
Annotation of /rpms/php/sme8/php-5.3.3-CVE-2012-0057.patch



Revision 1.1.2.1 - (hide annotations) (download)
Fri Jun 29 14:45:08 2012 UTC (12 years, 5 months ago) by slords
Branch: redhat-upstream
CVS Tags: php-5_3_3-13_el5_9_1, php-5_3_3-13_el6
Changes since 1.1: +397 -0 lines
Upstream import

1 slords 1.1.2.1
2     https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-0057
3    
4     http://git.php.net/?p=php-src.git;a=commitdiff;h=b2287a42a0dfd8fe392051d8f25531051cd86322
5     http://git.php.net/?p=php-src.git;a=commitdiff;h=192511f75d915c723384da17b6ca265971727132
6     http://git.php.net/?p=php-src.git;a=commitdiff;h=c9b5d92821db7335632f8578871e2b75ac018f2a
7     http://git.php.net/?p=php-src.git;a=commitdiff;h=777a29fce22a741fedb69c83c3e7c2129372ee0e
8    
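--- php-5.3.3/ext/xsl/php_xsl.c.cve0057
+++ php-5.3.3/ext/xsl/php_xsl.c
@@ -141,6 +141,13 @@ zend_object_value xsl_objects_new(zend_c
 }
 /* }}} */
 
+PHP_INI_BEGIN()
+/* Default is not allowing any write operations.
+ XSL_SECPREF_CREATE_DIRECTORY | XSL_SECPREF_WRITE_NETWORK | XSL_SECPREF_WRITE_FILE == 44
+*/
+PHP_INI_ENTRY("xsl.security_prefs", "44", PHP_INI_ALL, NULL)
+PHP_INI_END()
+
 /* {{{ PHP_MINIT_FUNCTION
 */
 PHP_MINIT_FUNCTION(xsl)
@@ -167,6 +174,14 @@ PHP_MINIT_FUNCTION(xsl)
 REGISTER_LONG_CONSTANT("XSL_CLONE_NEVER", -1, CONST_CS | CONST_PERSISTENT);
 REGISTER_LONG_CONSTANT("XSL_CLONE_ALWAYS", 1, CONST_CS | CONST_PERSISTENT);
 
+ REGISTER_LONG_CONSTANT("XSL_SECPREF_NONE", XSL_SECPREF_NONE, CONST_CS | CONST_PERSISTENT);
+ REGISTER_LONG_CONSTANT("XSL_SECPREF_READ_FILE", XSL_SECPREF_READ_FILE, CONST_CS | CONST_PERSISTENT);
+ REGISTER_LONG_CONSTANT("XSL_SECPREF_WRITE_FILE", XSL_SECPREF_WRITE_FILE, CONST_CS | CONST_PERSISTENT);
+ REGISTER_LONG_CONSTANT("XSL_SECPREF_CREATE_DIRECTORY", XSL_SECPREF_CREATE_DIRECTORY, CONST_CS | CONST_PERSISTENT);
+ REGISTER_LONG_CONSTANT("XSL_SECPREF_READ_NETWORK", XSL_SECPREF_READ_NETWORK, CONST_CS | CONST_PERSISTENT);
+ REGISTER_LONG_CONSTANT("XSL_SECPREF_WRITE_NETWORK", XSL_SECPREF_WRITE_NETWORK, CONST_CS | CONST_PERSISTENT);
+ REGISTER_LONG_CONSTANT("XSL_SECPREF_DEFAULT", XSL_SECPREF_DEFAULT, CONST_CS | CONST_PERSISTENT);
+
 REGISTER_LONG_CONSTANT("LIBXSLT_VERSION", LIBXSLT_VERSION, CONST_CS | CONST_PERSISTENT);
 REGISTER_STRING_CONSTANT("LIBXSLT_DOTTED_VERSION", LIBXSLT_DOTTED_VERSION, CONST_CS | CONST_PERSISTENT);
 
@@ -175,6 +190,8 @@ PHP_MINIT_FUNCTION(xsl)
 REGISTER_STRING_CONSTANT("LIBEXSLT_DOTTED_VERSION", LIBEXSLT_DOTTED_VERSION, CONST_CS | CONST_PERSISTENT);
 #endif
 
+ REGISTER_INI_ENTRIES();
+
 return SUCCESS;
 }
 /* }}} */
@@ -258,6 +275,8 @@ PHP_MSHUTDOWN_FUNCTION(xsl)
 
 xsltCleanupGlobals();
 
+ UNREGISTER_INI_ENTRIES();
+
 return SUCCESS;
 }
 /* }}} */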
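Review bot: The `xsl.security_prefs` entry is registered with `PHP_INI_ALL` and a NULL update handler, so any script can change it at run time with `ini_set()` (the accompanying tests do exactly that) and any integer, including bits with no defined meaning, is accepted. The new default is therefore a safety net for trusted code that processes untrusted stylesheets, not a limit an administrator can enforce. If enforcement is intended, the entry would need `PHP_INI_SYSTEM` or a validating handler, and the comment above it should say which behaviour is meant. The default is also written as the string literal "44" here while php_xsl.h defines `XSL_SECPREF_DEFAULT` separately; a comment such as `/* keep in sync with XSL_SECPREF_DEFAULT in php_xsl.h */` would stop the two drifting. PHP_MINIT_FUNCTION and PHP_MSHUTDOWN_FUNCTION both extend beyond the hunks shown.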
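--- php-5.3.3/ext/xsl/php_xsl.h.cve0057
+++ php-5.3.3/ext/xsl/php_xsl.h
@@ -32,6 +32,7 @@ extern zend_module_entry xsl_module_entr
 #include <libxslt/xsltInternals.h>
 #include <libxslt/xsltutils.h>
 #include <libxslt/transform.h>
+#include <libxslt/security.h>
 #if HAVE_XSL_EXSLT
 #include <libexslt/exslt.h>
 #include <libexslt/exsltconfig.h>
@@ -43,6 +44,15 @@ extern zend_module_entry xsl_module_entr
 #include <libxslt/extensions.h>
 #include <libxml/xpathInternals.h>
 
+#define XSL_SECPREF_NONE 0
+#define XSL_SECPREF_READ_FILE 2
+#define XSL_SECPREF_WRITE_FILE 4
+#define XSL_SECPREF_CREATE_DIRECTORY 8
+#define XSL_SECPREF_READ_NETWORK 16
+#define XSL_SECPREF_WRITE_NETWORK 32
+/* Default == disable all write access == XSL_SECPREF_WRITE_NETWORK | XSL_SECPREF_CREATE_DIRECTORY | XSL_SECPREF_WRITE_FILE */
+#define XSL_SECPREF_DEFAULT 44
+
 typedef struct _xsl_object {
 zend_object std;
 void *ptr;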
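Review bot: `XSL_SECPREF_DEFAULT` is defined as the bare literal 44 with the flag combination only in a comment, so a later change to any flag value would silently change what the default forbids. Building it from the named flags keeps it self-checking: `#define XSL_SECPREF_DEFAULT (XSL_SECPREF_WRITE_FILE | XSL_SECPREF_CREATE_DIRECTORY | XSL_SECPREF_WRITE_NETWORK)`. The comment should also state that the default leaves `XSL_SECPREF_READ_FILE` and `XSL_SECPREF_READ_NETWORK` unset, so read access from a stylesheet stays permitted unless the operator adds those bits (62 sets all five). The `_xsl_object` struct that follows continues past the end of the hunk.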
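--- php-5.3.3/ext/xsl/tests/bug54446.phpt.cve0057
+++ php-5.3.3/ext/xsl/tests/bug54446.phpt
@@ -0,0 +1,95 @@
+--TEST--
+Bug #54446 (Arbitrary file creation via libxslt 'output' extension)
+--SKIPIF--
+<?php
+if (!extension_loaded('xsl')) die("skip Extension XSL is required\n");
+?>
+--FILE--
+<?php
+include("prepare.inc");
+
+$outputfile = dirname(__FILE__)."/bug54446test.txt";
+if (file_exists($outputfile)) {
+ unlink($outputfile);
+}
+
+$sXsl = <<<EOT
+<xsl:stylesheet version="1.0"
+ xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+ xmlns:sax="http://icl.com/saxon"
+ extension-element-prefixes="sax">
+
+ <xsl:template match="/">
+ <sax:output href="$outputfile" method="text">
+ <xsl:value-of select="'0wn3d via PHP and libxslt ...'"/>
+ </sax:output>
+ </xsl:template>
+
+</xsl:stylesheet>
+EOT;
+
+$xsl->loadXML( $sXsl );
+
+# START XSLT
+$proc->importStylesheet( $xsl );
+
+# TRASNFORM & PRINT
+print $proc->transformToXML( $dom );
+
+
+if (file_exists($outputfile)) {
+ print "$outputfile exists, but shouldn't!\n";
+} else {
+ print "OK, no file created\n";
+}
+
+#SET NO SECURITY PREFS
+ini_set("xsl.security_prefs", XSL_SECPREF_NONE);
+
+# TRASNFORM & PRINT
+print $proc->transformToXML( $dom );
+
+
+if (file_exists($outputfile)) {
+ print "OK, file exists\n";
+} else {
+ print "$outputfile doesn't exist, but should!\n";
+}
+
+unlink($outputfile);
+
+#SET SECURITY PREFS AGAIN
+ini_set("xsl.security_prefs", XSL_SECPREF_WRITE_FILE | XSL_SECPREF_WRITE_NETWORK | XSL_SECPREF_CREATE_DIRECTORY);
+
+# TRASNFORM & PRINT
+print $proc->transformToXML( $dom );
+
+if (file_exists($outputfile)) {
+ print "$outputfile exists, but shouldn't!\n";
+} else {
+ print "OK, no file created\n";
+}
+
+
+--EXPECTF--
+Warning: XSLTProcessor::transformToXml(): runtime error: file %s line %s element output in %s on line %d
+
+Warning: XSLTProcessor::transformToXml(): File write for %s/bug54446test.txt refused in %s on line %s
+
+Warning: XSLTProcessor::transformToXml(): runtime error: file %s line %d element output in %s on line %d
+
+Warning: XSLTProcessor::transformToXml(): xsltDocumentElem: write rights for %s/bug54446test.txt denied in %s on line %d
+OK, no file created
+OK, file exists
+
+Warning: XSLTProcessor::transformToXml(): runtime error: file %s line %s element output in %s on line %d
+
+Warning: XSLTProcessor::transformToXml(): File write for %s/bug54446test.txt refused in %s on line %s
+
+Warning: XSLTProcessor::transformToXml(): runtime error: file %s line %d element output in %s on line %d
+
+Warning: XSLTProcessor::transformToXml(): xsltDocumentElem: write rights for %s/bug54446test.txt denied in %s on line %d
+OK, no file created
+--CREDITS--
+Christian Stocker, chregu@php.net
+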
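Review bot: This test and bug54446_with_ini.phpt in the next section appear identical apart from the `--TEST--` title, so the second file never exercises a value supplied through php.ini despite its name. Giving it an `--INI--` section (for example `xsl.security_prefs=44`) would make it cover the configured path rather than repeat the compiled-in default. Both files check only the file-write flag; nothing covers the read flags or the branch in xsltprocessor.c that refuses the transformation when the preferences cannot be applied. The `unlink($outputfile);` after the second transform also runs unconditionally, so a missing file adds an unrelated warning to the output; guarding it with `file_exists()` as the opening lines do would keep failures readable.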
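--- php-5.3.3/ext/xsl/tests/bug54446_with_ini.phpt.cve0057
+++ php-5.3.3/ext/xsl/tests/bug54446_with_ini.phpt
@@ -0,0 +1,95 @@
+--TEST--
+Bug #54446 (Arbitrary file creation via libxslt 'output' extension with php.ini setting)
+--SKIPIF--
+<?php
+if (!extension_loaded('xsl')) die("skip Extension XSL is required\n");
+?>
+--FILE--
+<?php
+include("prepare.inc");
+
+$outputfile = dirname(__FILE__)."/bug54446test.txt";
+if (file_exists($outputfile)) {
+ unlink($outputfile);
+}
+
+$sXsl = <<<EOT
+<xsl:stylesheet version="1.0"
+ xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+ xmlns:sax="http://icl.com/saxon"
+ extension-element-prefixes="sax">
+
+ <xsl:template match="/">
+ <sax:output href="$outputfile" method="text">
+ <xsl:value-of select="'0wn3d via PHP and libxslt ...'"/>
+ </sax:output>
+ </xsl:template>
+
+</xsl:stylesheet>
+EOT;
+
+$xsl->loadXML( $sXsl );
+
+# START XSLT
+$proc->importStylesheet( $xsl );
+
+# TRASNFORM & PRINT
+print $proc->transformToXML( $dom );
+
+
+if (file_exists($outputfile)) {
+ print "$outputfile exists, but shouldn't!\n";
+} else {
+ print "OK, no file created\n";
+}
+
+#SET NO SECURITY PREFS
+ini_set("xsl.security_prefs", XSL_SECPREF_NONE);
+
+# TRASNFORM & PRINT
+print $proc->transformToXML( $dom );
+
+
+if (file_exists($outputfile)) {
+ print "OK, file exists\n";
+} else {
+ print "$outputfile doesn't exist, but should!\n";
+}
+
+unlink($outputfile);
+
+#SET SECURITY PREFS AGAIN
+ini_set("xsl.security_prefs", XSL_SECPREF_WRITE_FILE | XSL_SECPREF_WRITE_NETWORK | XSL_SECPREF_CREATE_DIRECTORY);
+
+# TRASNFORM & PRINT
+print $proc->transformToXML( $dom );
+
+if (file_exists($outputfile)) {
+ print "$outputfile exists, but shouldn't!\n";
+} else {
+ print "OK, no file created\n";
+}
+
+
+--EXPECTF--
+Warning: XSLTProcessor::transformToXml(): runtime error: file %s line %s element output in %s on line %d
+
+Warning: XSLTProcessor::transformToXml(): File write for %s/bug54446test.txt refused in %s on line %s
+
+Warning: XSLTProcessor::transformToXml(): runtime error: file %s line %d element output in %s on line %d
+
+Warning: XSLTProcessor::transformToXml(): xsltDocumentElem: write rights for %s/bug54446test.txt denied in %s on line %d
+OK, no file created
+OK, file exists
+
+Warning: XSLTProcessor::transformToXml(): runtime error: file %s line %s element output in %s on line %d
+
+Warning: XSLTProcessor::transformToXml(): File write for %s/bug54446test.txt refused in %s on line %s
+
+Warning: XSLTProcessor::transformToXml(): runtime error: file %s line %d element output in %s on line %d
+
+Warning: XSLTProcessor::transformToXml(): xsltDocumentElem: write rights for %s/bug54446test.txt denied in %s on line %d
+OK, no file created
+--CREDITS--
+Christian Stocker, chregu@php.net
+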
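--- php-5.3.3/ext/xsl/xsltprocessor.c.cve0057
+++ php-5.3.3/ext/xsl/xsltprocessor.c
@@ -475,6 +475,9 @@ static xmlDocPtr php_xsl_apply_styleshee
 zval *doXInclude, *member;
 zend_object_handlers *std_hnd;
 FILE *f;
+ int secPrefsError = 0;
+ int secPrefsValue;
+ xsltSecurityPrefsPtr secPrefs = NULL;
 
 node = php_libxml_import_node(docp TSRMLS_CC);
 
@@ -531,11 +534,56 @@ static xmlDocPtr php_xsl_apply_styleshee
 }
 efree(member);
 
- newdocp = xsltApplyStylesheetUser(style, doc, (const char**) params, NULL, f, ctxt);
+
+ secPrefsValue = INI_INT("xsl.security_prefs");
+
+ /* if securityPrefs is set to NONE, we don't have to do any checks, but otherwise... */
+ if (secPrefsValue != XSL_SECPREF_NONE) {
+ secPrefs = xsltNewSecurityPrefs();
+ if (secPrefsValue & XSL_SECPREF_READ_FILE ) {
+ if (0 != xsltSetSecurityPrefs(secPrefs, XSLT_SECPREF_READ_FILE, xsltSecurityForbid)) {
+ secPrefsError = 1;
+ }
+ }
+ if (secPrefsValue & XSL_SECPREF_WRITE_FILE ) {
+ if (0 != xsltSetSecurityPrefs(secPrefs, XSLT_SECPREF_WRITE_FILE, xsltSecurityForbid)) {
+ secPrefsError = 1;
+ }
+ }
+ if (secPrefsValue & XSL_SECPREF_CREATE_DIRECTORY ) {
+ if (0 != xsltSetSecurityPrefs(secPrefs, XSLT_SECPREF_CREATE_DIRECTORY, xsltSecurityForbid)) {
+ secPrefsError = 1;
+ }
+ }
+ if (secPrefsValue & XSL_SECPREF_READ_NETWORK) {
+ if (0 != xsltSetSecurityPrefs(secPrefs, XSLT_SECPREF_READ_NETWORK, xsltSecurityForbid)) {
+ secPrefsError = 1;
+ }
+ }
+ if (secPrefsValue & XSL_SECPREF_WRITE_NETWORK) {
+ if (0 != xsltSetSecurityPrefs(secPrefs, XSLT_SECPREF_WRITE_NETWORK, xsltSecurityForbid)) {
+ secPrefsError = 1;
+ }
+ }
+
+ if (0 != xsltSetCtxtSecurityPrefs(secPrefs, ctxt)) {
+ secPrefsError = 1;
+ }
+ }
+
+ if (secPrefsError == 1) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Can't set libxslt security properties, not doing transformation for security reasons");
+ } else {
+ newdocp = xsltApplyStylesheetUser(style, doc, (const char**) params, NULL, f, ctxt);
+ }
 if (f) {
 fclose(f);
 }
+
 xsltFreeTransformContext(ctxt);
+ if (secPrefs) {
+ xsltFreeSecurityPrefs(secPrefs);
+ }
 
 if (intern->node_list != NULL) {
 zend_hash_destroy(intern->node_list);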
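Review bot: On the refusal path (`secPrefsError == 1`) in the second hunk, `newdocp` is never assigned, and both its declaration and the function's return lie outside the hunks shown. Unless it is initialised to NULL where it is declared, the caller would receive an indeterminate pointer after the warning; adding `newdocp = NULL;` in that branch makes the fail-closed path well defined. The result of `xsltNewSecurityPrefs()` is also used unchecked, so an allocation failure is caught only indirectly, if the later libxslt calls reject a NULL preferences object. An explicit `if (secPrefs == NULL) { secPrefsError = 1; }` right after the call would state the intent. php_xsl_apply_stylesheet begins before and continues after these hunks.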
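--- php-5.3.3/php.ini-development.cve0057
+++ php-5.3.3/php.ini-development
@@ -1890,6 +1890,12 @@ ldap.max_links = -1
 [dba]
 ;dba.default_handler=
 
+[xsl]
+; Write operations from within XSLT are disabled by default.
+; XSL_SECPREF_CREATE_DIRECTORY | XSL_SECPREF_WRITE_NETWORK | XSL_SECPREF_WRITE_FILE = 44
+; Set it to 0 to allow all operations
+;xsl.security_prefs = 44
+
 ; Local Variables:
 ; tab-width: 4
 ; End: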
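--- php-5.3.3/php.ini-production.cve0057
+++ php-5.3.3/php.ini-production
@@ -1897,6 +1897,12 @@ ldap.max_links = -1
 [dba]
 ;dba.default_handler=
 
+[xsl]
+; Write operations from within XSLT are disabled by default.
+; XSL_SECPREF_CREATE_DIRECTORY | XSL_SECPREF_WRITE_NETWORK | XSL_SECPREF_WRITE_FILE = 44
+; Set it to 0 to allow all operations
+;xsl.security_prefs = 44
+
 ; Local Variables:
 ; tab-width: 4
 ; End: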
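--- php-5.3.3/UPGRADING.cve0057
+++ php-5.3.3/UPGRADING
@@ -150,6 +150,15 @@ UPGRADE NOTES - PHP 5.3
 
 - SplObjectStorage now has ArrayAccess support. It is also now possible to
 store associative information with objects in SplObjectStorage.
+
+=====================
+4.1 New in PHP 5.3.9
+=====================
+
+- Write operations within XSLT (for example with the extension sax:output) are
+ disabled by default. You can define what is forbidden with the INI option
+ xsl.security_prefs. This option will be marked as deprecated in 5.4 again.
+ Use the method XsltProcess::setSecurityPrefs($options) there.
 
 =============
 5. Deprecated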
