slords |
1.2 |
|
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-0057 |
http://git.php.net/?p=php-src.git;a=commitdiff;h=b2287a42a0dfd8fe392051d8f25531051cd86322 |
http://git.php.net/?p=php-src.git;a=commitdiff;h=192511f75d915c723384da17b6ca265971727132 |
http://git.php.net/?p=php-src.git;a=commitdiff;h=c9b5d92821db7335632f8578871e2b75ac018f2a |
http://git.php.net/?p=php-src.git;a=commitdiff;h=777a29fce22a741fedb69c83c3e7c2129372ee0e |
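--- php-5.3.3/ext/xsl/php_xsl.c.cve0057
+++ php-5.3.3/ext/xsl/php_xsl.c
@@ -141,6 +141,13 @@ zend_object_value xsl_objects_new(zend_c
 }
 /* }}} */
 
+PHP_INI_BEGIN()
+/* Default is not allowing any write operations.
+ XSL_SECPREF_CREATE_DIRECTORY | XSL_SECPREF_WRITE_NETWORK | XSL_SECPREF_WRITE_FILE == 44
+*/
+PHP_INI_ENTRY("xsl.security_prefs", "44", PHP_INI_ALL, NULL)
+PHP_INI_END()
+
 /* {{{ PHP_MINIT_FUNCTION
 */
 PHP_MINIT_FUNCTION(xsl)
@@ -167,6 +174,14 @@ PHP_MINIT_FUNCTION(xsl)
 REGISTER_LONG_CONSTANT("XSL_CLONE_NEVER", -1, CONST_CS | CONST_PERSISTENT);
 REGISTER_LONG_CONSTANT("XSL_CLONE_ALWAYS", 1, CONST_CS | CONST_PERSISTENT);
 
+ REGISTER_LONG_CONSTANT("XSL_SECPREF_NONE", XSL_SECPREF_NONE, CONST_CS | CONST_PERSISTENT);
+ REGISTER_LONG_CONSTANT("XSL_SECPREF_READ_FILE", XSL_SECPREF_READ_FILE, CONST_CS | CONST_PERSISTENT);
+ REGISTER_LONG_CONSTANT("XSL_SECPREF_WRITE_FILE", XSL_SECPREF_WRITE_FILE, CONST_CS | CONST_PERSISTENT);
+ REGISTER_LONG_CONSTANT("XSL_SECPREF_CREATE_DIRECTORY", XSL_SECPREF_CREATE_DIRECTORY, CONST_CS | CONST_PERSISTENT);
+ REGISTER_LONG_CONSTANT("XSL_SECPREF_READ_NETWORK", XSL_SECPREF_READ_NETWORK, CONST_CS | CONST_PERSISTENT);
+ REGISTER_LONG_CONSTANT("XSL_SECPREF_WRITE_NETWORK", XSL_SECPREF_WRITE_NETWORK, CONST_CS | CONST_PERSISTENT);
+ REGISTER_LONG_CONSTANT("XSL_SECPREF_DEFAULT", XSL_SECPREF_DEFAULT, CONST_CS | CONST_PERSISTENT);
+
 REGISTER_LONG_CONSTANT("LIBXSLT_VERSION", LIBXSLT_VERSION, CONST_CS | CONST_PERSISTENT);
 REGISTER_STRING_CONSTANT("LIBXSLT_DOTTED_VERSION", LIBXSLT_DOTTED_VERSION, CONST_CS | CONST_PERSISTENT);
 
@@ -175,6 +190,8 @@ PHP_MINIT_FUNCTION(xsl)
 REGISTER_STRING_CONSTANT("LIBEXSLT_DOTTED_VERSION", LIBEXSLT_DOTTED_VERSION, CONST_CS | CONST_PERSISTENT);
 #endif
 
+ REGISTER_INI_ENTRIES();
+
 return SUCCESS;
 }
 /* }}} */
@@ -258,6 +275,8 @@ PHP_MSHUTDOWN_FUNCTION(xsl)
 
 xsltCleanupGlobals();
 
+ UNREGISTER_INI_ENTRIES();
+
 return SUCCESS;
 }
 /* }}} */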
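Review bot: The `PHP_INI_ENTRY("xsl.security_prefs", "44", PHP_INI_ALL, NULL)` line hard-codes the default as a string literal, duplicating the `XSL_SECPREF_DEFAULT 44` define this patch adds to php_xsl.h, and it installs no modification handler, so a non-numeric php.ini value would presumably be read by INI_INT() as 0, which is the fully permissive setting. A `PHP_INI_MH` handler that rejects values that are not a combination of the XSL_SECPREF_* bits would make a misconfiguration fail closed rather than open. PHP_INI_ALL also means any script can lower the setting with ini_set(), as the accompanying test does; a comment recording that intent, e.g. `/* PHP_INI_ALL: scripts may relax this; it guards against stylesheet content, not against script code */`, would save the next reader from wondering whether that is deliberate.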
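--- php-5.3.3/ext/xsl/php_xsl.h.cve0057
+++ php-5.3.3/ext/xsl/php_xsl.h
@@ -32,6 +32,7 @@ extern zend_module_entry xsl_module_entr
 #include <libxslt/xsltInternals.h>
 #include <libxslt/xsltutils.h>
 #include <libxslt/transform.h>
+#include <libxslt/security.h>
 #if HAVE_XSL_EXSLT
 #include <libexslt/exslt.h>
 #include <libexslt/exsltconfig.h>
@@ -43,6 +44,15 @@ extern zend_module_entry xsl_module_entr
 #include <libxslt/extensions.h>
 #include <libxml/xpathInternals.h>
 
+#define XSL_SECPREF_NONE 0
+#define XSL_SECPREF_READ_FILE 2
+#define XSL_SECPREF_WRITE_FILE 4
+#define XSL_SECPREF_CREATE_DIRECTORY 8
+#define XSL_SECPREF_READ_NETWORK 16
+#define XSL_SECPREF_WRITE_NETWORK 32
+/* Default == disable all write access == XSL_SECPREF_WRITE_NETWORK | XSL_SECPREF_CREATE_DIRECTORY | XSL_SECPREF_WRITE_FILE */
+#define XSL_SECPREF_DEFAULT 44
+
 typedef struct _xsl_object {
 zend_object std;
 void *ptr;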
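Review bot: `#define XSL_SECPREF_DEFAULT 44` spells the default as a magic number while the comment above it gives the intended composition; writing it as `#define XSL_SECPREF_DEFAULT (XSL_SECPREF_WRITE_NETWORK | XSL_SECPREF_CREATE_DIRECTORY | XSL_SECPREF_WRITE_FILE)` keeps the value and its meaning from drifting apart if a bit is ever renumbered. The values also leave bit 1 unassigned, and the names are easy to confuse with libxslt's own XSLT_SECPREF_* options that xsltprocessor.c maps them onto; a one-line comment such as `/* PHP-side bitmask for xsl.security_prefs; mapped to libxslt XSLT_SECPREF_* options in xsltprocessor.c */` above the block would help readers who see both families of names.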
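--- php-5.3.3/ext/xsl/tests/bug54446.phpt.cve0057
+++ php-5.3.3/ext/xsl/tests/bug54446.phpt
@@ -0,0 +1,95 @@
+--TEST--
+Bug #54446 (Arbitrary file creation via libxslt 'output' extension)
+--SKIPIF--
+<?php
+if (!extension_loaded('xsl')) die("skip Extension XSL is required\n");
+?>
+--FILE--
+<?php
+include("prepare.inc");
+
+$outputfile = dirname(__FILE__)."/bug54446test.txt";
+if (file_exists($outputfile)) {
+ unlink($outputfile);
+}
+
+$sXsl = <<<EOT
+<xsl:stylesheet version="1.0"
+ xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+ xmlns:sax="http://icl.com/saxon"
+ extension-element-prefixes="sax">
+
+ <xsl:template match="/">
+ <sax:output href="$outputfile" method="text">
+ <xsl:value-of select="'0wn3d via PHP and libxslt ...'"/>
+ </sax:output>
+ </xsl:template>
+
+</xsl:stylesheet>
+EOT;
+
+$xsl->loadXML( $sXsl );
+
+# START XSLT
+$proc->importStylesheet( $xsl );
+
+# TRASNFORM & PRINT
+print $proc->transformToXML( $dom );
+
+
+if (file_exists($outputfile)) {
+ print "$outputfile exists, but shouldn't!\n";
+} else {
+ print "OK, no file created\n";
+}
+
+#SET NO SECURITY PREFS
+ini_set("xsl.security_prefs", XSL_SECPREF_NONE);
+
+# TRASNFORM & PRINT
+print $proc->transformToXML( $dom );
+
+
+if (file_exists($outputfile)) {
+ print "OK, file exists\n";
+} else {
+ print "$outputfile doesn't exist, but should!\n";
+}
+
+unlink($outputfile);
+
+#SET SECURITY PREFS AGAIN
+ini_set("xsl.security_prefs", XSL_SECPREF_WRITE_FILE | XSL_SECPREF_WRITE_NETWORK | XSL_SECPREF_CREATE_DIRECTORY);
+
+# TRASNFORM & PRINT
+print $proc->transformToXML( $dom );
+
+if (file_exists($outputfile)) {
+ print "$outputfile exists, but shouldn't!\n";
+} else {
+ print "OK, no file created\n";
+}
+
+
+--EXPECTF--
+Warning: XSLTProcessor::transformToXml(): runtime error: file %s line %s element output in %s on line %d
+
+Warning: XSLTProcessor::transformToXml(): File write for %s/bug54446test.txt refused in %s on line %s
+
+Warning: XSLTProcessor::transformToXml(): runtime error: file %s line %d element output in %s on line %d
+
+Warning: XSLTProcessor::transformToXml(): xsltDocumentElem: write rights for %s/bug54446test.txt denied in %s on line %d
+OK, no file created
+OK, file exists
+
+Warning: XSLTProcessor::transformToXml(): runtime error: file %s line %s element output in %s on line %d
+
+Warning: XSLTProcessor::transformToXml(): File write for %s/bug54446test.txt refused in %s on line %s
+
+Warning: XSLTProcessor::transformToXml(): runtime error: file %s line %d element output in %s on line %d
+
+Warning: XSLTProcessor::transformToXml(): xsltDocumentElem: write rights for %s/bug54446test.txt denied in %s on line %d
+OK, no file created
+--CREDITS--
+Christian Stocker, chregu@php.net
+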
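Review bot: Cleanup of the output file happens only inline at `unlink($outputfile);` after the second transform, so when the test fails in exactly the way it guards against (the third transform creating the file) the artifact is left behind in the tests directory; a `--CLEAN--` section containing `<?php @unlink(dirname(__FILE__)."/bug54446test.txt"); ?>` makes removal unconditional. The same applies to bug54446_with_ini.phpt, whose body is identical. The `# TRASNFORM & PRINT` comments misspell transform.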
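--- php-5.3.3/ext/xsl/tests/bug54446_with_ini.phpt.cve0057
+++ php-5.3.3/ext/xsl/tests/bug54446_with_ini.phpt
@@ -0,0 +1,95 @@
+--TEST--
+Bug #54446 (Arbitrary file creation via libxslt 'output' extension with php.ini setting)
+--SKIPIF--
+<?php
+if (!extension_loaded('xsl')) die("skip Extension XSL is required\n");
+?>
+--FILE--
+<?php
+include("prepare.inc");
+
+$outputfile = dirname(__FILE__)."/bug54446test.txt";
+if (file_exists($outputfile)) {
+ unlink($outputfile);
+}
+
+$sXsl = <<<EOT
+<xsl:stylesheet version="1.0"
+ xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+ xmlns:sax="http://icl.com/saxon"
+ extension-element-prefixes="sax">
+
+ <xsl:template match="/">
+ <sax:output href="$outputfile" method="text">
+ <xsl:value-of select="'0wn3d via PHP and libxslt ...'"/>
+ </sax:output>
+ </xsl:template>
+
+</xsl:stylesheet>
+EOT;
+
+$xsl->loadXML( $sXsl );
+
+# START XSLT
+$proc->importStylesheet( $xsl );
+
+# TRASNFORM & PRINT
+print $proc->transformToXML( $dom );
+
+
+if (file_exists($outputfile)) {
+ print "$outputfile exists, but shouldn't!\n";
+} else {
+ print "OK, no file created\n";
+}
+
+#SET NO SECURITY PREFS
+ini_set("xsl.security_prefs", XSL_SECPREF_NONE);
+
+# TRASNFORM & PRINT
+print $proc->transformToXML( $dom );
+
+
+if (file_exists($outputfile)) {
+ print "OK, file exists\n";
+} else {
+ print "$outputfile doesn't exist, but should!\n";
+}
+
+unlink($outputfile);
+
+#SET SECURITY PREFS AGAIN
+ini_set("xsl.security_prefs", XSL_SECPREF_WRITE_FILE | XSL_SECPREF_WRITE_NETWORK | XSL_SECPREF_CREATE_DIRECTORY);
+
+# TRASNFORM & PRINT
+print $proc->transformToXML( $dom );
+
+if (file_exists($outputfile)) {
+ print "$outputfile exists, but shouldn't!\n";
+} else {
+ print "OK, no file created\n";
+}
+
+
+--EXPECTF--
+Warning: XSLTProcessor::transformToXml(): runtime error: file %s line %s element output in %s on line %d
+
+Warning: XSLTProcessor::transformToXml(): File write for %s/bug54446test.txt refused in %s on line %s
+
+Warning: XSLTProcessor::transformToXml(): runtime error: file %s line %d element output in %s on line %d
+
+Warning: XSLTProcessor::transformToXml(): xsltDocumentElem: write rights for %s/bug54446test.txt denied in %s on line %d
+OK, no file created
+OK, file exists
+
+Warning: XSLTProcessor::transformToXml(): runtime error: file %s line %s element output in %s on line %d
+
+Warning: XSLTProcessor::transformToXml(): File write for %s/bug54446test.txt refused in %s on line %s
+
+Warning: XSLTProcessor::transformToXml(): runtime error: file %s line %d element output in %s on line %d
+
+Warning: XSLTProcessor::transformToXml(): xsltDocumentElem: write rights for %s/bug54446test.txt denied in %s on line %d
+OK, no file created
+--CREDITS--
+Christian Stocker, chregu@php.net
+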
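Review bot: The --FILE-- body of this test is line-for-line identical to bug54446.phpt and the file carries no `--INI--` section, so despite its title it never exercises an xsl.security_prefs value supplied through php.ini; the ini_set() calls inside the script decide every outcome. Adding `--INI--` followed by `xsl.security_prefs=44` (or a non-default value, with --EXPECTF-- adjusted to match) would give the test its stated purpose. As committed, the two files are duplicates and one of them could be dropped.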
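--- php-5.3.3/ext/xsl/xsltprocessor.c.cve0057
+++ php-5.3.3/ext/xsl/xsltprocessor.c
@@ -475,6 +475,9 @@ static xmlDocPtr php_xsl_apply_styleshee
 zval *doXInclude, *member;
 zend_object_handlers *std_hnd;
 FILE *f;
+ int secPrefsError = 0;
+ int secPrefsValue;
+ xsltSecurityPrefsPtr secPrefs = NULL;
 
 node = php_libxml_import_node(docp TSRMLS_CC);
 
@@ -531,11 +534,56 @@ static xmlDocPtr php_xsl_apply_styleshee
 }
 efree(member);
 
- newdocp = xsltApplyStylesheetUser(style, doc, (const char**) params, NULL, f, ctxt);
+
+ secPrefsValue = INI_INT("xsl.security_prefs");
+
+ /* if securityPrefs is set to NONE, we don't have to do any checks, but otherwise... */
+ if (secPrefsValue != XSL_SECPREF_NONE) {
+ secPrefs = xsltNewSecurityPrefs();
+ if (secPrefsValue & XSL_SECPREF_READ_FILE ) {
+ if (0 != xsltSetSecurityPrefs(secPrefs, XSLT_SECPREF_READ_FILE, xsltSecurityForbid)) {
+ secPrefsError = 1;
+ }
+ }
+ if (secPrefsValue & XSL_SECPREF_WRITE_FILE ) {
+ if (0 != xsltSetSecurityPrefs(secPrefs, XSLT_SECPREF_WRITE_FILE, xsltSecurityForbid)) {
+ secPrefsError = 1;
+ }
+ }
+ if (secPrefsValue & XSL_SECPREF_CREATE_DIRECTORY ) {
+ if (0 != xsltSetSecurityPrefs(secPrefs, XSLT_SECPREF_CREATE_DIRECTORY, xsltSecurityForbid)) {
+ secPrefsError = 1;
+ }
+ }
+ if (secPrefsValue & XSL_SECPREF_READ_NETWORK) {
+ if (0 != xsltSetSecurityPrefs(secPrefs, XSLT_SECPREF_READ_NETWORK, xsltSecurityForbid)) {
+ secPrefsError = 1;
+ }
+ }
+ if (secPrefsValue & XSL_SECPREF_WRITE_NETWORK) {
+ if (0 != xsltSetSecurityPrefs(secPrefs, XSLT_SECPREF_WRITE_NETWORK, xsltSecurityForbid)) {
+ secPrefsError = 1;
+ }
+ }
+
+ if (0 != xsltSetCtxtSecurityPrefs(secPrefs, ctxt)) {
+ secPrefsError = 1;
+ }
+ }
+
+ if (secPrefsError == 1) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Can't set libxslt security properties, not doing transformation for security reasons");
+ } else {
+ newdocp = xsltApplyStylesheetUser(style, doc, (const char**) params, NULL, f, ctxt);
+ }
 if (f) {
 fclose(f);
 }
+
 xsltFreeTransformContext(ctxt);
+ if (secPrefs) {
+ xsltFreeSecurityPrefs(secPrefs);
+ }
 
 if (intern->node_list != NULL) {
 zend_hash_destroy(intern->node_list);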
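Review bot: In the `if (secPrefsError == 1)` branch the function emits the warning but never assigns `newdocp`; its declaration and the final return are outside this hunk, and if the declaration carries no initializer the caller presumably receives an indeterminate pointer, so add `newdocp = NULL;` beside the php_error_docref call. The result of `secPrefs = xsltNewSecurityPrefs();` is likewise used without a NULL check, and whether a NULL prefs pointer is reported as a failure by the later xsltSetSecurityPrefs/xsltSetCtxtSecurityPrefs calls depends on libxslt, so an explicit `if (secPrefs == NULL) { secPrefsError = 1; }` keeps allocation failure on the fail-closed path. A value with none of the known bits set (for example 1) passes the `!= XSL_SECPREF_NONE` test yet installs no restriction, so warning on unrecognised bits would cheaply catch misconfiguration. The five near-identical `if (secPrefsValue & XSL_SECPREF_…)` blocks could be a small table of PHP-bit/libxslt-option pairs walked in one loop. php_xsl_apply_stylesheet begins and ends outside the hunk.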
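--- php-5.3.3/php.ini-development.cve0057
+++ php-5.3.3/php.ini-development
@@ -1890,6 +1890,12 @@ ldap.max_links = -1
 [dba]
 ;dba.default_handler=
 
+[xsl]
+; Write operations from within XSLT are disabled by default.
+; XSL_SECPREF_CREATE_DIRECTORY | XSL_SECPREF_WRITE_NETWORK | XSL_SECPREF_WRITE_FILE = 44
+; Set it to 0 to allow all operations
+;xsl.security_prefs = 44
+
 ; Local Variables:
 ; tab-width: 4
 ; End: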
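--- php-5.3.3/php.ini-production.cve0057
+++ php-5.3.3/php.ini-production
@@ -1897,6 +1897,12 @@ ldap.max_links = -1
 [dba]
 ;dba.default_handler=
 
+[xsl]
+; Write operations from within XSLT are disabled by default.
+; XSL_SECPREF_CREATE_DIRECTORY | XSL_SECPREF_WRITE_NETWORK | XSL_SECPREF_WRITE_FILE = 44
+; Set it to 0 to allow all operations
+;xsl.security_prefs = 44
+
 ; Local Variables:
 ; tab-width: 4
 ; End: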
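--- php-5.3.3/UPGRADING.cve0057
+++ php-5.3.3/UPGRADING
@@ -150,6 +150,15 @@ UPGRADE NOTES - PHP 5.3
 
 - SplObjectStorage now has ArrayAccess support. It is also now possible to
 store associative information with objects in SplObjectStorage.
+
+=====================
+4.1 New in PHP 5.3.9
+=====================
+
+- Write operations within XSLT (for example with the extension sax:output) are
+ disabled by default. You can define what is forbidden with the INI option
+ xsl.security_prefs. This option will be marked as deprecated in 5.4 again.
+ Use the method XsltProcess::setSecurityPrefs($options) there.
 
 =============
 5. Deprecated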