Hi again
I just had the idea for a 4th option. Won't be less controversy, but
it's backwards and forwards compatible.
4) use a php ini setting in PHP 5.3
I know, we try to avoid that as much as possible. BUT
* It will only be in 5.3, not even committed to 5.4
* If you don't have the ini setting, your XSLT can't write files, the
error will be pretty obvious. If you just read and transform, nothing
will or has to change
* Only a very very very small fraction will need to set this ini setting
The code for enable writing again, which would work in 5.0 - 5.4+ looks
like this. With my first proposal, I'd need much more if/else to make my
code work on 5.3.8-/5.3.9+/5.4+
***
$xsl = new XSLTProcessor();
//if you want to write from within the XSLT
$oldvalini = ini_set("xsl_security_prefs",XSL_SECPREFS_NONE);
if (version_compare(PHP_VERSION,'5.4',">=")) {
$oldval = $xsl->setSecurityPreferences(XSL_SECPREFS_NONE);
}
$xsl->transformToXml(...);
//go back to the old setting. Better safe than sorry
ini_set("xsl_security_prefs",$oldvalini);
if (version_compare(PHP_VERSION,'5.4',">=")) {
$xsl->setSecurityPreferences($oldval);
}
***
chregu
On 26.09.11 19:59, Christian Stocker wrote:
> Hi
>
> Some weeks ago I wrote a patch to disable writing from within XSLT
> templates. That patch is now in 5.4 but wasn't accepted in PHP 5.3 since
> it changed a struct in the header file.
>
> I have now I new patch which doesn't need that changing in the struct,
> but I need a new .h file from libxslt.
>
> https://gist.github.com/3d3d3c3418236f748118 (unfinished patch, just a
> proof of concept, but the basics are there)
>
> Can anybody tell me, if that still breaks binary compatibility for
> extensions or if that would be ok?
>
> Then a more general question:
>
> There are now 2 ways to enable write access again (in 5.4). Via an
> additional optional parameter to the transform methods (this works with
> the patch above in 5.3 also) or via the new 5.4 only method
> ->setSecurityPrefs(). The former is from a clean API point of view not
> nice, adding more and more optional parameters to methods is the ticket
> to hell usually. But I can't come up with a better solution for 5.3
> without breaking the ABI. And since it's somehow a security issue, I
> would sleep better a lot, if we have a proper patch for 5.3 as well.
>
> To keep BC, I can't just delete the optional parameter again for 5.4,
> that would make portable code a pain. OTOH, the way I did it know, it
> breaks BC with PHP < 5.3.9, if you want to enable write access in xslt
> templates in PHP 5.3.9+. If you don't need that, which is maybe 99.9% of
> all cases, BC is kept for since PHP 5.0 until much after PHP 5.4 :)
>
> So there are 3 options
>
> 1) leave it like it is currently. No write protection in 5.3, only in 5.4
> 2) Have 2 ways to enable write access from 5.3.9+ and 5.4.
> 3) Remove the ->setSecurityPrefs() in 5.4, so there's only one way to
> enable write access again, but it's the nasty one from a clean API POV.
>
> For 2) and 3), code with those new options won't work anymore in 5.3.8-
> (but you can check it in PHP user land and treat it differently), but
> you get write protection automatically
>
> Again, all this will only affect a very small fraction of users, those
> who legitimately wrote files from within XSLT.
>
> Any opinions? Me personally would like to have it in PHP 5.3 (or at
> least offer a proper patch).
>
> chregu
>
--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
