php/sme8/php-5.3.3-CVE-2012-0057.patch


https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-0057

http://git.php.net/?p=php-src.git;a=commitdiff;h=b2287a42a0dfd8fe392051d8f25531051cd86322
http://git.php.net/?p=php-src.git;a=commitdiff;h=192511f75d915c723384da17b6ca265971727132
http://git.php.net/?p=php-src.git;a=commitdiff;h=c9b5d92821db7335632f8578871e2b75ac018f2a
http://git.php.net/?p=php-src.git;a=commitdiff;h=777a29fce22a741fedb69c83c3e7c2129372ee0e

--- php-5.3.3/ext/xsl/php_xsl.c.cve0057
+++ php-5.3.3/ext/xsl/php_xsl.c
@@ -141,6 +141,13 @@ zend_object_value xsl_objects_new(zend_c
 }
 /* }}} */
 
+PHP_INI_BEGIN()
+/* Default is not allowing any write operations. 
+   XSL_SECPREF_CREATE_DIRECTORY | XSL_SECPREF_WRITE_NETWORK | XSL_SECPREF_WRITE_FILE == 44 
+*/
+PHP_INI_ENTRY("xsl.security_prefs", "44", PHP_INI_ALL, NULL)
+PHP_INI_END()
+
 /* {{{ PHP_MINIT_FUNCTION
  */
 PHP_MINIT_FUNCTION(xsl)
@@ -167,6 +174,14 @@ PHP_MINIT_FUNCTION(xsl)
        REGISTER_LONG_CONSTANT("XSL_CLONE_NEVER",    -1,     CONST_CS | CONST_PERSISTENT);
        REGISTER_LONG_CONSTANT("XSL_CLONE_ALWAYS",    1,     CONST_CS | CONST_PERSISTENT);
 
+       REGISTER_LONG_CONSTANT("XSL_SECPREF_NONE",             XSL_SECPREF_NONE,             CONST_CS | CONST_PERSISTENT);
+       REGISTER_LONG_CONSTANT("XSL_SECPREF_READ_FILE",        XSL_SECPREF_READ_FILE,        CONST_CS | CONST_PERSISTENT);
+       REGISTER_LONG_CONSTANT("XSL_SECPREF_WRITE_FILE",       XSL_SECPREF_WRITE_FILE,       CONST_CS | CONST_PERSISTENT);
+       REGISTER_LONG_CONSTANT("XSL_SECPREF_CREATE_DIRECTORY", XSL_SECPREF_CREATE_DIRECTORY, CONST_CS | CONST_PERSISTENT);
+       REGISTER_LONG_CONSTANT("XSL_SECPREF_READ_NETWORK",     XSL_SECPREF_READ_NETWORK,     CONST_CS | CONST_PERSISTENT);
+       REGISTER_LONG_CONSTANT("XSL_SECPREF_WRITE_NETWORK",    XSL_SECPREF_WRITE_NETWORK,    CONST_CS | CONST_PERSISTENT);
+       REGISTER_LONG_CONSTANT("XSL_SECPREF_DEFAULT",          XSL_SECPREF_DEFAULT,          CONST_CS | CONST_PERSISTENT);
+
        REGISTER_LONG_CONSTANT("LIBXSLT_VERSION",           LIBXSLT_VERSION,            CONST_CS | CONST_PERSISTENT);
        REGISTER_STRING_CONSTANT("LIBXSLT_DOTTED_VERSION",  LIBXSLT_DOTTED_VERSION,     CONST_CS | CONST_PERSISTENT);
 
@@ -175,6 +190,8 @@ PHP_MINIT_FUNCTION(xsl)
        REGISTER_STRING_CONSTANT("LIBEXSLT_DOTTED_VERSION",  LIBEXSLT_DOTTED_VERSION,     CONST_CS | CONST_PERSISTENT);
 #endif
 
+    REGISTER_INI_ENTRIES();
+
        return SUCCESS;
 }
 /* }}} */
@@ -258,6 +275,8 @@ PHP_MSHUTDOWN_FUNCTION(xsl)
 
        xsltCleanupGlobals();
 
+       UNREGISTER_INI_ENTRIES();
+
        return SUCCESS;
 }
 /* }}} */
--- php-5.3.3/ext/xsl/php_xsl.h.cve0057
+++ php-5.3.3/ext/xsl/php_xsl.h
@@ -32,6 +32,7 @@ extern zend_module_entry xsl_module_entr
 #include <libxslt/xsltInternals.h>
 #include <libxslt/xsltutils.h>
 #include <libxslt/transform.h>
+#include <libxslt/security.h> 
 #if HAVE_XSL_EXSLT
 #include <libexslt/exslt.h>
 #include <libexslt/exsltconfig.h>
@@ -43,6 +44,15 @@ extern zend_module_entry xsl_module_entr
 #include <libxslt/extensions.h>
 #include <libxml/xpathInternals.h>
 
+#define XSL_SECPREF_NONE 0
+#define XSL_SECPREF_READ_FILE 2
+#define XSL_SECPREF_WRITE_FILE 4
+#define XSL_SECPREF_CREATE_DIRECTORY 8
+#define XSL_SECPREF_READ_NETWORK 16
+#define XSL_SECPREF_WRITE_NETWORK 32
+/* Default == disable all write access ==  XSL_SECPREF_WRITE_NETWORK | XSL_SECPREF_CREATE_DIRECTORY | XSL_SECPREF_WRITE_FILE */
+#define XSL_SECPREF_DEFAULT 44
+
 typedef struct _xsl_object {
        zend_object  std;
        void *ptr;
--- php-5.3.3/ext/xsl/tests/bug54446.phpt.cve0057
+++ php-5.3.3/ext/xsl/tests/bug54446.phpt
@@ -0,0 +1,95 @@
+--TEST--
+Bug #54446 (Arbitrary file creation via libxslt 'output' extension)
+--SKIPIF--
+<?php
+if (!extension_loaded('xsl')) die("skip Extension XSL is required\n");
+?>
+--FILE--
+<?php
+include("prepare.inc"); 
+
+$outputfile = dirname(__FILE__)."/bug54446test.txt";
+if (file_exists($outputfile)) {
+    unlink($outputfile);
+}
+
+$sXsl = <<<EOT
+<xsl:stylesheet version="1.0"
+       xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+       xmlns:sax="http://icl.com/saxon"
+       extension-element-prefixes="sax">
+
+       <xsl:template match="/">
+               <sax:output href="$outputfile" method="text">
+                       <xsl:value-of select="'0wn3d via PHP and libxslt ...'"/>
+               </sax:output>
+       </xsl:template>
+
+</xsl:stylesheet>
+EOT;
+
+$xsl->loadXML( $sXsl );
+
+# START XSLT 
+$proc->importStylesheet( $xsl ); 
+
+# TRASNFORM & PRINT 
+print $proc->transformToXML( $dom ); 
+
+
+if (file_exists($outputfile)) {
+    print "$outputfile exists, but shouldn't!\n";
+} else {
+    print "OK, no file created\n";
+}
+
+#SET NO SECURITY PREFS
+ini_set("xsl.security_prefs", XSL_SECPREF_NONE);
+
+# TRASNFORM & PRINT 
+print $proc->transformToXML( $dom ); 
+
+
+if (file_exists($outputfile)) {
+    print "OK, file exists\n";
+} else {
+    print "$outputfile doesn't exist, but should!\n";
+}
+
+unlink($outputfile);
+
+#SET SECURITY PREFS AGAIN
+ini_set("xsl.security_prefs", XSL_SECPREF_WRITE_FILE |  XSL_SECPREF_WRITE_NETWORK | XSL_SECPREF_CREATE_DIRECTORY);
+
+# TRASNFORM & PRINT 
+print $proc->transformToXML( $dom ); 
+
+if (file_exists($outputfile)) {
+    print "$outputfile exists, but shouldn't!\n";
+} else {
+    print "OK, no file created\n";
+}
+
+
+--EXPECTF--
+Warning: XSLTProcessor::transformToXml(): runtime error: file %s line %s element output in %s on line %d
+
+Warning: XSLTProcessor::transformToXml(): File write for %s/bug54446test.txt refused in %s on line %s
+
+Warning: XSLTProcessor::transformToXml(): runtime error: file %s line %d element output in %s on line %d
+
+Warning: XSLTProcessor::transformToXml(): xsltDocumentElem: write rights for %s/bug54446test.txt denied in %s on line %d
+OK, no file created
+OK, file exists
+
+Warning: XSLTProcessor::transformToXml(): runtime error: file %s line %s element output in %s on line %d
+
+Warning: XSLTProcessor::transformToXml(): File write for %s/bug54446test.txt refused in %s on line %s
+
+Warning: XSLTProcessor::transformToXml(): runtime error: file %s line %d element output in %s on line %d
+
+Warning: XSLTProcessor::transformToXml(): xsltDocumentElem: write rights for %s/bug54446test.txt denied in %s on line %d
+OK, no file created
+--CREDITS--
+Christian Stocker, chregu@php.net
+
--- php-5.3.3/ext/xsl/tests/bug54446_with_ini.phpt.cve0057
+++ php-5.3.3/ext/xsl/tests/bug54446_with_ini.phpt
@@ -0,0 +1,95 @@
+--TEST--
+Bug #54446 (Arbitrary file creation via libxslt 'output' extension with php.ini setting)
+--SKIPIF--
+<?php
+if (!extension_loaded('xsl')) die("skip Extension XSL is required\n");
+?>
+--FILE--
+<?php
+include("prepare.inc"); 
+
+$outputfile = dirname(__FILE__)."/bug54446test.txt";
+if (file_exists($outputfile)) {
+    unlink($outputfile);
+}
+
+$sXsl = <<<EOT
+<xsl:stylesheet version="1.0"
+       xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+       xmlns:sax="http://icl.com/saxon"
+       extension-element-prefixes="sax">
+
+       <xsl:template match="/">
+               <sax:output href="$outputfile" method="text">
+                       <xsl:value-of select="'0wn3d via PHP and libxslt ...'"/>
+               </sax:output>
+       </xsl:template>
+
+</xsl:stylesheet>
+EOT;
+
+$xsl->loadXML( $sXsl );
+
+# START XSLT 
+$proc->importStylesheet( $xsl ); 
+
+# TRASNFORM & PRINT 
+print $proc->transformToXML( $dom ); 
+
+
+if (file_exists($outputfile)) {
+    print "$outputfile exists, but shouldn't!\n";
+} else {
+    print "OK, no file created\n";
+}
+
+#SET NO SECURITY PREFS
+ini_set("xsl.security_prefs", XSL_SECPREF_NONE);
+
+# TRASNFORM & PRINT 
+print $proc->transformToXML( $dom ); 
+
+
+if (file_exists($outputfile)) {
+    print "OK, file exists\n";
+} else {
+    print "$outputfile doesn't exist, but should!\n";
+}
+
+unlink($outputfile);
+
+#SET SECURITY PREFS AGAIN
+ini_set("xsl.security_prefs", XSL_SECPREF_WRITE_FILE |  XSL_SECPREF_WRITE_NETWORK | XSL_SECPREF_CREATE_DIRECTORY);
+
+# TRASNFORM & PRINT 
+print $proc->transformToXML( $dom ); 
+
+if (file_exists($outputfile)) {
+    print "$outputfile exists, but shouldn't!\n";
+} else {
+    print "OK, no file created\n";
+}
+
+
+--EXPECTF--
+Warning: XSLTProcessor::transformToXml(): runtime error: file %s line %s element output in %s on line %d
+
+Warning: XSLTProcessor::transformToXml(): File write for %s/bug54446test.txt refused in %s on line %s
+
+Warning: XSLTProcessor::transformToXml(): runtime error: file %s line %d element output in %s on line %d
+
+Warning: XSLTProcessor::transformToXml(): xsltDocumentElem: write rights for %s/bug54446test.txt denied in %s on line %d
+OK, no file created
+OK, file exists
+
+Warning: XSLTProcessor::transformToXml(): runtime error: file %s line %s element output in %s on line %d
+
+Warning: XSLTProcessor::transformToXml(): File write for %s/bug54446test.txt refused in %s on line %s
+
+Warning: XSLTProcessor::transformToXml(): runtime error: file %s line %d element output in %s on line %d
+
+Warning: XSLTProcessor::transformToXml(): xsltDocumentElem: write rights for %s/bug54446test.txt denied in %s on line %d
+OK, no file created
+--CREDITS--
+Christian Stocker, chregu@php.net
+
--- php-5.3.3/ext/xsl/xsltprocessor.c.cve0057
+++ php-5.3.3/ext/xsl/xsltprocessor.c
@@ -475,6 +475,9 @@ static xmlDocPtr php_xsl_apply_styleshee
        zval *doXInclude, *member;
        zend_object_handlers *std_hnd;
        FILE *f;
+       int secPrefsError = 0;
+       int secPrefsValue;
+       xsltSecurityPrefsPtr secPrefs = NULL;
 
        node = php_libxml_import_node(docp TSRMLS_CC);
        
@@ -531,11 +534,56 @@ static xmlDocPtr php_xsl_apply_styleshee
        }
        efree(member);
 
-       newdocp = xsltApplyStylesheetUser(style, doc, (const char**) params,  NULL, f, ctxt);
+       
+       secPrefsValue = INI_INT("xsl.security_prefs");
+       
+       /* if securityPrefs is set to NONE, we don't have to do any checks, but otherwise... */
+       if (secPrefsValue != XSL_SECPREF_NONE) {
+               secPrefs = xsltNewSecurityPrefs(); 
+               if (secPrefsValue & XSL_SECPREF_READ_FILE ) { 
+                       if (0 != xsltSetSecurityPrefs(secPrefs, XSLT_SECPREF_READ_FILE, xsltSecurityForbid)) { 
+                               secPrefsError = 1;
+                       }
+               }
+               if (secPrefsValue & XSL_SECPREF_WRITE_FILE ) { 
+                       if (0 != xsltSetSecurityPrefs(secPrefs, XSLT_SECPREF_WRITE_FILE, xsltSecurityForbid)) { 
+                               secPrefsError = 1;
+                       }
+               }
+               if (secPrefsValue & XSL_SECPREF_CREATE_DIRECTORY ) { 
+                       if (0 != xsltSetSecurityPrefs(secPrefs, XSLT_SECPREF_CREATE_DIRECTORY, xsltSecurityForbid)) { 
+                               secPrefsError = 1;
+                       }
+               }
+               if (secPrefsValue & XSL_SECPREF_READ_NETWORK) { 
+                       if (0 != xsltSetSecurityPrefs(secPrefs, XSLT_SECPREF_READ_NETWORK, xsltSecurityForbid)) { 
+                               secPrefsError = 1;
+                       }
+               }
+               if (secPrefsValue & XSL_SECPREF_WRITE_NETWORK) { 
+                       if (0 != xsltSetSecurityPrefs(secPrefs, XSLT_SECPREF_WRITE_NETWORK, xsltSecurityForbid)) { 
+                               secPrefsError = 1;
+                       }
+               }
+       
+               if (0 != xsltSetCtxtSecurityPrefs(secPrefs, ctxt)) { 
+                       secPrefsError = 1;
+               }
+       }
+       
+       if (secPrefsError == 1) {
+               php_error_docref(NULL TSRMLS_CC, E_WARNING, "Can't set libxslt security properties, not doing transformation for security reasons");
+       } else {
+               newdocp = xsltApplyStylesheetUser(style, doc, (const char**) params,  NULL, f, ctxt);
+       }
        if (f) {
                fclose(f);
        }
+       
        xsltFreeTransformContext(ctxt);
+       if (secPrefs) {
+               xsltFreeSecurityPrefs(secPrefs);
+       }
 
        if (intern->node_list != NULL) {
                zend_hash_destroy(intern->node_list);
--- php-5.3.3/php.ini-development.cve0057
+++ php-5.3.3/php.ini-development
@@ -1890,6 +1890,12 @@ ldap.max_links = -1
 [dba]
 ;dba.default_handler=
 
+[xsl]
+; Write operations from within XSLT are disabled by default.
+; XSL_SECPREF_CREATE_DIRECTORY | XSL_SECPREF_WRITE_NETWORK | XSL_SECPREF_WRITE_FILE = 44
+; Set it to 0 to allow all operations
+;xsl.security_prefs = 44
+
 ; Local Variables:
 ; tab-width: 4
 ; End:
--- php-5.3.3/php.ini-production.cve0057
+++ php-5.3.3/php.ini-production
@@ -1897,6 +1897,12 @@ ldap.max_links = -1
 [dba]
 ;dba.default_handler=
 
+[xsl]
+; Write operations from within XSLT are disabled by default.
+; XSL_SECPREF_CREATE_DIRECTORY | XSL_SECPREF_WRITE_NETWORK | XSL_SECPREF_WRITE_FILE = 44
+; Set it to 0 to allow all operations
+;xsl.security_prefs = 44
+
 ; Local Variables:
 ; tab-width: 4
 ; End:
--- php-5.3.3/UPGRADING.cve0057
+++ php-5.3.3/UPGRADING
@@ -150,6 +150,15 @@ UPGRADE NOTES - PHP 5.3
 
 - SplObjectStorage now has ArrayAccess support. It is also now possible to
   store associative information with objects in SplObjectStorage.
+  
+=====================
+4.1 New in PHP 5.3.9
+=====================
+
+- Write operations within XSLT (for example with the extension sax:output) are
+  disabled by default. You can define what is forbidden with the INI option
+  xsl.security_prefs. This option will be marked as deprecated in 5.4 again. 
+  Use the method XsltProcess::setSecurityPrefs($options) there.
 
 =============
 5. Deprecated
1	slords	1.2
2			https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-0057
3
4			http://git.php.net/?p=php-src.git;a=commitdiff;h=b2287a42a0dfd8fe392051d8f25531051cd86322
5			http://git.php.net/?p=php-src.git;a=commitdiff;h=192511f75d915c723384da17b6ca265971727132
6			http://git.php.net/?p=php-src.git;a=commitdiff;h=c9b5d92821db7335632f8578871e2b75ac018f2a
7			http://git.php.net/?p=php-src.git;a=commitdiff;h=777a29fce22a741fedb69c83c3e7c2129372ee0e
8
9			--- php-5.3.3/ext/xsl/php_xsl.c.cve0057
10			+++ php-5.3.3/ext/xsl/php_xsl.c
11			@@ -141,6 +141,13 @@ zend_object_value xsl_objects_new(zend_c
12			}
13			/* }}} */
14
15			+PHP_INI_BEGIN()
16			+/* Default is not allowing any write operations.
17			+ XSL_SECPREF_CREATE_DIRECTORY \| XSL_SECPREF_WRITE_NETWORK \| XSL_SECPREF_WRITE_FILE == 44
18			+*/
19			+PHP_INI_ENTRY("xsl.security_prefs", "44", PHP_INI_ALL, NULL)
20			+PHP_INI_END()
21			+
22			/* {{{ PHP_MINIT_FUNCTION
23			*/
24			PHP_MINIT_FUNCTION(xsl)
25			@@ -167,6 +174,14 @@ PHP_MINIT_FUNCTION(xsl)
26			REGISTER_LONG_CONSTANT("XSL_CLONE_NEVER", -1, CONST_CS \| CONST_PERSISTENT);
27			REGISTER_LONG_CONSTANT("XSL_CLONE_ALWAYS", 1, CONST_CS \| CONST_PERSISTENT);
28
29			+ REGISTER_LONG_CONSTANT("XSL_SECPREF_NONE", XSL_SECPREF_NONE, CONST_CS \| CONST_PERSISTENT);
30			+ REGISTER_LONG_CONSTANT("XSL_SECPREF_READ_FILE", XSL_SECPREF_READ_FILE, CONST_CS \| CONST_PERSISTENT);
31			+ REGISTER_LONG_CONSTANT("XSL_SECPREF_WRITE_FILE", XSL_SECPREF_WRITE_FILE, CONST_CS \| CONST_PERSISTENT);
32			+ REGISTER_LONG_CONSTANT("XSL_SECPREF_CREATE_DIRECTORY", XSL_SECPREF_CREATE_DIRECTORY, CONST_CS \| CONST_PERSISTENT);
33			+ REGISTER_LONG_CONSTANT("XSL_SECPREF_READ_NETWORK", XSL_SECPREF_READ_NETWORK, CONST_CS \| CONST_PERSISTENT);
34			+ REGISTER_LONG_CONSTANT("XSL_SECPREF_WRITE_NETWORK", XSL_SECPREF_WRITE_NETWORK, CONST_CS \| CONST_PERSISTENT);
35			+ REGISTER_LONG_CONSTANT("XSL_SECPREF_DEFAULT", XSL_SECPREF_DEFAULT, CONST_CS \| CONST_PERSISTENT);
36			+
37			REGISTER_LONG_CONSTANT("LIBXSLT_VERSION", LIBXSLT_VERSION, CONST_CS \| CONST_PERSISTENT);
38			REGISTER_STRING_CONSTANT("LIBXSLT_DOTTED_VERSION", LIBXSLT_DOTTED_VERSION, CONST_CS \| CONST_PERSISTENT);
39
40			@@ -175,6 +190,8 @@ PHP_MINIT_FUNCTION(xsl)
41			REGISTER_STRING_CONSTANT("LIBEXSLT_DOTTED_VERSION", LIBEXSLT_DOTTED_VERSION, CONST_CS \| CONST_PERSISTENT);
42			#endif
43
44			+ REGISTER_INI_ENTRIES();
45			+
46			return SUCCESS;
47			}
48			/* }}} */
49			@@ -258,6 +275,8 @@ PHP_MSHUTDOWN_FUNCTION(xsl)
50
51			xsltCleanupGlobals();
52
53			+ UNREGISTER_INI_ENTRIES();
54			+
55			return SUCCESS;
56			}
57			/* }}} */
58			--- php-5.3.3/ext/xsl/php_xsl.h.cve0057
59			+++ php-5.3.3/ext/xsl/php_xsl.h
60			@@ -32,6 +32,7 @@ extern zend_module_entry xsl_module_entr
61			#include <libxslt/xsltInternals.h>
62			#include <libxslt/xsltutils.h>
63			#include <libxslt/transform.h>
64			+#include <libxslt/security.h>
65			#if HAVE_XSL_EXSLT
66			#include <libexslt/exslt.h>
67			#include <libexslt/exsltconfig.h>
68			@@ -43,6 +44,15 @@ extern zend_module_entry xsl_module_entr
69			#include <libxslt/extensions.h>
70			#include <libxml/xpathInternals.h>
71
72			+#define XSL_SECPREF_NONE 0
73			+#define XSL_SECPREF_READ_FILE 2
74			+#define XSL_SECPREF_WRITE_FILE 4
75			+#define XSL_SECPREF_CREATE_DIRECTORY 8
76			+#define XSL_SECPREF_READ_NETWORK 16
77			+#define XSL_SECPREF_WRITE_NETWORK 32
78			+/* Default == disable all write access == XSL_SECPREF_WRITE_NETWORK \| XSL_SECPREF_CREATE_DIRECTORY \| XSL_SECPREF_WRITE_FILE */
79			+#define XSL_SECPREF_DEFAULT 44
80			+
81			typedef struct _xsl_object {
82			zend_object std;
83			void *ptr;
84			--- php-5.3.3/ext/xsl/tests/bug54446.phpt.cve0057
85			+++ php-5.3.3/ext/xsl/tests/bug54446.phpt
86			@@ -0,0 +1,95 @@
87			+--TEST--
88			+Bug #54446 (Arbitrary file creation via libxslt 'output' extension)
89			+--SKIPIF--
90			+<?php
91			+if (!extension_loaded('xsl')) die("skip Extension XSL is required\n");
92			+?>
93			+--FILE--
94			+<?php
95			+include("prepare.inc");
96			+
97			+$outputfile = dirname(__FILE__)."/bug54446test.txt";
98			+if (file_exists($outputfile)) {
99			+ unlink($outputfile);
100			+}
101			+
102			+$sXsl = <<<EOT
103			+<xsl:stylesheet version="1.0"
104			+ xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
105			+ xmlns:sax="http://icl.com/saxon"
106			+ extension-element-prefixes="sax">
107			+
108			+ <xsl:template match="/">
109			+ <sax:output href="$outputfile" method="text">
110			+ <xsl:value-of select="'0wn3d via PHP and libxslt ...'"/>
111			+ </sax:output>
112			+ </xsl:template>
113			+
114			+</xsl:stylesheet>
115			+EOT;
116			+
117			+$xsl->loadXML( $sXsl );
118			+
119			+# START XSLT
120			+$proc->importStylesheet( $xsl );
121			+
122			+# TRASNFORM & PRINT
123			+print $proc->transformToXML( $dom );
124			+
125			+
126			+if (file_exists($outputfile)) {
127			+ print "$outputfile exists, but shouldn't!\n";
128			+} else {
129			+ print "OK, no file created\n";
130			+}
131			+
132			+#SET NO SECURITY PREFS
133			+ini_set("xsl.security_prefs", XSL_SECPREF_NONE);
134			+
135			+# TRASNFORM & PRINT
136			+print $proc->transformToXML( $dom );
137			+
138			+
139			+if (file_exists($outputfile)) {
140			+ print "OK, file exists\n";
141			+} else {
142			+ print "$outputfile doesn't exist, but should!\n";
143			+}
144			+
145			+unlink($outputfile);
146			+
147			+#SET SECURITY PREFS AGAIN
148			+ini_set("xsl.security_prefs", XSL_SECPREF_WRITE_FILE \| XSL_SECPREF_WRITE_NETWORK \| XSL_SECPREF_CREATE_DIRECTORY);
149			+
150			+# TRASNFORM & PRINT
151			+print $proc->transformToXML( $dom );
152			+
153			+if (file_exists($outputfile)) {
154			+ print "$outputfile exists, but shouldn't!\n";
155			+} else {
156			+ print "OK, no file created\n";
157			+}
158			+
159			+
160			+--EXPECTF--
161			+Warning: XSLTProcessor::transformToXml(): runtime error: file %s line %s element output in %s on line %d
162			+
163			+Warning: XSLTProcessor::transformToXml(): File write for %s/bug54446test.txt refused in %s on line %s
164			+
165			+Warning: XSLTProcessor::transformToXml(): runtime error: file %s line %d element output in %s on line %d
166			+
167			+Warning: XSLTProcessor::transformToXml(): xsltDocumentElem: write rights for %s/bug54446test.txt denied in %s on line %d
168			+OK, no file created
169			+OK, file exists
170			+
171			+Warning: XSLTProcessor::transformToXml(): runtime error: file %s line %s element output in %s on line %d
172			+
173			+Warning: XSLTProcessor::transformToXml(): File write for %s/bug54446test.txt refused in %s on line %s
174			+
175			+Warning: XSLTProcessor::transformToXml(): runtime error: file %s line %d element output in %s on line %d
176			+
177			+Warning: XSLTProcessor::transformToXml(): xsltDocumentElem: write rights for %s/bug54446test.txt denied in %s on line %d
178			+OK, no file created
179			+--CREDITS--
180			+Christian Stocker, chregu@php.net
181			+
182			--- php-5.3.3/ext/xsl/tests/bug54446_with_ini.phpt.cve0057
183			+++ php-5.3.3/ext/xsl/tests/bug54446_with_ini.phpt
184			@@ -0,0 +1,95 @@
185			+--TEST--
186			+Bug #54446 (Arbitrary file creation via libxslt 'output' extension with php.ini setting)
187			+--SKIPIF--
188			+<?php
189			+if (!extension_loaded('xsl')) die("skip Extension XSL is required\n");
190			+?>
191			+--FILE--
192			+<?php
193			+include("prepare.inc");
194			+
195			+$outputfile = dirname(__FILE__)."/bug54446test.txt";
196			+if (file_exists($outputfile)) {
197			+ unlink($outputfile);
198			+}
199			+
200			+$sXsl = <<<EOT
201			+<xsl:stylesheet version="1.0"
202			+ xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
203			+ xmlns:sax="http://icl.com/saxon"
204			+ extension-element-prefixes="sax">
205			+
206			+ <xsl:template match="/">
207			+ <sax:output href="$outputfile" method="text">
208			+ <xsl:value-of select="'0wn3d via PHP and libxslt ...'"/>
209			+ </sax:output>
210			+ </xsl:template>
211			+
212			+</xsl:stylesheet>
213			+EOT;
214			+
215			+$xsl->loadXML( $sXsl );
216			+
217			+# START XSLT
218			+$proc->importStylesheet( $xsl );
219			+
220			+# TRASNFORM & PRINT
221			+print $proc->transformToXML( $dom );
222			+
223			+
224			+if (file_exists($outputfile)) {
225			+ print "$outputfile exists, but shouldn't!\n";
226			+} else {
227			+ print "OK, no file created\n";
228			+}
229			+
230			+#SET NO SECURITY PREFS
231			+ini_set("xsl.security_prefs", XSL_SECPREF_NONE);
232			+
233			+# TRASNFORM & PRINT
234			+print $proc->transformToXML( $dom );
235			+
236			+
237			+if (file_exists($outputfile)) {
238			+ print "OK, file exists\n";
239			+} else {
240			+ print "$outputfile doesn't exist, but should!\n";
241			+}
242			+
243			+unlink($outputfile);
244			+
245			+#SET SECURITY PREFS AGAIN
246			+ini_set("xsl.security_prefs", XSL_SECPREF_WRITE_FILE \| XSL_SECPREF_WRITE_NETWORK \| XSL_SECPREF_CREATE_DIRECTORY);
247			+
248			+# TRASNFORM & PRINT
249			+print $proc->transformToXML( $dom );
250			+
251			+if (file_exists($outputfile)) {
252			+ print "$outputfile exists, but shouldn't!\n";
253			+} else {
254			+ print "OK, no file created\n";
255			+}
256			+
257			+
258			+--EXPECTF--
259			+Warning: XSLTProcessor::transformToXml(): runtime error: file %s line %s element output in %s on line %d
260			+
261			+Warning: XSLTProcessor::transformToXml(): File write for %s/bug54446test.txt refused in %s on line %s
262			+
263			+Warning: XSLTProcessor::transformToXml(): runtime error: file %s line %d element output in %s on line %d
264			+
265			+Warning: XSLTProcessor::transformToXml(): xsltDocumentElem: write rights for %s/bug54446test.txt denied in %s on line %d
266			+OK, no file created
267			+OK, file exists
268			+
269			+Warning: XSLTProcessor::transformToXml(): runtime error: file %s line %s element output in %s on line %d
270			+
271			+Warning: XSLTProcessor::transformToXml(): File write for %s/bug54446test.txt refused in %s on line %s
272			+
273			+Warning: XSLTProcessor::transformToXml(): runtime error: file %s line %d element output in %s on line %d
274			+
275			+Warning: XSLTProcessor::transformToXml(): xsltDocumentElem: write rights for %s/bug54446test.txt denied in %s on line %d
276			+OK, no file created
277			+--CREDITS--
278			+Christian Stocker, chregu@php.net
279			+
280			--- php-5.3.3/ext/xsl/xsltprocessor.c.cve0057
281			+++ php-5.3.3/ext/xsl/xsltprocessor.c
282			@@ -475,6 +475,9 @@ static xmlDocPtr php_xsl_apply_styleshee
283			zval doXInclude, member;
284			zend_object_handlers *std_hnd;
285			FILE *f;
286			+ int secPrefsError = 0;
287			+ int secPrefsValue;
288			+ xsltSecurityPrefsPtr secPrefs = NULL;
289
290			node = php_libxml_import_node(docp TSRMLS_CC);
291
292			@@ -531,11 +534,56 @@ static xmlDocPtr php_xsl_apply_styleshee
293			}
294			efree(member);
295
296			- newdocp = xsltApplyStylesheetUser(style, doc, (const char**) params, NULL, f, ctxt);
297			+
298			+ secPrefsValue = INI_INT("xsl.security_prefs");
299			+
300			+ /* if securityPrefs is set to NONE, we don't have to do any checks, but otherwise... */
301			+ if (secPrefsValue != XSL_SECPREF_NONE) {
302			+ secPrefs = xsltNewSecurityPrefs();
303			+ if (secPrefsValue & XSL_SECPREF_READ_FILE ) {
304			+ if (0 != xsltSetSecurityPrefs(secPrefs, XSLT_SECPREF_READ_FILE, xsltSecurityForbid)) {
305			+ secPrefsError = 1;
306			+ }
307			+ }
308			+ if (secPrefsValue & XSL_SECPREF_WRITE_FILE ) {
309			+ if (0 != xsltSetSecurityPrefs(secPrefs, XSLT_SECPREF_WRITE_FILE, xsltSecurityForbid)) {
310			+ secPrefsError = 1;
311			+ }
312			+ }
313			+ if (secPrefsValue & XSL_SECPREF_CREATE_DIRECTORY ) {
314			+ if (0 != xsltSetSecurityPrefs(secPrefs, XSLT_SECPREF_CREATE_DIRECTORY, xsltSecurityForbid)) {
315			+ secPrefsError = 1;
316			+ }
317			+ }
318			+ if (secPrefsValue & XSL_SECPREF_READ_NETWORK) {
319			+ if (0 != xsltSetSecurityPrefs(secPrefs, XSLT_SECPREF_READ_NETWORK, xsltSecurityForbid)) {
320			+ secPrefsError = 1;
321			+ }
322			+ }
323			+ if (secPrefsValue & XSL_SECPREF_WRITE_NETWORK) {
324			+ if (0 != xsltSetSecurityPrefs(secPrefs, XSLT_SECPREF_WRITE_NETWORK, xsltSecurityForbid)) {
325			+ secPrefsError = 1;
326			+ }
327			+ }
328			+
329			+ if (0 != xsltSetCtxtSecurityPrefs(secPrefs, ctxt)) {
330			+ secPrefsError = 1;
331			+ }
332			+ }
333			+
334			+ if (secPrefsError == 1) {
335			+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Can't set libxslt security properties, not doing transformation for security reasons");
336			+ } else {
337			+ newdocp = xsltApplyStylesheetUser(style, doc, (const char**) params, NULL, f, ctxt);
338			+ }
339			if (f) {
340			fclose(f);
341			}
342			+
343			xsltFreeTransformContext(ctxt);
344			+ if (secPrefs) {
345			+ xsltFreeSecurityPrefs(secPrefs);
346			+ }
347
348			if (intern->node_list != NULL) {
349			zend_hash_destroy(intern->node_list);
350			--- php-5.3.3/php.ini-development.cve0057
351			+++ php-5.3.3/php.ini-development
352			@@ -1890,6 +1890,12 @@ ldap.max_links = -1
353			[dba]
354			;dba.default_handler=
355
356			+[xsl]
357			+; Write operations from within XSLT are disabled by default.
358			+; XSL_SECPREF_CREATE_DIRECTORY \| XSL_SECPREF_WRITE_NETWORK \| XSL_SECPREF_WRITE_FILE = 44
359			+; Set it to 0 to allow all operations
360			+;xsl.security_prefs = 44
361			+
362			; Local Variables:
363			; tab-width: 4
364			; End:
365			--- php-5.3.3/php.ini-production.cve0057
366			+++ php-5.3.3/php.ini-production
367			@@ -1897,6 +1897,12 @@ ldap.max_links = -1
368			[dba]
369			;dba.default_handler=
370
371			+[xsl]
372			+; Write operations from within XSLT are disabled by default.
373			+; XSL_SECPREF_CREATE_DIRECTORY \| XSL_SECPREF_WRITE_NETWORK \| XSL_SECPREF_WRITE_FILE = 44
374			+; Set it to 0 to allow all operations
375			+;xsl.security_prefs = 44
376			+
377			; Local Variables:
378			; tab-width: 4
379			; End:
380			--- php-5.3.3/UPGRADING.cve0057
381			+++ php-5.3.3/UPGRADING
382			@@ -150,6 +150,15 @@ UPGRADE NOTES - PHP 5.3
383
384			- SplObjectStorage now has ArrayAccess support. It is also now possible to
385			store associative information with objects in SplObjectStorage.
386			+
387			+=====================
388			+4.1 New in PHP 5.3.9
389			+=====================
390			+
391			+- Write operations within XSLT (for example with the extension sax:output) are
392			+ disabled by default. You can define what is forbidden with the INI option
393			+ xsl.security_prefs. This option will be marked as deprecated in 5.4 again.
394			+ Use the method XsltProcess::setSecurityPrefs($options) there.
395
396			=============
397			5. Deprecated