @@ zend_object_handlers *std_hnd; FILE *f; int secPrefsError = 0; + int secPrefsValue, secPrefsIni; xsltSecurityPrefsPtr secPrefs = NULL; node = php_libxml_import_node(docp TSRMLS_CC); @@ -544,31 +545,49 @@ } efree(member); + secPrefsValue = intern->securityPrefs; - //if securityPrefs is set to NONE, we don't have to do any checks, but otherwise... - if (intern->securityPrefs != XSL_SECPREF_NONE) { + /* This whole if block can be removed, when we remove the xsl.security_prefs php.ini option in PHP 6+ */ + secPrefsIni= INI_INT("xsl.security_prefs"); + /* if secPrefsIni has the same value as secPrefsValue, all is fine */ + if (secPrefsIni != secPrefsValue) { + if (secPrefsIni != XSL_SECPREF_DEFAULT) { + /* if the ini value is not set to the default, throw an E_DEPRECATED warning */ + php_error_docref(NULL TSRMLS_CC, E_DEPRECATED, "The xsl.security_prefs php.ini option is deprecated; use XsltProcessor->setSecurityPrefs() instead"); + if (intern->securityPrefsSet == 0) { + /* if securityPrefs were not set through the setSecurityPrefs method, take the ini setting */ + secPrefsValue = secPrefsIni; + } else { + /* else throw a notice, that the ini setting was not used */ + php_error_docref(NULL TSRMLS_CC, E_NOTICE, "The xsl.security_prefs php.ini was not used, since the XsltProcessor->setSecurityPrefs() method was used"); + } + } + } + + /* if securityPrefs is set to NONE, we don't have to do any checks, but otherwise... */ + if (secPrefsValue != XSL_SECPREF_NONE) { secPrefs = xsltNewSecurityPrefs(); - if (intern->securityPrefs & XSL_SECPREF_READ_FILE ) { + if (secPrefsValue & XSL_SECPREF_READ_FILE ) { if (0 != xsltSetSecurityPrefs(secPrefs, XSLT_SECPREF_READ_FILE, xsltSecurityForbid)) { secPrefsError = 1; } } - if (intern->securityPrefs & XSL_SECPREF_WRITE_FILE ) { + if (secPrefsValue & XSL_SECPREF_WRITE_FILE ) { if (0 != xsltSetSecurityPrefs(secPrefs, XSLT_SECPREF_WRITE_FILE, xsltSecurityForbid)) { secPrefsError = 1; } } - if (intern->securityPrefs & XSL_SECPREF_CREATE_DIRECTORY ) { + if (secPrefsValue & XSL_SECPREF_CREATE_DIRECTORY ) { if (0 != xsltSetSecurityPrefs(secPrefs, XSLT_SECPREF_CREATE_DIRECTORY, xsltSecurityForbid)) { secPrefsError = 1; } } - if (intern->securityPrefs & XSL_SECPREF_READ_NETWORK) { + if (secPrefsValue & XSL_SECPREF_READ_NETWORK) { if (0 != xsltSetSecurityPrefs(secPrefs, XSLT_SECPREF_READ_NETWORK, xsltSecurityForbid)) { secPrefsError = 1; } } - if (intern->securityPrefs & XSL_SECPREF_WRITE_NETWORK) { + if (secPrefsValue & XSL_SECPREF_WRITE_NETWORK) { if (0 != xsltSetSecurityPrefs(secPrefs, XSLT_SECPREF_WRITE_NETWORK, xsltSecurityForbid)) { secPrefsError = 1; } @@ -927,6 +946,8 @@ intern = (xsl_object *)zend_object_store_get_object(id TSRMLS_CC); oldSecurityPrefs = intern->securityPrefs; intern->securityPrefs = securityPrefs; + /* set this to 1 so that we know, it was set through this method. Can be removed, when we remove the ini setting */ + intern->securityPrefsSet = 1; RETURN_LONG(oldSecurityPrefs); } /* }}} end xsl_xsltprocessor_set_security_prefs */
-- PHP CVS Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php