
Contents of /rpms/php/sme8/php-5.3.3-CVE-2012-0057.patch



Revision 1.1.2.1 - (show annotations) (download)
Fri Jun 29 14:45:08 2012 UTC (12 years, 5 months ago) by slords
Branch: redhat-upstream
CVS Tags: php-5_3_3-13_el5_9_1, php-5_3_3-13_el6
Changes since 1.1: +397 -0 lines
Upstream import

1
2 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-0057
3
4 http://git.php.net/?p=php-src.git;a=commitdiff;h=b2287a42a0dfd8fe392051d8f25531051cd86322
5 http://git.php.net/?p=php-src.git;a=commitdiff;h=192511f75d915c723384da17b6ca265971727132
6 http://git.php.net/?p=php-src.git;a=commitdiff;h=c9b5d92821db7335632f8578871e2b75ac018f2a
7 http://git.php.net/?p=php-src.git;a=commitdiff;h=777a29fce22a741fedb69c83c3e7c2129372ee0e
8
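--- php-5.3.3/ext/xsl/php_xsl.c.cve0057
+++ php-5.3.3/ext/xsl/php_xsl.c
@@ -141,6 +141,13 @@ zend_object_value xsl_objects_new(zend_c
 }
 /* }}} */
 
+PHP_INI_BEGIN()
+/* Default is not allowing any write operations.
+ XSL_SECPREF_CREATE_DIRECTORY | XSL_SECPREF_WRITE_NETWORK | XSL_SECPREF_WRITE_FILE == 44
+*/
+PHP_INI_ENTRY("xsl.security_prefs", "44", PHP_INI_ALL, NULL)
+PHP_INI_END()
+
 /* {{{ PHP_MINIT_FUNCTION
 */
 PHP_MINIT_FUNCTION(xsl)
@@ -167,6 +174,14 @@ PHP_MINIT_FUNCTION(xsl)
 REGISTER_LONG_CONSTANT("XSL_CLONE_NEVER", -1, CONST_CS | CONST_PERSISTENT);
 REGISTER_LONG_CONSTANT("XSL_CLONE_ALWAYS", 1, CONST_CS | CONST_PERSISTENT);
 
+ REGISTER_LONG_CONSTANT("XSL_SECPREF_NONE", XSL_SECPREF_NONE, CONST_CS | CONST_PERSISTENT);
+ REGISTER_LONG_CONSTANT("XSL_SECPREF_READ_FILE", XSL_SECPREF_READ_FILE, CONST_CS | CONST_PERSISTENT);
+ REGISTER_LONG_CONSTANT("XSL_SECPREF_WRITE_FILE", XSL_SECPREF_WRITE_FILE, CONST_CS | CONST_PERSISTENT);
+ REGISTER_LONG_CONSTANT("XSL_SECPREF_CREATE_DIRECTORY", XSL_SECPREF_CREATE_DIRECTORY, CONST_CS | CONST_PERSISTENT);
+ REGISTER_LONG_CONSTANT("XSL_SECPREF_READ_NETWORK", XSL_SECPREF_READ_NETWORK, CONST_CS | CONST_PERSISTENT);
+ REGISTER_LONG_CONSTANT("XSL_SECPREF_WRITE_NETWORK", XSL_SECPREF_WRITE_NETWORK, CONST_CS | CONST_PERSISTENT);
+ REGISTER_LONG_CONSTANT("XSL_SECPREF_DEFAULT", XSL_SECPREF_DEFAULT, CONST_CS | CONST_PERSISTENT);
+
 REGISTER_LONG_CONSTANT("LIBXSLT_VERSION", LIBXSLT_VERSION, CONST_CS | CONST_PERSISTENT);
 REGISTER_STRING_CONSTANT("LIBXSLT_DOTTED_VERSION", LIBXSLT_DOTTED_VERSION, CONST_CS | CONST_PERSISTENT);
 
@@ -175,6 +190,8 @@ PHP_MINIT_FUNCTION(xsl)
 REGISTER_STRING_CONSTANT("LIBEXSLT_DOTTED_VERSION", LIBEXSLT_DOTTED_VERSION, CONST_CS | CONST_PERSISTENT);
 #endif
 
+ REGISTER_INI_ENTRIES();
+
 return SUCCESS;
 }
 /* }}} */
@@ -258,6 +275,8 @@ PHP_MSHUTDOWN_FUNCTION(xsl)
 
 xsltCleanupGlobals();
 
+ UNREGISTER_INI_ENTRIES();
+
 return SUCCESS;
 }
 /* }}} */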
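Review bot: `PHP_INI_ENTRY("xsl.security_prefs", "44", PHP_INI_ALL, NULL)` registers the restriction with PHP_INI_ALL, so any script can lower it to 0 with ini_set(), which the new tests rely on. The setting therefore constrains what an untrusted stylesheet can do, not what untrusted PHP code can do, and the comment above the entry should say so, e.g. `/* A set bit FORBIDS the operation; PHP_INI_ALL lets scripts relax this at runtime. */`. The literal "44" also repeats XSL_SECPREF_DEFAULT from php_xsl.h, so the two have to be kept in sync by hand. The bodies of PHP_MINIT_FUNCTION and PHP_MSHUTDOWN_FUNCTION extend beyond the hunks shown.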
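--- php-5.3.3/ext/xsl/php_xsl.h.cve0057
+++ php-5.3.3/ext/xsl/php_xsl.h
@@ -32,6 +32,7 @@ extern zend_module_entry xsl_module_entr
 #include <libxslt/xsltInternals.h>
 #include <libxslt/xsltutils.h>
 #include <libxslt/transform.h>
+#include <libxslt/security.h>
 #if HAVE_XSL_EXSLT
 #include <libexslt/exslt.h>
 #include <libexslt/exsltconfig.h>
@@ -43,6 +44,15 @@ extern zend_module_entry xsl_module_entr
 #include <libxslt/extensions.h>
 #include <libxml/xpathInternals.h>
 
+#define XSL_SECPREF_NONE 0
+#define XSL_SECPREF_READ_FILE 2
+#define XSL_SECPREF_WRITE_FILE 4
+#define XSL_SECPREF_CREATE_DIRECTORY 8
+#define XSL_SECPREF_READ_NETWORK 16
+#define XSL_SECPREF_WRITE_NETWORK 32
+/* Default == disable all write access == XSL_SECPREF_WRITE_NETWORK | XSL_SECPREF_CREATE_DIRECTORY | XSL_SECPREF_WRITE_FILE */
+#define XSL_SECPREF_DEFAULT 44
+
 typedef struct _xsl_object {
 zend_object std;
 void *ptr;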
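Review bot: `#define XSL_SECPREF_DEFAULT 44` hard-codes the sum that the comment above it spells out. Defining it from the flags keeps the value and the comment from drifting apart: `#define XSL_SECPREF_DEFAULT (XSL_SECPREF_WRITE_FILE | XSL_SECPREF_CREATE_DIRECTORY | XSL_SECPREF_WRITE_NETWORK)`. The block also needs a comment stating that a set bit forbids the operation and that no flag uses the value 1, because the names alone read like permissions being granted. Note that the default leaves XSL_SECPREF_READ_FILE and XSL_SECPREF_READ_NETWORK clear, so reads requested by a stylesheet remain allowed.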
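--- php-5.3.3/ext/xsl/tests/bug54446.phpt.cve0057
+++ php-5.3.3/ext/xsl/tests/bug54446.phpt
@@ -0,0 +1,95 @@
+--TEST--
+Bug #54446 (Arbitrary file creation via libxslt 'output' extension)
+--SKIPIF--
+<?php
+if (!extension_loaded('xsl')) die("skip Extension XSL is required\n");
+?>
+--FILE--
+<?php
+include("prepare.inc");
+
+$outputfile = dirname(__FILE__)."/bug54446test.txt";
+if (file_exists($outputfile)) {
+ unlink($outputfile);
+}
+
+$sXsl = <<<EOT
+<xsl:stylesheet version="1.0"
+ xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+ xmlns:sax="http://icl.com/saxon"
+ extension-element-prefixes="sax">
+
+ <xsl:template match="/">
+ <sax:output href="$outputfile" method="text">
+ <xsl:value-of select="'0wn3d via PHP and libxslt ...'"/>
+ </sax:output>
+ </xsl:template>
+
+</xsl:stylesheet>
+EOT;
+
+$xsl->loadXML( $sXsl );
+
+# START XSLT
+$proc->importStylesheet( $xsl );
+
+# TRASNFORM & PRINT
+print $proc->transformToXML( $dom );
+
+
+if (file_exists($outputfile)) {
+ print "$outputfile exists, but shouldn't!\n";
+} else {
+ print "OK, no file created\n";
+}
+
+#SET NO SECURITY PREFS
+ini_set("xsl.security_prefs", XSL_SECPREF_NONE);
+
+# TRASNFORM & PRINT
+print $proc->transformToXML( $dom );
+
+
+if (file_exists($outputfile)) {
+ print "OK, file exists\n";
+} else {
+ print "$outputfile doesn't exist, but should!\n";
+}
+
+unlink($outputfile);
+
+#SET SECURITY PREFS AGAIN
+ini_set("xsl.security_prefs", XSL_SECPREF_WRITE_FILE | XSL_SECPREF_WRITE_NETWORK | XSL_SECPREF_CREATE_DIRECTORY);
+
+# TRASNFORM & PRINT
+print $proc->transformToXML( $dom );
+
+if (file_exists($outputfile)) {
+ print "$outputfile exists, but shouldn't!\n";
+} else {
+ print "OK, no file created\n";
+}
+
+
+--EXPECTF--
+Warning: XSLTProcessor::transformToXml(): runtime error: file %s line %s element output in %s on line %d
+
+Warning: XSLTProcessor::transformToXml(): File write for %s/bug54446test.txt refused in %s on line %s
+
+Warning: XSLTProcessor::transformToXml(): runtime error: file %s line %d element output in %s on line %d
+
+Warning: XSLTProcessor::transformToXml(): xsltDocumentElem: write rights for %s/bug54446test.txt denied in %s on line %d
+OK, no file created
+OK, file exists
+
+Warning: XSLTProcessor::transformToXml(): runtime error: file %s line %s element output in %s on line %d
+
+Warning: XSLTProcessor::transformToXml(): File write for %s/bug54446test.txt refused in %s on line %s
+
+Warning: XSLTProcessor::transformToXml(): runtime error: file %s line %d element output in %s on line %d
+
+Warning: XSLTProcessor::transformToXml(): xsltDocumentElem: write rights for %s/bug54446test.txt denied in %s on line %d
+OK, no file created
+--CREDITS--
+Christian Stocker, chregu@php.net
+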
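Review bot: The test has no `--CLEAN--` section and its last stage never removes bug54446test.txt, so a regression that lets the write through leaves the file next to the tests and can skew a later run. The unconditional `unlink($outputfile);` after the second stage also emits its own warning when that stage did not create the file, which obscures the real failure. A `--CLEAN--` section with `<?php @unlink(dirname(__FILE__)."/bug54446test.txt"); ?>` would keep runs independent. The first stage depends on the default `xsl.security_prefs` with no `--INI--` section pinning it, so a local php.ini override may change its outcome. $xsl, $proc and $dom come from prepare.inc, which is not part of this patch.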
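--- php-5.3.3/ext/xsl/tests/bug54446_with_ini.phpt.cve0057
+++ php-5.3.3/ext/xsl/tests/bug54446_with_ini.phpt
@@ -0,0 +1,95 @@
+--TEST--
+Bug #54446 (Arbitrary file creation via libxslt 'output' extension with php.ini setting)
+--SKIPIF--
+<?php
+if (!extension_loaded('xsl')) die("skip Extension XSL is required\n");
+?>
+--FILE--
+<?php
+include("prepare.inc");
+
+$outputfile = dirname(__FILE__)."/bug54446test.txt";
+if (file_exists($outputfile)) {
+ unlink($outputfile);
+}
+
+$sXsl = <<<EOT
+<xsl:stylesheet version="1.0"
+ xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+ xmlns:sax="http://icl.com/saxon"
+ extension-element-prefixes="sax">
+
+ <xsl:template match="/">
+ <sax:output href="$outputfile" method="text">
+ <xsl:value-of select="'0wn3d via PHP and libxslt ...'"/>
+ </sax:output>
+ </xsl:template>
+
+</xsl:stylesheet>
+EOT;
+
+$xsl->loadXML( $sXsl );
+
+# START XSLT
+$proc->importStylesheet( $xsl );
+
+# TRASNFORM & PRINT
+print $proc->transformToXML( $dom );
+
+
+if (file_exists($outputfile)) {
+ print "$outputfile exists, but shouldn't!\n";
+} else {
+ print "OK, no file created\n";
+}
+
+#SET NO SECURITY PREFS
+ini_set("xsl.security_prefs", XSL_SECPREF_NONE);
+
+# TRASNFORM & PRINT
+print $proc->transformToXML( $dom );
+
+
+if (file_exists($outputfile)) {
+ print "OK, file exists\n";
+} else {
+ print "$outputfile doesn't exist, but should!\n";
+}
+
+unlink($outputfile);
+
+#SET SECURITY PREFS AGAIN
+ini_set("xsl.security_prefs", XSL_SECPREF_WRITE_FILE | XSL_SECPREF_WRITE_NETWORK | XSL_SECPREF_CREATE_DIRECTORY);
+
+# TRASNFORM & PRINT
+print $proc->transformToXML( $dom );
+
+if (file_exists($outputfile)) {
+ print "$outputfile exists, but shouldn't!\n";
+} else {
+ print "OK, no file created\n";
+}
+
+
+--EXPECTF--
+Warning: XSLTProcessor::transformToXml(): runtime error: file %s line %s element output in %s on line %d
+
+Warning: XSLTProcessor::transformToXml(): File write for %s/bug54446test.txt refused in %s on line %s
+
+Warning: XSLTProcessor::transformToXml(): runtime error: file %s line %d element output in %s on line %d
+
+Warning: XSLTProcessor::transformToXml(): xsltDocumentElem: write rights for %s/bug54446test.txt denied in %s on line %d
+OK, no file created
+OK, file exists
+
+Warning: XSLTProcessor::transformToXml(): runtime error: file %s line %s element output in %s on line %d
+
+Warning: XSLTProcessor::transformToXml(): File write for %s/bug54446test.txt refused in %s on line %s
+
+Warning: XSLTProcessor::transformToXml(): runtime error: file %s line %d element output in %s on line %d
+
+Warning: XSLTProcessor::transformToXml(): xsltDocumentElem: write rights for %s/bug54446test.txt denied in %s on line %d
+OK, no file created
+--CREDITS--
+Christian Stocker, chregu@php.net
+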
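Review bot: Apart from its --TEST-- title this file is line-for-line the same as bug54446.phpt: it also drives the setting through ini_set() and has no `--INI--` section, so the "with php.ini setting" case named in the title is not exercised separately. Both tests write the same `bug54446test.txt` in the same directory, so they can interfere with each other if the suite runs them concurrently. Adding an `--INI--` section with `xsl.security_prefs=44` and giving this test its own output file name (with the EXPECTF lines adjusted to match) would make it cover what its title says.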
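--- php-5.3.3/ext/xsl/xsltprocessor.c.cve0057
+++ php-5.3.3/ext/xsl/xsltprocessor.c
@@ -475,6 +475,9 @@ static xmlDocPtr php_xsl_apply_styleshee
 zval *doXInclude, *member;
 zend_object_handlers *std_hnd;
 FILE *f;
+ int secPrefsError = 0;
+ int secPrefsValue;
+ xsltSecurityPrefsPtr secPrefs = NULL;
 
 node = php_libxml_import_node(docp TSRMLS_CC);
 
@@ -531,11 +534,56 @@ static xmlDocPtr php_xsl_apply_styleshee
 }
 efree(member);
 
- newdocp = xsltApplyStylesheetUser(style, doc, (const char**) params, NULL, f, ctxt);
+
+ secPrefsValue = INI_INT("xsl.security_prefs");
+
+ /* if securityPrefs is set to NONE, we don't have to do any checks, but otherwise... */
+ if (secPrefsValue != XSL_SECPREF_NONE) {
+ secPrefs = xsltNewSecurityPrefs();
+ if (secPrefsValue & XSL_SECPREF_READ_FILE ) {
+ if (0 != xsltSetSecurityPrefs(secPrefs, XSLT_SECPREF_READ_FILE, xsltSecurityForbid)) {
+ secPrefsError = 1;
+ }
+ }
+ if (secPrefsValue & XSL_SECPREF_WRITE_FILE ) {
+ if (0 != xsltSetSecurityPrefs(secPrefs, XSLT_SECPREF_WRITE_FILE, xsltSecurityForbid)) {
+ secPrefsError = 1;
+ }
+ }
+ if (secPrefsValue & XSL_SECPREF_CREATE_DIRECTORY ) {
+ if (0 != xsltSetSecurityPrefs(secPrefs, XSLT_SECPREF_CREATE_DIRECTORY, xsltSecurityForbid)) {
+ secPrefsError = 1;
+ }
+ }
+ if (secPrefsValue & XSL_SECPREF_READ_NETWORK) {
+ if (0 != xsltSetSecurityPrefs(secPrefs, XSLT_SECPREF_READ_NETWORK, xsltSecurityForbid)) {
+ secPrefsError = 1;
+ }
+ }
+ if (secPrefsValue & XSL_SECPREF_WRITE_NETWORK) {
+ if (0 != xsltSetSecurityPrefs(secPrefs, XSLT_SECPREF_WRITE_NETWORK, xsltSecurityForbid)) {
+ secPrefsError = 1;
+ }
+ }
+
+ if (0 != xsltSetCtxtSecurityPrefs(secPrefs, ctxt)) {
+ secPrefsError = 1;
+ }
+ }
+
+ if (secPrefsError == 1) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Can't set libxslt security properties, not doing transformation for security reasons");
+ } else {
+ newdocp = xsltApplyStylesheetUser(style, doc, (const char**) params, NULL, f, ctxt);
+ }
 if (f) {
 fclose(f);
 }
+
 xsltFreeTransformContext(ctxt);
+ if (secPrefs) {
+ xsltFreeSecurityPrefs(secPrefs);
+ }
 
 if (intern->node_list != NULL) {
 zend_hash_destroy(intern->node_list);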
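Review bot: On the `secPrefsError == 1` path `newdocp` is never assigned, and its declaration lies outside both hunks; unless it is initialised there, the code after the warning works with an indeterminate pointer. Declaring it as `xmlDocPtr newdocp = NULL;` or adding `newdocp = NULL;` in the error branch makes the refusal path well defined. The result of `xsltNewSecurityPrefs()` is also used unchecked: a NULL return is caught only indirectly, when a later xsltSetSecurityPrefs() call fails, and a non-zero setting with none of the five known bits set skips those calls entirely. An explicit `if (secPrefs == NULL) { secPrefsError = 1; }` right after the allocation would make the fail-closed intent unambiguous.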
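--- php-5.3.3/php.ini-development.cve0057
+++ php-5.3.3/php.ini-development
@@ -1890,6 +1890,12 @@ ldap.max_links = -1
 [dba]
 ;dba.default_handler=
 
+[xsl]
+; Write operations from within XSLT are disabled by default.
+; XSL_SECPREF_CREATE_DIRECTORY | XSL_SECPREF_WRITE_NETWORK | XSL_SECPREF_WRITE_FILE = 44
+; Set it to 0 to allow all operations
+;xsl.security_prefs = 44
+
 ; Local Variables:
 ; tab-width: 4
 ; End: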
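Review bot: The added comment `; Set it to 0 to allow all operations` does not say that each set bit forbids one operation, nor that the default of 44 leaves file and network reads permitted (XSL_SECPREF_READ_FILE is 2 and XSL_SECPREF_READ_NETWORK is 16 in php_xsl.h). Administrators who transform stylesheets from untrusted sources would want that spelled out, for example `; Each bit forbids one operation; 44 blocks writes only, add 2 and 16 (= 62) to forbid reads as well.` The same comment block is added to php.ini-production and needs the same wording.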
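--- php-5.3.3/php.ini-production.cve0057
+++ php-5.3.3/php.ini-production
@@ -1897,6 +1897,12 @@ ldap.max_links = -1
 [dba]
 ;dba.default_handler=
 
+[xsl]
+; Write operations from within XSLT are disabled by default.
+; XSL_SECPREF_CREATE_DIRECTORY | XSL_SECPREF_WRITE_NETWORK | XSL_SECPREF_WRITE_FILE = 44
+; Set it to 0 to allow all operations
+;xsl.security_prefs = 44
+
 ; Local Variables:
 ; tab-width: 4
 ; End: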
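--- php-5.3.3/UPGRADING.cve0057
+++ php-5.3.3/UPGRADING
@@ -150,6 +150,15 @@ UPGRADE NOTES - PHP 5.3
 
 - SplObjectStorage now has ArrayAccess support. It is also now possible to
 store associative information with objects in SplObjectStorage.
+
+=====================
+4.1 New in PHP 5.3.9
+=====================
+
+- Write operations within XSLT (for example with the extension sax:output) are
+ disabled by default. You can define what is forbidden with the INI option
+ xsl.security_prefs. This option will be marked as deprecated in 5.4 again.
+ Use the method XsltProcess::setSecurityPrefs($options) there.
 
 =============
 5. Deprecated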
