Re: [PHP-CVS] svn: /php/php-src/branches/PHP_5_3/ NEWS ext/xsl/php_xsl.c ext/xsl/php_xsl.h ext/xsl/xsltprocessor.c
Fixed chregu On 06.10.11 16:31, Hannes Magnusson wrote: > On Wed, Oct 5, 2011 at 11:56, Christian Stocker wrote: >> chregu Wed, 05 Oct 2011 09:56:01 + >> >> Revision: http://svn.php.net/viewvc?view=revision&revision=317759 >> >> Log: >> Added xsl.security_prefs ini option to define forbidden operations within >> XSLT >> stylesheets, default is not to enable write operations. This option won't be >> in 5.4, since there's a new method. Bug #54446 >> >> Bug: https://bugs.php.net/54446 (To be documented) Arbitrary file creation >> via libxslt 'output' extension >> >> Changed paths: >>U php/php-src/branches/PHP_5_3/NEWS >>U php/php-src/branches/PHP_5_3/ext/xsl/php_xsl.c >>U php/php-src/branches/PHP_5_3/ext/xsl/php_xsl.h >>U php/php-src/branches/PHP_5_3/ext/xsl/xsltprocessor.c >> >> Modified: php/php-src/branches/PHP_5_3/NEWS >> === >> --- php/php-src/branches/PHP_5_3/NEWS 2011-10-05 09:51:08 UTC (rev 317758) >> +++ php/php-src/branches/PHP_5_3/NEWS 2011-10-05 09:56:01 UTC (rev 317759) >> @@ -90,7 +90,13 @@ >> - SPL: >> . Fixed bug #55807 (Wrong value for splFileObject::SKIP_EMPTY). >> (jgotti at modedemploi dot fr, Hannes) >> + >> +- XSL: >> + . Added xsl.security_prefs ini option to define forbidden operations >> within XSLT >> +stylesheets, default is not to enable write operations. This option >> won't be >> +in 5.4, since there's a new method. Bug #54446 (Chregu, Nicolas >> Gregoire) >> >> + >> 23 Aug 2011, PHP 5.3.8 >> >> - Core: >> >> Modified: php/php-src/branches/PHP_5_3/ext/xsl/php_xsl.c >> === >> --- php/php-src/branches/PHP_5_3/ext/xsl/php_xsl.c 2011-10-05 09:51:08 >> UTC (rev 317758) >> +++ php/php-src/branches/PHP_5_3/ext/xsl/php_xsl.c 2011-10-05 09:56:01 >> UTC (rev 317759) 
>> @@ -141,6 +141,11 @@ >> } >> /* }}} */ >> >> +PHP_INI_BEGIN() >> +//XSL_SECPREF_CREATE_DIRECTORY | XSL_SECPREF_WRITE_NETWORK | >> XSL_SECPREF_WRITE_FILE == 44 >> +PHP_INI_ENTRY("xsl.security_prefs", "44", PHP_INI_ALL, NULL) >> +PHP_INI_END()
>
> // comments are not allowed :)
> And please add this option to the php.ini-* files, with similar note
> as the news entry.
>
> -Hannes

--
PHP CVS Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP-CVS] svn: /php/php-src/branches/PHP_5_3/ NEWS ext/xsl/php_xsl.c ext/xsl/php_xsl.h ext/xsl/xsltprocessor.c
On Wed, Oct 5, 2011 at 11:56, Christian Stocker wrote: > chregu Wed, 05 Oct 2011 09:56:01 + > > Revision: http://svn.php.net/viewvc?view=revision&revision=317759 > > Log: > Added xsl.security_prefs ini option to define forbidden operations within XSLT > stylesheets, default is not to enable write operations. This option won't be > in 5.4, since there's a new method. Bug #54446 > > Bug: https://bugs.php.net/54446 (To be documented) Arbitrary file creation > via libxslt 'output' extension > > Changed paths: > U php/php-src/branches/PHP_5_3/NEWS > U php/php-src/branches/PHP_5_3/ext/xsl/php_xsl.c > U php/php-src/branches/PHP_5_3/ext/xsl/php_xsl.h > U php/php-src/branches/PHP_5_3/ext/xsl/xsltprocessor.c > > Modified: php/php-src/branches/PHP_5_3/NEWS > === > --- php/php-src/branches/PHP_5_3/NEWS 2011-10-05 09:51:08 UTC (rev 317758) > +++ php/php-src/branches/PHP_5_3/NEWS 2011-10-05 09:56:01 UTC (rev 317759) > @@ -90,7 +90,13 @@ > - SPL: > . Fixed bug #55807 (Wrong value for splFileObject::SKIP_EMPTY). > (jgotti at modedemploi dot fr, Hannes) > + > +- XSL: > + . Added xsl.security_prefs ini option to define forbidden operations > within XSLT > + stylesheets, default is not to enable write operations. This option > won't be > + in 5.4, since there's a new method. Bug #54446 (Chregu, Nicolas Gregoire) > > + > 23 Aug 2011, PHP 5.3.8 > > - Core: > > Modified: php/php-src/branches/PHP_5_3/ext/xsl/php_xsl.c > === > --- php/php-src/branches/PHP_5_3/ext/xsl/php_xsl.c 2011-10-05 09:51:08 > UTC (rev 317758) > +++ php/php-src/branches/PHP_5_3/ext/xsl/php_xsl.c 2011-10-05 09:56:01 > UTC (rev 317759) 
> @@ -141,6 +141,11 @@ > } > /* }}} */ > > +PHP_INI_BEGIN() > +//XSL_SECPREF_CREATE_DIRECTORY | XSL_SECPREF_WRITE_NETWORK > | XSL_SECPREF_WRITE_FILE == 44 > +PHP_INI_ENTRY("xsl.security_prefs", "44", PHP_INI_ALL, NULL) > +PHP_INI_END()

// comments are not allowed :)
And please add this option to the php.ini-* files, with similar note as the news entry.

-Hannes

--
PHP CVS Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
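Review bot: the new XSL entry in the NEWS hunk says "default is not to enable write operations" without giving the default value or listing which operations are forbidden, and says "there's a new method" for 5.4 without naming it. Suggest stating the default (44, which the php_xsl.c hunk spells out as XSL_SECPREF_CREATE_DIRECTORY | XSL_SECPREF_WRITE_NETWORK | XSL_SECPREF_WRITE_FILE) and naming the 5.4 replacement, so someone reading NEWS alone can tell whether a stylesheet that writes files will stop working after the upgrade.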
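Review bot: on the PHP_INI_ENTRY line of the php_xsl.c hunk, xsl.security_prefs is registered as PHP_INI_ALL with a NULL modify handler, so the value can be changed at runtime from script code and is stored without any validation. Since the option exists to forbid write operations from stylesheets (Bug #54446), please confirm that runtime changeability is intended and say so in the documentation, and consider an on-modify handler that rejects values that are not a valid bitmask. The default is also the bare string "44"; the constants it stands for appear only in the comment above it, which, as already pointed out in this thread, should be a /* */ comment.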