
Diff of /rpms/php/sme8/php-5.3.3-CVE-2012-0057.patch


Revision 1.1 by slords, Fri Jun 29 14:45:08 2012 UTC Revision 1.1.2.1 by slords, Fri Jun 29 14:45:08 2012 UTC
# Line 0  Line 1 
1    
2    https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-0057
3    
4    http://git.php.net/?p=php-src.git;a=commitdiff;h=b2287a42a0dfd8fe392051d8f25531051cd86322
5    http://git.php.net/?p=php-src.git;a=commitdiff;h=192511f75d915c723384da17b6ca265971727132
6    http://git.php.net/?p=php-src.git;a=commitdiff;h=c9b5d92821db7335632f8578871e2b75ac018f2a
7    http://git.php.net/?p=php-src.git;a=commitdiff;h=777a29fce22a741fedb69c83c3e7c2129372ee0e
8    
9    --- php-5.3.3/ext/xsl/php_xsl.c.cve0057
10    +++ php-5.3.3/ext/xsl/php_xsl.c
11    @@ -141,6 +141,13 @@ zend_object_value xsl_objects_new(zend_c
12     }
13     /* }}} */
14    
15    +PHP_INI_BEGIN()
16    +/* Default is not allowing any write operations.
17    +   XSL_SECPREF_CREATE_DIRECTORY | XSL_SECPREF_WRITE_NETWORK | XSL_SECPREF_WRITE_FILE == 44
18    +*/
19    +PHP_INI_ENTRY("xsl.security_prefs", "44", PHP_INI_ALL, NULL)
20    +PHP_INI_END()
21    +
22     /* {{{ PHP_MINIT_FUNCTION
23      */
24     PHP_MINIT_FUNCTION(xsl)
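Review bot: Registering `xsl.security_prefs` with `PHP_INI_ALL` means any script can lift the restriction at runtime, which the added bug54446.phpt itself does with `ini_set("xsl.security_prefs", XSL_SECPREF_NONE)`. The setting therefore protects against hostile stylesheets processed by trusted PHP code, not against untrusted PHP code, and the comment above the entry does not say so. I would extend it to something like `/* Bits set here are operations libxslt is told to forbid. Changeable per script (PHP_INI_ALL), so this is a guard against untrusted stylesheets, not a sandbox for untrusted PHP code. */`. Where an administrator-enforced floor is wanted, `PHP_INI_SYSTEM` is the access level to weigh, at the cost of the runtime override the tests rely on.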
25    @@ -167,6 +174,14 @@ PHP_MINIT_FUNCTION(xsl)
26            REGISTER_LONG_CONSTANT("XSL_CLONE_NEVER",    -1,     CONST_CS | CONST_PERSISTENT);
27            REGISTER_LONG_CONSTANT("XSL_CLONE_ALWAYS",    1,     CONST_CS | CONST_PERSISTENT);
28    
29    +       REGISTER_LONG_CONSTANT("XSL_SECPREF_NONE",             XSL_SECPREF_NONE,             CONST_CS | CONST_PERSISTENT);
30    +       REGISTER_LONG_CONSTANT("XSL_SECPREF_READ_FILE",        XSL_SECPREF_READ_FILE,        CONST_CS | CONST_PERSISTENT);
31    +       REGISTER_LONG_CONSTANT("XSL_SECPREF_WRITE_FILE",       XSL_SECPREF_WRITE_FILE,       CONST_CS | CONST_PERSISTENT);
32    +       REGISTER_LONG_CONSTANT("XSL_SECPREF_CREATE_DIRECTORY", XSL_SECPREF_CREATE_DIRECTORY, CONST_CS | CONST_PERSISTENT);
33    +       REGISTER_LONG_CONSTANT("XSL_SECPREF_READ_NETWORK",     XSL_SECPREF_READ_NETWORK,     CONST_CS | CONST_PERSISTENT);
34    +       REGISTER_LONG_CONSTANT("XSL_SECPREF_WRITE_NETWORK",    XSL_SECPREF_WRITE_NETWORK,    CONST_CS | CONST_PERSISTENT);
35    +       REGISTER_LONG_CONSTANT("XSL_SECPREF_DEFAULT",          XSL_SECPREF_DEFAULT,          CONST_CS | CONST_PERSISTENT);
36    +
37            REGISTER_LONG_CONSTANT("LIBXSLT_VERSION",           LIBXSLT_VERSION,            CONST_CS | CONST_PERSISTENT);
38            REGISTER_STRING_CONSTANT("LIBXSLT_DOTTED_VERSION",  LIBXSLT_DOTTED_VERSION,     CONST_CS | CONST_PERSISTENT);
39    
40    @@ -175,6 +190,8 @@ PHP_MINIT_FUNCTION(xsl)
41            REGISTER_STRING_CONSTANT("LIBEXSLT_DOTTED_VERSION",  LIBEXSLT_DOTTED_VERSION,     CONST_CS | CONST_PERSISTENT);
42     #endif
43    
44    +    REGISTER_INI_ENTRIES();
45    +
46            return SUCCESS;
47     }
48     /* }}} */
49    @@ -258,6 +275,8 @@ PHP_MSHUTDOWN_FUNCTION(xsl)
50    
51            xsltCleanupGlobals();
52    
53    +       UNREGISTER_INI_ENTRIES();
54    +
55            return SUCCESS;
56     }
57     /* }}} */
58    --- php-5.3.3/ext/xsl/php_xsl.h.cve0057
59    +++ php-5.3.3/ext/xsl/php_xsl.h
60    @@ -32,6 +32,7 @@ extern zend_module_entry xsl_module_entr
61     #include <libxslt/xsltInternals.h>
62     #include <libxslt/xsltutils.h>
63     #include <libxslt/transform.h>
64    +#include <libxslt/security.h>
65     #if HAVE_XSL_EXSLT
66     #include <libexslt/exslt.h>
67     #include <libexslt/exsltconfig.h>
68    @@ -43,6 +44,15 @@ extern zend_module_entry xsl_module_entr
69     #include <libxslt/extensions.h>
70     #include <libxml/xpathInternals.h>
71    
72    +#define XSL_SECPREF_NONE 0
73    +#define XSL_SECPREF_READ_FILE 2
74    +#define XSL_SECPREF_WRITE_FILE 4
75    +#define XSL_SECPREF_CREATE_DIRECTORY 8
76    +#define XSL_SECPREF_READ_NETWORK 16
77    +#define XSL_SECPREF_WRITE_NETWORK 32
78    +/* Default == disable all write access ==  XSL_SECPREF_WRITE_NETWORK | XSL_SECPREF_CREATE_DIRECTORY | XSL_SECPREF_WRITE_FILE */
79    +#define XSL_SECPREF_DEFAULT 44
80    +
81     typedef struct _xsl_object {
82            zend_object  std;
83            void *ptr;
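Review bot: `XSL_SECPREF_DEFAULT` is spelled as the literal `44`, so it can silently drift from the flags it is meant to combine; only the comment ties the two together. Defining it from the flags keeps them in step: `#define XSL_SECPREF_DEFAULT (XSL_SECPREF_WRITE_FILE | XSL_SECPREF_CREATE_DIRECTORY | XSL_SECPREF_WRITE_NETWORK)`. The block would also benefit from a one-line comment stating that a set bit means the operation is forbidden and that these are PHP-side bit flags, mapped onto libxslt's `XSLT_SECPREF_*` options in xsltprocessor.c rather than being the same values. The INI default string `"44"` in php_xsl.c still has to be kept in sync by hand.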
84    --- php-5.3.3/ext/xsl/tests/bug54446.phpt.cve0057
85    +++ php-5.3.3/ext/xsl/tests/bug54446.phpt
86    @@ -0,0 +1,95 @@
87    +--TEST--
88    +Bug #54446 (Arbitrary file creation via libxslt 'output' extension)
89    +--SKIPIF--
90    +<?php
91    +if (!extension_loaded('xsl')) die("skip Extension XSL is required\n");
92    +?>
93    +--FILE--
94    +<?php
95    +include("prepare.inc");
96    +
97    +$outputfile = dirname(__FILE__)."/bug54446test.txt";
98    +if (file_exists($outputfile)) {
99    +    unlink($outputfile);
100    +}
101    +
102    +$sXsl = <<<EOT
103    +<xsl:stylesheet version="1.0"
104    +       xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
105    +       xmlns:sax="http://icl.com/saxon"
106    +       extension-element-prefixes="sax">
107    +
108    +       <xsl:template match="/">
109    +               <sax:output href="$outputfile" method="text">
110    +                       <xsl:value-of select="'0wn3d via PHP and libxslt ...'"/>
111    +               </sax:output>
112    +       </xsl:template>
113    +
114    +</xsl:stylesheet>
115    +EOT;
116    +
117    +$xsl->loadXML( $sXsl );
118    +
119    +# START XSLT
120    +$proc->importStylesheet( $xsl );
121    +
122    +# TRASNFORM & PRINT
123    +print $proc->transformToXML( $dom );
124    +
125    +
126    +if (file_exists($outputfile)) {
127    +    print "$outputfile exists, but shouldn't!\n";
128    +} else {
129    +    print "OK, no file created\n";
130    +}
131    +
132    +#SET NO SECURITY PREFS
133    +ini_set("xsl.security_prefs", XSL_SECPREF_NONE);
134    +
135    +# TRASNFORM & PRINT
136    +print $proc->transformToXML( $dom );
137    +
138    +
139    +if (file_exists($outputfile)) {
140    +    print "OK, file exists\n";
141    +} else {
142    +    print "$outputfile doesn't exist, but should!\n";
143    +}
144    +
145    +unlink($outputfile);
146    +
147    +#SET SECURITY PREFS AGAIN
148    +ini_set("xsl.security_prefs", XSL_SECPREF_WRITE_FILE |  XSL_SECPREF_WRITE_NETWORK | XSL_SECPREF_CREATE_DIRECTORY);
149    +
150    +# TRASNFORM & PRINT
151    +print $proc->transformToXML( $dom );
152    +
153    +if (file_exists($outputfile)) {
154    +    print "$outputfile exists, but shouldn't!\n";
155    +} else {
156    +    print "OK, no file created\n";
157    +}
158    +
159    +
160    +--EXPECTF--
161    +Warning: XSLTProcessor::transformToXml(): runtime error: file %s line %s element output in %s on line %d
162    +
163    +Warning: XSLTProcessor::transformToXml(): File write for %s/bug54446test.txt refused in %s on line %s
164    +
165    +Warning: XSLTProcessor::transformToXml(): runtime error: file %s line %d element output in %s on line %d
166    +
167    +Warning: XSLTProcessor::transformToXml(): xsltDocumentElem: write rights for %s/bug54446test.txt denied in %s on line %d
168    +OK, no file created
169    +OK, file exists
170    +
171    +Warning: XSLTProcessor::transformToXml(): runtime error: file %s line %s element output in %s on line %d
172    +
173    +Warning: XSLTProcessor::transformToXml(): File write for %s/bug54446test.txt refused in %s on line %s
174    +
175    +Warning: XSLTProcessor::transformToXml(): runtime error: file %s line %d element output in %s on line %d
176    +
177    +Warning: XSLTProcessor::transformToXml(): xsltDocumentElem: write rights for %s/bug54446test.txt denied in %s on line %d
178    +OK, no file created
179    +--CREDITS--
180    +Christian Stocker, chregu@php.net
181    +
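Review bot: The test has no `--CLEAN--` section, so if the final transform wrongly succeeds, `bug54446test.txt` is left in the tests directory, because the last block only prints and never removes it. A `--CLEAN--` section that unlinks the file when it exists would cover every exit path. The unconditional `unlink($outputfile);` after the second transform also raises its own warning when the file is missing, which obscures the real failure; `if (file_exists($outputfile)) unlink($outputfile);` keeps the output readable. The comments spell "TRASNFORM" where "TRANSFORM" is meant.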
182    --- php-5.3.3/ext/xsl/tests/bug54446_with_ini.phpt.cve0057
183    +++ php-5.3.3/ext/xsl/tests/bug54446_with_ini.phpt
184    @@ -0,0 +1,95 @@
185    +--TEST--
186    +Bug #54446 (Arbitrary file creation via libxslt 'output' extension with php.ini setting)
187    +--SKIPIF--
188    +<?php
189    +if (!extension_loaded('xsl')) die("skip Extension XSL is required\n");
190    +?>
191    +--FILE--
192    +<?php
193    +include("prepare.inc");
194    +
195    +$outputfile = dirname(__FILE__)."/bug54446test.txt";
196    +if (file_exists($outputfile)) {
197    +    unlink($outputfile);
198    +}
199    +
200    +$sXsl = <<<EOT
201    +<xsl:stylesheet version="1.0"
202    +       xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
203    +       xmlns:sax="http://icl.com/saxon"
204    +       extension-element-prefixes="sax">
205    +
206    +       <xsl:template match="/">
207    +               <sax:output href="$outputfile" method="text">
208    +                       <xsl:value-of select="'0wn3d via PHP and libxslt ...'"/>
209    +               </sax:output>
210    +       </xsl:template>
211    +
212    +</xsl:stylesheet>
213    +EOT;
214    +
215    +$xsl->loadXML( $sXsl );
216    +
217    +# START XSLT
218    +$proc->importStylesheet( $xsl );
219    +
220    +# TRASNFORM & PRINT
221    +print $proc->transformToXML( $dom );
222    +
223    +
224    +if (file_exists($outputfile)) {
225    +    print "$outputfile exists, but shouldn't!\n";
226    +} else {
227    +    print "OK, no file created\n";
228    +}
229    +
230    +#SET NO SECURITY PREFS
231    +ini_set("xsl.security_prefs", XSL_SECPREF_NONE);
232    +
233    +# TRASNFORM & PRINT
234    +print $proc->transformToXML( $dom );
235    +
236    +
237    +if (file_exists($outputfile)) {
238    +    print "OK, file exists\n";
239    +} else {
240    +    print "$outputfile doesn't exist, but should!\n";
241    +}
242    +
243    +unlink($outputfile);
244    +
245    +#SET SECURITY PREFS AGAIN
246    +ini_set("xsl.security_prefs", XSL_SECPREF_WRITE_FILE |  XSL_SECPREF_WRITE_NETWORK | XSL_SECPREF_CREATE_DIRECTORY);
247    +
248    +# TRASNFORM & PRINT
249    +print $proc->transformToXML( $dom );
250    +
251    +if (file_exists($outputfile)) {
252    +    print "$outputfile exists, but shouldn't!\n";
253    +} else {
254    +    print "OK, no file created\n";
255    +}
256    +
257    +
258    +--EXPECTF--
259    +Warning: XSLTProcessor::transformToXml(): runtime error: file %s line %s element output in %s on line %d
260    +
261    +Warning: XSLTProcessor::transformToXml(): File write for %s/bug54446test.txt refused in %s on line %s
262    +
263    +Warning: XSLTProcessor::transformToXml(): runtime error: file %s line %d element output in %s on line %d
264    +
265    +Warning: XSLTProcessor::transformToXml(): xsltDocumentElem: write rights for %s/bug54446test.txt denied in %s on line %d
266    +OK, no file created
267    +OK, file exists
268    +
269    +Warning: XSLTProcessor::transformToXml(): runtime error: file %s line %s element output in %s on line %d
270    +
271    +Warning: XSLTProcessor::transformToXml(): File write for %s/bug54446test.txt refused in %s on line %s
272    +
273    +Warning: XSLTProcessor::transformToXml(): runtime error: file %s line %d element output in %s on line %d
274    +
275    +Warning: XSLTProcessor::transformToXml(): xsltDocumentElem: write rights for %s/bug54446test.txt denied in %s on line %d
276    +OK, no file created
277    +--CREDITS--
278    +Christian Stocker, chregu@php.net
279    +
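Review bot: Apart from its `--TEST--` title, this file is line for line the same as bug54446.phpt: it has no `--INI--` section and sets the value only through `ini_set()`, so the php.ini path named in the title is never exercised. To cover it, add an `--INI--` section that sets `xsl.security_prefs` and drop the `ini_set()` call that precedes the transform being checked. Both tests also write to the same `bug54446test.txt` path and neither has a `--CLEAN--` section, so a leftover from one can affect the other.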
280    --- php-5.3.3/ext/xsl/xsltprocessor.c.cve0057
281    +++ php-5.3.3/ext/xsl/xsltprocessor.c
282    @@ -475,6 +475,9 @@ static xmlDocPtr php_xsl_apply_styleshee
283            zval *doXInclude, *member;
284            zend_object_handlers *std_hnd;
285            FILE *f;
286    +       int secPrefsError = 0;
287    +       int secPrefsValue;
288    +       xsltSecurityPrefsPtr secPrefs = NULL;
289    
290            node = php_libxml_import_node(docp TSRMLS_CC);
291            
292    @@ -531,11 +534,56 @@ static xmlDocPtr php_xsl_apply_styleshee
293            }
294            efree(member);
295    
296    -       newdocp = xsltApplyStylesheetUser(style, doc, (const char**) params,  NULL, f, ctxt);
297    +      
298    +       secPrefsValue = INI_INT("xsl.security_prefs");
299    +      
300    +       /* if securityPrefs is set to NONE, we don't have to do any checks, but otherwise... */
301    +       if (secPrefsValue != XSL_SECPREF_NONE) {
302    +               secPrefs = xsltNewSecurityPrefs();
303    +               if (secPrefsValue & XSL_SECPREF_READ_FILE ) {
304    +                       if (0 != xsltSetSecurityPrefs(secPrefs, XSLT_SECPREF_READ_FILE, xsltSecurityForbid)) {
305    +                               secPrefsError = 1;
306    +                       }
307    +               }
308    +               if (secPrefsValue & XSL_SECPREF_WRITE_FILE ) {
309    +                       if (0 != xsltSetSecurityPrefs(secPrefs, XSLT_SECPREF_WRITE_FILE, xsltSecurityForbid)) {
310    +                               secPrefsError = 1;
311    +                       }
312    +               }
313    +               if (secPrefsValue & XSL_SECPREF_CREATE_DIRECTORY ) {
314    +                       if (0 != xsltSetSecurityPrefs(secPrefs, XSLT_SECPREF_CREATE_DIRECTORY, xsltSecurityForbid)) {
315    +                               secPrefsError = 1;
316    +                       }
317    +               }
318    +               if (secPrefsValue & XSL_SECPREF_READ_NETWORK) {
319    +                       if (0 != xsltSetSecurityPrefs(secPrefs, XSLT_SECPREF_READ_NETWORK, xsltSecurityForbid)) {
320    +                               secPrefsError = 1;
321    +                       }
322    +               }
323    +               if (secPrefsValue & XSL_SECPREF_WRITE_NETWORK) {
324    +                       if (0 != xsltSetSecurityPrefs(secPrefs, XSLT_SECPREF_WRITE_NETWORK, xsltSecurityForbid)) {
325    +                               secPrefsError = 1;
326    +                       }
327    +               }
328    +      
329    +               if (0 != xsltSetCtxtSecurityPrefs(secPrefs, ctxt)) {
330    +                       secPrefsError = 1;
331    +               }
332    +       }
333    +      
334    +       if (secPrefsError == 1) {
335    +               php_error_docref(NULL TSRMLS_CC, E_WARNING, "Can't set libxslt security properties, not doing transformation for security reasons");
336    +       } else {
337    +               newdocp = xsltApplyStylesheetUser(style, doc, (const char**) params,  NULL, f, ctxt);
338    +       }
339            if (f) {
340                    fclose(f);
341            }
342    +      
343            xsltFreeTransformContext(ctxt);
344    +       if (secPrefs) {
345    +               xsltFreeSecurityPrefs(secPrefs);
346    +       }
347    
348            if (intern->node_list != NULL) {
349                    zend_hash_destroy(intern->node_list);
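Review bot: On the refusal path (`secPrefsError == 1`) nothing is assigned to `newdocp`, so the value later handed back depends on its declaration, which lies above the first hunk. If it is declared without an initialiser, the fail-closed branch would leave callers with an indeterminate pointer rather than NULL. Adding `newdocp = NULL;` next to the `php_error_docref` call makes the refusal explicit. The result of `xsltNewSecurityPrefs()` is not checked either; the following `xsltSetSecurityPrefs` calls presumably fail on a NULL object, but `if (secPrefs == NULL) { secPrefsError = 1; }` straight after the allocation would not rely on that. The function body starts before and continues past this hunk.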
350    --- php-5.3.3/php.ini-development.cve0057
351    +++ php-5.3.3/php.ini-development
352    @@ -1890,6 +1890,12 @@ ldap.max_links = -1
353     [dba]
354     ;dba.default_handler=
355    
356    +[xsl]
357    +; Write operations from within XSLT are disabled by default.
358    +; XSL_SECPREF_CREATE_DIRECTORY | XSL_SECPREF_WRITE_NETWORK | XSL_SECPREF_WRITE_FILE = 44
359    +; Set it to 0 to allow all operations
360    +;xsl.security_prefs = 44
361    +
362     ; Local Variables:
363     ; tab-width: 4
364     ; End:
365    --- php-5.3.3/php.ini-production.cve0057
366    +++ php-5.3.3/php.ini-production
367    @@ -1897,6 +1897,12 @@ ldap.max_links = -1
368     [dba]
369     ;dba.default_handler=
370    
371    +[xsl]
372    +; Write operations from within XSLT are disabled by default.
373    +; XSL_SECPREF_CREATE_DIRECTORY | XSL_SECPREF_WRITE_NETWORK | XSL_SECPREF_WRITE_FILE = 44
374    +; Set it to 0 to allow all operations
375    +;xsl.security_prefs = 44
376    +
377     ; Local Variables:
378     ; tab-width: 4
379     ; End:
380    --- php-5.3.3/UPGRADING.cve0057
381    +++ php-5.3.3/UPGRADING
382    @@ -150,6 +150,15 @@ UPGRADE NOTES - PHP 5.3
383    
384     - SplObjectStorage now has ArrayAccess support. It is also now possible to
385       store associative information with objects in SplObjectStorage.
386    +  
387    +=====================
388    +4.1 New in PHP 5.3.9
389    +=====================
390    +
391    +- Write operations within XSLT (for example with the extension sax:output) are
392    +  disabled by default. You can define what is forbidden with the INI option
393    +  xsl.security_prefs. This option will be marked as deprecated in 5.4 again.
394    +  Use the method XsltProcess::setSecurityPrefs($options) there.
395    
396     =============
397     5. Deprecated

