php/sme8/php-5.3.3-CVE-2012-0057.patch


https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-0057

http://git.php.net/?p=php-src.git;a=commitdiff;h=b2287a42a0dfd8fe392051d8f25531051cd86322
http://git.php.net/?p=php-src.git;a=commitdiff;h=192511f75d915c723384da17b6ca265971727132
http://git.php.net/?p=php-src.git;a=commitdiff;h=c9b5d92821db7335632f8578871e2b75ac018f2a
http://git.php.net/?p=php-src.git;a=commitdiff;h=777a29fce22a741fedb69c83c3e7c2129372ee0e

--- php-5.3.3/ext/xsl/php_xsl.c.cve0057
+++ php-5.3.3/ext/xsl/php_xsl.c
@@ -141,6 +141,13 @@ zend_object_value xsl_objects_new(zend_c
 }
 /* }}} */
 
+PHP_INI_BEGIN()
+/* Default is not allowing any write operations. 
+   XSL_SECPREF_CREATE_DIRECTORY | XSL_SECPREF_WRITE_NETWORK | XSL_SECPREF_WRITE_FILE == 44 
+*/
+PHP_INI_ENTRY("xsl.security_prefs", "44", PHP_INI_ALL, NULL)
+PHP_INI_END()
+
 /* {{{ PHP_MINIT_FUNCTION
  */
 PHP_MINIT_FUNCTION(xsl)
@@ -167,6 +174,14 @@ PHP_MINIT_FUNCTION(xsl)
        REGISTER_LONG_CONSTANT("XSL_CLONE_NEVER",    -1,     CONST_CS | CONST_PERSISTENT);
        REGISTER_LONG_CONSTANT("XSL_CLONE_ALWAYS",    1,     CONST_CS | CONST_PERSISTENT);
 
+       REGISTER_LONG_CONSTANT("XSL_SECPREF_NONE",             XSL_SECPREF_NONE,             CONST_CS | CONST_PERSISTENT);
+       REGISTER_LONG_CONSTANT("XSL_SECPREF_READ_FILE",        XSL_SECPREF_READ_FILE,        CONST_CS | CONST_PERSISTENT);
+       REGISTER_LONG_CONSTANT("XSL_SECPREF_WRITE_FILE",       XSL_SECPREF_WRITE_FILE,       CONST_CS | CONST_PERSISTENT);
+       REGISTER_LONG_CONSTANT("XSL_SECPREF_CREATE_DIRECTORY", XSL_SECPREF_CREATE_DIRECTORY, CONST_CS | CONST_PERSISTENT);
+       REGISTER_LONG_CONSTANT("XSL_SECPREF_READ_NETWORK",     XSL_SECPREF_READ_NETWORK,     CONST_CS | CONST_PERSISTENT);
+       REGISTER_LONG_CONSTANT("XSL_SECPREF_WRITE_NETWORK",    XSL_SECPREF_WRITE_NETWORK,    CONST_CS | CONST_PERSISTENT);
+       REGISTER_LONG_CONSTANT("XSL_SECPREF_DEFAULT",          XSL_SECPREF_DEFAULT,          CONST_CS | CONST_PERSISTENT);
+
        REGISTER_LONG_CONSTANT("LIBXSLT_VERSION",           LIBXSLT_VERSION,            CONST_CS | CONST_PERSISTENT);
        REGISTER_STRING_CONSTANT("LIBXSLT_DOTTED_VERSION",  LIBXSLT_DOTTED_VERSION,     CONST_CS | CONST_PERSISTENT);
 
@@ -175,6 +190,8 @@ PHP_MINIT_FUNCTION(xsl)
        REGISTER_STRING_CONSTANT("LIBEXSLT_DOTTED_VERSION",  LIBEXSLT_DOTTED_VERSION,     CONST_CS | CONST_PERSISTENT);
 #endif
 
+    REGISTER_INI_ENTRIES();
+
        return SUCCESS;
 }
 /* }}} */
@@ -258,6 +275,8 @@ PHP_MSHUTDOWN_FUNCTION(xsl)
 
        xsltCleanupGlobals();
 
+       UNREGISTER_INI_ENTRIES();
+
        return SUCCESS;
 }
 /* }}} */
--- php-5.3.3/ext/xsl/php_xsl.h.cve0057
+++ php-5.3.3/ext/xsl/php_xsl.h
@@ -32,6 +32,7 @@ extern zend_module_entry xsl_module_entr
 #include <libxslt/xsltInternals.h>
 #include <libxslt/xsltutils.h>
 #include <libxslt/transform.h>
+#include <libxslt/security.h> 
 #if HAVE_XSL_EXSLT
 #include <libexslt/exslt.h>
 #include <libexslt/exsltconfig.h>
@@ -43,6 +44,15 @@ extern zend_module_entry xsl_module_entr
 #include <libxslt/extensions.h>
 #include <libxml/xpathInternals.h>
 
+#define XSL_SECPREF_NONE 0
+#define XSL_SECPREF_READ_FILE 2
+#define XSL_SECPREF_WRITE_FILE 4
+#define XSL_SECPREF_CREATE_DIRECTORY 8
+#define XSL_SECPREF_READ_NETWORK 16
+#define XSL_SECPREF_WRITE_NETWORK 32
+/* Default == disable all write access ==  XSL_SECPREF_WRITE_NETWORK | XSL_SECPREF_CREATE_DIRECTORY | XSL_SECPREF_WRITE_FILE */
+#define XSL_SECPREF_DEFAULT 44
+
 typedef struct _xsl_object {
        zend_object  std;
        void *ptr;
--- php-5.3.3/ext/xsl/tests/bug54446.phpt.cve0057
+++ php-5.3.3/ext/xsl/tests/bug54446.phpt
@@ -0,0 +1,95 @@
+--TEST--
+Bug #54446 (Arbitrary file creation via libxslt 'output' extension)
+--SKIPIF--
+<?php
+if (!extension_loaded('xsl')) die("skip Extension XSL is required\n");
+?>
+--FILE--
+<?php
+include("prepare.inc"); 
+
+$outputfile = dirname(__FILE__)."/bug54446test.txt";
+if (file_exists($outputfile)) {
+    unlink($outputfile);
+}
+
+$sXsl = <<<EOT
+<xsl:stylesheet version="1.0"
+       xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+       xmlns:sax="http://icl.com/saxon"
+       extension-element-prefixes="sax">
+
+       <xsl:template match="/">
+               <sax:output href="$outputfile" method="text">
+                       <xsl:value-of select="'0wn3d via PHP and libxslt ...'"/>
+               </sax:output>
+       </xsl:template>
+
+</xsl:stylesheet>
+EOT;
+
+$xsl->loadXML( $sXsl );
+
+# START XSLT 
+$proc->importStylesheet( $xsl ); 
+
+# TRASNFORM & PRINT 
+print $proc->transformToXML( $dom ); 
+
+
+if (file_exists($outputfile)) {
+    print "$outputfile exists, but shouldn't!\n";
+} else {
+    print "OK, no file created\n";
+}
+
+#SET NO SECURITY PREFS
+ini_set("xsl.security_prefs", XSL_SECPREF_NONE);
+
+# TRASNFORM & PRINT 
+print $proc->transformToXML( $dom ); 
+
+
+if (file_exists($outputfile)) {
+    print "OK, file exists\n";
+} else {
+    print "$outputfile doesn't exist, but should!\n";
+}
+
+unlink($outputfile);
+
+#SET SECURITY PREFS AGAIN
+ini_set("xsl.security_prefs", XSL_SECPREF_WRITE_FILE |  XSL_SECPREF_WRITE_NETWORK | XSL_SECPREF_CREATE_DIRECTORY);
+
+# TRASNFORM & PRINT 
+print $proc->transformToXML( $dom ); 
+
+if (file_exists($outputfile)) {
+    print "$outputfile exists, but shouldn't!\n";
+} else {
+    print "OK, no file created\n";
+}
+
+
+--EXPECTF--
+Warning: XSLTProcessor::transformToXml(): runtime error: file %s line %s element output in %s on line %d
+
+Warning: XSLTProcessor::transformToXml(): File write for %s/bug54446test.txt refused in %s on line %s
+
+Warning: XSLTProcessor::transformToXml(): runtime error: file %s line %d element output in %s on line %d
+
+Warning: XSLTProcessor::transformToXml(): xsltDocumentElem: write rights for %s/bug54446test.txt denied in %s on line %d
+OK, no file created
+OK, file exists
+
+Warning: XSLTProcessor::transformToXml(): runtime error: file %s line %s element output in %s on line %d
+
+Warning: XSLTProcessor::transformToXml(): File write for %s/bug54446test.txt refused in %s on line %s
+
+Warning: XSLTProcessor::transformToXml(): runtime error: file %s line %d element output in %s on line %d
+
+Warning: XSLTProcessor::transformToXml(): xsltDocumentElem: write rights for %s/bug54446test.txt denied in %s on line %d
+OK, no file created
+--CREDITS--
+Christian Stocker, chregu@php.net
+
--- php-5.3.3/ext/xsl/tests/bug54446_with_ini.phpt.cve0057
+++ php-5.3.3/ext/xsl/tests/bug54446_with_ini.phpt
@@ -0,0 +1,95 @@
+--TEST--
+Bug #54446 (Arbitrary file creation via libxslt 'output' extension with php.ini setting)
+--SKIPIF--
+<?php
+if (!extension_loaded('xsl')) die("skip Extension XSL is required\n");
+?>
+--FILE--
+<?php
+include("prepare.inc"); 
+
+$outputfile = dirname(__FILE__)."/bug54446test.txt";
+if (file_exists($outputfile)) {
+    unlink($outputfile);
+}
+
+$sXsl = <<<EOT
+<xsl:stylesheet version="1.0"
+       xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+       xmlns:sax="http://icl.com/saxon"
+       extension-element-prefixes="sax">
+
+       <xsl:template match="/">
+               <sax:output href="$outputfile" method="text">
+                       <xsl:value-of select="'0wn3d via PHP and libxslt ...'"/>
+               </sax:output>
+       </xsl:template>
+
+</xsl:stylesheet>
+EOT;
+
+$xsl->loadXML( $sXsl );
+
+# START XSLT 
+$proc->importStylesheet( $xsl ); 
+
+# TRASNFORM & PRINT 
+print $proc->transformToXML( $dom ); 
+
+
+if (file_exists($outputfile)) {
+    print "$outputfile exists, but shouldn't!\n";
+} else {
+    print "OK, no file created\n";
+}
+
+#SET NO SECURITY PREFS
+ini_set("xsl.security_prefs", XSL_SECPREF_NONE);
+
+# TRASNFORM & PRINT 
+print $proc->transformToXML( $dom ); 
+
+
+if (file_exists($outputfile)) {
+    print "OK, file exists\n";
+} else {
+    print "$outputfile doesn't exist, but should!\n";
+}
+
+unlink($outputfile);
+
+#SET SECURITY PREFS AGAIN
+ini_set("xsl.security_prefs", XSL_SECPREF_WRITE_FILE |  XSL_SECPREF_WRITE_NETWORK | XSL_SECPREF_CREATE_DIRECTORY);
+
+# TRASNFORM & PRINT 
+print $proc->transformToXML( $dom ); 
+
+if (file_exists($outputfile)) {
+    print "$outputfile exists, but shouldn't!\n";
+} else {
+    print "OK, no file created\n";
+}
+
+
+--EXPECTF--
+Warning: XSLTProcessor::transformToXml(): runtime error: file %s line %s element output in %s on line %d
+
+Warning: XSLTProcessor::transformToXml(): File write for %s/bug54446test.txt refused in %s on line %s
+
+Warning: XSLTProcessor::transformToXml(): runtime error: file %s line %d element output in %s on line %d
+
+Warning: XSLTProcessor::transformToXml(): xsltDocumentElem: write rights for %s/bug54446test.txt denied in %s on line %d
+OK, no file created
+OK, file exists
+
+Warning: XSLTProcessor::transformToXml(): runtime error: file %s line %s element output in %s on line %d
+
+Warning: XSLTProcessor::transformToXml(): File write for %s/bug54446test.txt refused in %s on line %s
+
+Warning: XSLTProcessor::transformToXml(): runtime error: file %s line %d element output in %s on line %d
+
+Warning: XSLTProcessor::transformToXml(): xsltDocumentElem: write rights for %s/bug54446test.txt denied in %s on line %d
+OK, no file created
+--CREDITS--
+Christian Stocker, chregu@php.net
+
--- php-5.3.3/ext/xsl/xsltprocessor.c.cve0057
+++ php-5.3.3/ext/xsl/xsltprocessor.c
@@ -475,6 +475,9 @@ static xmlDocPtr php_xsl_apply_styleshee
        zval *doXInclude, *member;
        zend_object_handlers *std_hnd;
        FILE *f;
+       int secPrefsError = 0;
+       int secPrefsValue;
+       xsltSecurityPrefsPtr secPrefs = NULL;
 
        node = php_libxml_import_node(docp TSRMLS_CC);
        
@@ -531,11 +534,56 @@ static xmlDocPtr php_xsl_apply_styleshee
        }
        efree(member);
 
-       newdocp = xsltApplyStylesheetUser(style, doc, (const char**) params,  NULL, f, ctxt);
+       
+       secPrefsValue = INI_INT("xsl.security_prefs");
+       
+       /* if securityPrefs is set to NONE, we don't have to do any checks, but otherwise... */
+       if (secPrefsValue != XSL_SECPREF_NONE) {
+               secPrefs = xsltNewSecurityPrefs(); 
+               if (secPrefsValue & XSL_SECPREF_READ_FILE ) { 
+                       if (0 != xsltSetSecurityPrefs(secPrefs, XSLT_SECPREF_READ_FILE, xsltSecurityForbid)) { 
+                               secPrefsError = 1;
+                       }
+               }
+               if (secPrefsValue & XSL_SECPREF_WRITE_FILE ) { 
+                       if (0 != xsltSetSecurityPrefs(secPrefs, XSLT_SECPREF_WRITE_FILE, xsltSecurityForbid)) { 
+                               secPrefsError = 1;
+                       }
+               }
+               if (secPrefsValue & XSL_SECPREF_CREATE_DIRECTORY ) { 
+                       if (0 != xsltSetSecurityPrefs(secPrefs, XSLT_SECPREF_CREATE_DIRECTORY, xsltSecurityForbid)) { 
+                               secPrefsError = 1;
+                       }
+               }
+               if (secPrefsValue & XSL_SECPREF_READ_NETWORK) { 
+                       if (0 != xsltSetSecurityPrefs(secPrefs, XSLT_SECPREF_READ_NETWORK, xsltSecurityForbid)) { 
+                               secPrefsError = 1;
+                       }
+               }
+               if (secPrefsValue & XSL_SECPREF_WRITE_NETWORK) { 
+                       if (0 != xsltSetSecurityPrefs(secPrefs, XSLT_SECPREF_WRITE_NETWORK, xsltSecurityForbid)) { 
+                               secPrefsError = 1;
+                       }
+               }
+       
+               if (0 != xsltSetCtxtSecurityPrefs(secPrefs, ctxt)) { 
+                       secPrefsError = 1;
+               }
+       }
+       
+       if (secPrefsError == 1) {
+               php_error_docref(NULL TSRMLS_CC, E_WARNING, "Can't set libxslt security properties, not doing transformation for security reasons");
+       } else {
+               newdocp = xsltApplyStylesheetUser(style, doc, (const char**) params,  NULL, f, ctxt);
+       }
        if (f) {
                fclose(f);
        }
+       
        xsltFreeTransformContext(ctxt);
+       if (secPrefs) {
+               xsltFreeSecurityPrefs(secPrefs);
+       }
 
        if (intern->node_list != NULL) {
                zend_hash_destroy(intern->node_list);
--- php-5.3.3/php.ini-development.cve0057
+++ php-5.3.3/php.ini-development
@@ -1890,6 +1890,12 @@ ldap.max_links = -1
 [dba]
 ;dba.default_handler=
 
+[xsl]
+; Write operations from within XSLT are disabled by default.
+; XSL_SECPREF_CREATE_DIRECTORY | XSL_SECPREF_WRITE_NETWORK | XSL_SECPREF_WRITE_FILE = 44
+; Set it to 0 to allow all operations
+;xsl.security_prefs = 44
+
 ; Local Variables:
 ; tab-width: 4
 ; End:
--- php-5.3.3/php.ini-production.cve0057
+++ php-5.3.3/php.ini-production
@@ -1897,6 +1897,12 @@ ldap.max_links = -1
 [dba]
 ;dba.default_handler=
 
+[xsl]
+; Write operations from within XSLT are disabled by default.
+; XSL_SECPREF_CREATE_DIRECTORY | XSL_SECPREF_WRITE_NETWORK | XSL_SECPREF_WRITE_FILE = 44
+; Set it to 0 to allow all operations
+;xsl.security_prefs = 44
+
 ; Local Variables:
 ; tab-width: 4
 ; End:
--- php-5.3.3/UPGRADING.cve0057
+++ php-5.3.3/UPGRADING
@@ -150,6 +150,15 @@ UPGRADE NOTES - PHP 5.3
 
 - SplObjectStorage now has ArrayAccess support. It is also now possible to
   store associative information with objects in SplObjectStorage.
+  
+=====================
+4.1 New in PHP 5.3.9
+=====================
+
+- Write operations within XSLT (for example with the extension sax:output) are
+  disabled by default. You can define what is forbidden with the INI option
+  xsl.security_prefs. This option will be marked as deprecated in 5.4 again. 
+  Use the method XsltProcess::setSecurityPrefs($options) there.
 
 =============
 5. Deprecated
1
2	https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-0057
3
4	http://git.php.net/?p=php-src.git;a=commitdiff;h=b2287a42a0dfd8fe392051d8f25531051cd86322
5	http://git.php.net/?p=php-src.git;a=commitdiff;h=192511f75d915c723384da17b6ca265971727132
6	http://git.php.net/?p=php-src.git;a=commitdiff;h=c9b5d92821db7335632f8578871e2b75ac018f2a
7	http://git.php.net/?p=php-src.git;a=commitdiff;h=777a29fce22a741fedb69c83c3e7c2129372ee0e
8
9	--- php-5.3.3/ext/xsl/php_xsl.c.cve0057
10	+++ php-5.3.3/ext/xsl/php_xsl.c
11	@@ -141,6 +141,13 @@ zend_object_value xsl_objects_new(zend_c
12	}
13	/* }}} */
14
15	+PHP_INI_BEGIN()
16	+/* Default is not allowing any write operations.
17	+ XSL_SECPREF_CREATE_DIRECTORY \| XSL_SECPREF_WRITE_NETWORK \| XSL_SECPREF_WRITE_FILE == 44
18	+*/
19	+PHP_INI_ENTRY("xsl.security_prefs", "44", PHP_INI_ALL, NULL)
20	+PHP_INI_END()
21	+
22	/* {{{ PHP_MINIT_FUNCTION
23	*/
24	PHP_MINIT_FUNCTION(xsl)
25	@@ -167,6 +174,14 @@ PHP_MINIT_FUNCTION(xsl)
26	REGISTER_LONG_CONSTANT("XSL_CLONE_NEVER", -1, CONST_CS \| CONST_PERSISTENT);
27	REGISTER_LONG_CONSTANT("XSL_CLONE_ALWAYS", 1, CONST_CS \| CONST_PERSISTENT);
28
29	+ REGISTER_LONG_CONSTANT("XSL_SECPREF_NONE", XSL_SECPREF_NONE, CONST_CS \| CONST_PERSISTENT);
30	+ REGISTER_LONG_CONSTANT("XSL_SECPREF_READ_FILE", XSL_SECPREF_READ_FILE, CONST_CS \| CONST_PERSISTENT);
31	+ REGISTER_LONG_CONSTANT("XSL_SECPREF_WRITE_FILE", XSL_SECPREF_WRITE_FILE, CONST_CS \| CONST_PERSISTENT);
32	+ REGISTER_LONG_CONSTANT("XSL_SECPREF_CREATE_DIRECTORY", XSL_SECPREF_CREATE_DIRECTORY, CONST_CS \| CONST_PERSISTENT);
33	+ REGISTER_LONG_CONSTANT("XSL_SECPREF_READ_NETWORK", XSL_SECPREF_READ_NETWORK, CONST_CS \| CONST_PERSISTENT);
34	+ REGISTER_LONG_CONSTANT("XSL_SECPREF_WRITE_NETWORK", XSL_SECPREF_WRITE_NETWORK, CONST_CS \| CONST_PERSISTENT);
35	+ REGISTER_LONG_CONSTANT("XSL_SECPREF_DEFAULT", XSL_SECPREF_DEFAULT, CONST_CS \| CONST_PERSISTENT);
36	+
37	REGISTER_LONG_CONSTANT("LIBXSLT_VERSION", LIBXSLT_VERSION, CONST_CS \| CONST_PERSISTENT);
38	REGISTER_STRING_CONSTANT("LIBXSLT_DOTTED_VERSION", LIBXSLT_DOTTED_VERSION, CONST_CS \| CONST_PERSISTENT);
39
40	@@ -175,6 +190,8 @@ PHP_MINIT_FUNCTION(xsl)
41	REGISTER_STRING_CONSTANT("LIBEXSLT_DOTTED_VERSION", LIBEXSLT_DOTTED_VERSION, CONST_CS \| CONST_PERSISTENT);
42	#endif
43
44	+ REGISTER_INI_ENTRIES();
45	+
46	return SUCCESS;
47	}
48	/* }}} */
49	@@ -258,6 +275,8 @@ PHP_MSHUTDOWN_FUNCTION(xsl)
50
51	xsltCleanupGlobals();
52
53	+ UNREGISTER_INI_ENTRIES();
54	+
55	return SUCCESS;
56	}
57	/* }}} */
58	--- php-5.3.3/ext/xsl/php_xsl.h.cve0057
59	+++ php-5.3.3/ext/xsl/php_xsl.h
60	@@ -32,6 +32,7 @@ extern zend_module_entry xsl_module_entr
61	#include <libxslt/xsltInternals.h>
62	#include <libxslt/xsltutils.h>
63	#include <libxslt/transform.h>
64	+#include <libxslt/security.h>
65	#if HAVE_XSL_EXSLT
66	#include <libexslt/exslt.h>
67	#include <libexslt/exsltconfig.h>
68	@@ -43,6 +44,15 @@ extern zend_module_entry xsl_module_entr
69	#include <libxslt/extensions.h>
70	#include <libxml/xpathInternals.h>
71
72	+#define XSL_SECPREF_NONE 0
73	+#define XSL_SECPREF_READ_FILE 2
74	+#define XSL_SECPREF_WRITE_FILE 4
75	+#define XSL_SECPREF_CREATE_DIRECTORY 8
76	+#define XSL_SECPREF_READ_NETWORK 16
77	+#define XSL_SECPREF_WRITE_NETWORK 32
78	+/* Default == disable all write access == XSL_SECPREF_WRITE_NETWORK \| XSL_SECPREF_CREATE_DIRECTORY \| XSL_SECPREF_WRITE_FILE */
79	+#define XSL_SECPREF_DEFAULT 44
80	+
81	typedef struct _xsl_object {
82	zend_object std;
83	void *ptr;
84	--- php-5.3.3/ext/xsl/tests/bug54446.phpt.cve0057
85	+++ php-5.3.3/ext/xsl/tests/bug54446.phpt
86	@@ -0,0 +1,95 @@
87	+--TEST--
88	+Bug #54446 (Arbitrary file creation via libxslt 'output' extension)
89	+--SKIPIF--
90	+<?php
91	+if (!extension_loaded('xsl')) die("skip Extension XSL is required\n");
92	+?>
93	+--FILE--
94	+<?php
95	+include("prepare.inc");
96	+
97	+$outputfile = dirname(__FILE__)."/bug54446test.txt";
98	+if (file_exists($outputfile)) {
99	+ unlink($outputfile);
100	+}
101	+
102	+$sXsl = <<<EOT
103	+<xsl:stylesheet version="1.0"
104	+ xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
105	+ xmlns:sax="http://icl.com/saxon"
106	+ extension-element-prefixes="sax">
107	+
108	+ <xsl:template match="/">
109	+ <sax:output href="$outputfile" method="text">
110	+ <xsl:value-of select="'0wn3d via PHP and libxslt ...'"/>
111	+ </sax:output>
112	+ </xsl:template>
113	+
114	+</xsl:stylesheet>
115	+EOT;
116	+
117	+$xsl->loadXML( $sXsl );
118	+
119	+# START XSLT
120	+$proc->importStylesheet( $xsl );
121	+
122	+# TRASNFORM & PRINT
123	+print $proc->transformToXML( $dom );
124	+
125	+
126	+if (file_exists($outputfile)) {
127	+ print "$outputfile exists, but shouldn't!\n";
128	+} else {
129	+ print "OK, no file created\n";
130	+}
131	+
132	+#SET NO SECURITY PREFS
133	+ini_set("xsl.security_prefs", XSL_SECPREF_NONE);
134	+
135	+# TRASNFORM & PRINT
136	+print $proc->transformToXML( $dom );
137	+
138	+
139	+if (file_exists($outputfile)) {
140	+ print "OK, file exists\n";
141	+} else {
142	+ print "$outputfile doesn't exist, but should!\n";
143	+}
144	+
145	+unlink($outputfile);
146	+
147	+#SET SECURITY PREFS AGAIN
148	+ini_set("xsl.security_prefs", XSL_SECPREF_WRITE_FILE \| XSL_SECPREF_WRITE_NETWORK \| XSL_SECPREF_CREATE_DIRECTORY);
149	+
150	+# TRASNFORM & PRINT
151	+print $proc->transformToXML( $dom );
152	+
153	+if (file_exists($outputfile)) {
154	+ print "$outputfile exists, but shouldn't!\n";
155	+} else {
156	+ print "OK, no file created\n";
157	+}
158	+
159	+
160	+--EXPECTF--
161	+Warning: XSLTProcessor::transformToXml(): runtime error: file %s line %s element output in %s on line %d
162	+
163	+Warning: XSLTProcessor::transformToXml(): File write for %s/bug54446test.txt refused in %s on line %s
164	+
165	+Warning: XSLTProcessor::transformToXml(): runtime error: file %s line %d element output in %s on line %d
166	+
167	+Warning: XSLTProcessor::transformToXml(): xsltDocumentElem: write rights for %s/bug54446test.txt denied in %s on line %d
168	+OK, no file created
169	+OK, file exists
170	+
171	+Warning: XSLTProcessor::transformToXml(): runtime error: file %s line %s element output in %s on line %d
172	+
173	+Warning: XSLTProcessor::transformToXml(): File write for %s/bug54446test.txt refused in %s on line %s
174	+
175	+Warning: XSLTProcessor::transformToXml(): runtime error: file %s line %d element output in %s on line %d
176	+
177	+Warning: XSLTProcessor::transformToXml(): xsltDocumentElem: write rights for %s/bug54446test.txt denied in %s on line %d
178	+OK, no file created
179	+--CREDITS--
180	+Christian Stocker, chregu@php.net
181	+
182	--- php-5.3.3/ext/xsl/tests/bug54446_with_ini.phpt.cve0057
183	+++ php-5.3.3/ext/xsl/tests/bug54446_with_ini.phpt
184	@@ -0,0 +1,95 @@
185	+--TEST--
186	+Bug #54446 (Arbitrary file creation via libxslt 'output' extension with php.ini setting)
187	+--SKIPIF--
188	+<?php
189	+if (!extension_loaded('xsl')) die("skip Extension XSL is required\n");
190	+?>
191	+--FILE--
192	+<?php
193	+include("prepare.inc");
194	+
195	+$outputfile = dirname(__FILE__)."/bug54446test.txt";
196	+if (file_exists($outputfile)) {
197	+ unlink($outputfile);
198	+}
199	+
200	+$sXsl = <<<EOT
201	+<xsl:stylesheet version="1.0"
202	+ xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
203	+ xmlns:sax="http://icl.com/saxon"
204	+ extension-element-prefixes="sax">
205	+
206	+ <xsl:template match="/">
207	+ <sax:output href="$outputfile" method="text">
208	+ <xsl:value-of select="'0wn3d via PHP and libxslt ...'"/>
209	+ </sax:output>
210	+ </xsl:template>
211	+
212	+</xsl:stylesheet>
213	+EOT;
214	+
215	+$xsl->loadXML( $sXsl );
216	+
217	+# START XSLT
218	+$proc->importStylesheet( $xsl );
219	+
220	+# TRASNFORM & PRINT
221	+print $proc->transformToXML( $dom );
222	+
223	+
224	+if (file_exists($outputfile)) {
225	+ print "$outputfile exists, but shouldn't!\n";
226	+} else {
227	+ print "OK, no file created\n";
228	+}
229	+
230	+#SET NO SECURITY PREFS
231	+ini_set("xsl.security_prefs", XSL_SECPREF_NONE);
232	+
233	+# TRASNFORM & PRINT
234	+print $proc->transformToXML( $dom );
235	+
236	+
237	+if (file_exists($outputfile)) {
238	+ print "OK, file exists\n";
239	+} else {
240	+ print "$outputfile doesn't exist, but should!\n";
241	+}
242	+
243	+unlink($outputfile);
244	+
245	+#SET SECURITY PREFS AGAIN
246	+ini_set("xsl.security_prefs", XSL_SECPREF_WRITE_FILE \| XSL_SECPREF_WRITE_NETWORK \| XSL_SECPREF_CREATE_DIRECTORY);
247	+
248	+# TRASNFORM & PRINT
249	+print $proc->transformToXML( $dom );
250	+
251	+if (file_exists($outputfile)) {
252	+ print "$outputfile exists, but shouldn't!\n";
253	+} else {
254	+ print "OK, no file created\n";
255	+}
256	+
257	+
258	+--EXPECTF--
259	+Warning: XSLTProcessor::transformToXml(): runtime error: file %s line %s element output in %s on line %d
260	+
261	+Warning: XSLTProcessor::transformToXml(): File write for %s/bug54446test.txt refused in %s on line %s
262	+
263	+Warning: XSLTProcessor::transformToXml(): runtime error: file %s line %d element output in %s on line %d
264	+
265	+Warning: XSLTProcessor::transformToXml(): xsltDocumentElem: write rights for %s/bug54446test.txt denied in %s on line %d
266	+OK, no file created
267	+OK, file exists
268	+
269	+Warning: XSLTProcessor::transformToXml(): runtime error: file %s line %s element output in %s on line %d
270	+
271	+Warning: XSLTProcessor::transformToXml(): File write for %s/bug54446test.txt refused in %s on line %s
272	+
273	+Warning: XSLTProcessor::transformToXml(): runtime error: file %s line %d element output in %s on line %d
274	+
275	+Warning: XSLTProcessor::transformToXml(): xsltDocumentElem: write rights for %s/bug54446test.txt denied in %s on line %d
276	+OK, no file created
277	+--CREDITS--
278	+Christian Stocker, chregu@php.net
279	+
280	--- php-5.3.3/ext/xsl/xsltprocessor.c.cve0057
281	+++ php-5.3.3/ext/xsl/xsltprocessor.c
282	@@ -475,6 +475,9 @@ static xmlDocPtr php_xsl_apply_styleshee
283	zval doXInclude, member;
284	zend_object_handlers *std_hnd;
285	FILE *f;
286	+ int secPrefsError = 0;
287	+ int secPrefsValue;
288	+ xsltSecurityPrefsPtr secPrefs = NULL;
289
290	node = php_libxml_import_node(docp TSRMLS_CC);
291
292	@@ -531,11 +534,56 @@ static xmlDocPtr php_xsl_apply_styleshee
293	}
294	efree(member);
295
296	- newdocp = xsltApplyStylesheetUser(style, doc, (const char**) params, NULL, f, ctxt);
297	+
298	+ secPrefsValue = INI_INT("xsl.security_prefs");
299	+
300	+ /* if securityPrefs is set to NONE, we don't have to do any checks, but otherwise... */
301	+ if (secPrefsValue != XSL_SECPREF_NONE) {
302	+ secPrefs = xsltNewSecurityPrefs();
303	+ if (secPrefsValue & XSL_SECPREF_READ_FILE ) {
304	+ if (0 != xsltSetSecurityPrefs(secPrefs, XSLT_SECPREF_READ_FILE, xsltSecurityForbid)) {
305	+ secPrefsError = 1;
306	+ }
307	+ }
308	+ if (secPrefsValue & XSL_SECPREF_WRITE_FILE ) {
309	+ if (0 != xsltSetSecurityPrefs(secPrefs, XSLT_SECPREF_WRITE_FILE, xsltSecurityForbid)) {
310	+ secPrefsError = 1;
311	+ }
312	+ }
313	+ if (secPrefsValue & XSL_SECPREF_CREATE_DIRECTORY ) {
314	+ if (0 != xsltSetSecurityPrefs(secPrefs, XSLT_SECPREF_CREATE_DIRECTORY, xsltSecurityForbid)) {
315	+ secPrefsError = 1;
316	+ }
317	+ }
318	+ if (secPrefsValue & XSL_SECPREF_READ_NETWORK) {
319	+ if (0 != xsltSetSecurityPrefs(secPrefs, XSLT_SECPREF_READ_NETWORK, xsltSecurityForbid)) {
320	+ secPrefsError = 1;
321	+ }
322	+ }
323	+ if (secPrefsValue & XSL_SECPREF_WRITE_NETWORK) {
324	+ if (0 != xsltSetSecurityPrefs(secPrefs, XSLT_SECPREF_WRITE_NETWORK, xsltSecurityForbid)) {
325	+ secPrefsError = 1;
326	+ }
327	+ }
328	+
329	+ if (0 != xsltSetCtxtSecurityPrefs(secPrefs, ctxt)) {
330	+ secPrefsError = 1;
331	+ }
332	+ }
333	+
334	+ if (secPrefsError == 1) {
335	+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Can't set libxslt security properties, not doing transformation for security reasons");
336	+ } else {
337	+ newdocp = xsltApplyStylesheetUser(style, doc, (const char**) params, NULL, f, ctxt);
338	+ }
339	if (f) {
340	fclose(f);
341	}
342	+
343	xsltFreeTransformContext(ctxt);
344	+ if (secPrefs) {
345	+ xsltFreeSecurityPrefs(secPrefs);
346	+ }
347
348	if (intern->node_list != NULL) {
349	zend_hash_destroy(intern->node_list);
350	--- php-5.3.3/php.ini-development.cve0057
351	+++ php-5.3.3/php.ini-development
352	@@ -1890,6 +1890,12 @@ ldap.max_links = -1
353	[dba]
354	;dba.default_handler=
355
356	+[xsl]
357	+; Write operations from within XSLT are disabled by default.
358	+; XSL_SECPREF_CREATE_DIRECTORY \| XSL_SECPREF_WRITE_NETWORK \| XSL_SECPREF_WRITE_FILE = 44
359	+; Set it to 0 to allow all operations
360	+;xsl.security_prefs = 44
361	+
362	; Local Variables:
363	; tab-width: 4
364	; End:
365	--- php-5.3.3/php.ini-production.cve0057
366	+++ php-5.3.3/php.ini-production
367	@@ -1897,6 +1897,12 @@ ldap.max_links = -1
368	[dba]
369	;dba.default_handler=
370
371	+[xsl]
372	+; Write operations from within XSLT are disabled by default.
373	+; XSL_SECPREF_CREATE_DIRECTORY \| XSL_SECPREF_WRITE_NETWORK \| XSL_SECPREF_WRITE_FILE = 44
374	+; Set it to 0 to allow all operations
375	+;xsl.security_prefs = 44
376	+
377	; Local Variables:
378	; tab-width: 4
379	; End:
380	--- php-5.3.3/UPGRADING.cve0057
381	+++ php-5.3.3/UPGRADING
382	@@ -150,6 +150,15 @@ UPGRADE NOTES - PHP 5.3
383
384	- SplObjectStorage now has ArrayAccess support. It is also now possible to
385	store associative information with objects in SplObjectStorage.
386	+
387	+=====================
388	+4.1 New in PHP 5.3.9
389	+=====================
390	+
391	+- Write operations within XSLT (for example with the extension sax:output) are
392	+ disabled by default. You can define what is forbidden with the INI option
393	+ xsl.security_prefs. This option will be marked as deprecated in 5.4 again.
394	+ Use the method XsltProcess::setSecurityPrefs($options) there.
395
396	=============
397	5. Deprecated