Edit report at https://bugs.php.net/bug.php?id=54446&edit=1
 ID:                 54446
 Updated by:         fel...@php.net
 Reported by:        nicolas dot gregoire at agarri dot fr
 Summary:            Arbitrary file creation via libxslt 'output' extension
-Status:             Open
+Status:             Closed
 Type:               Bug
 Package:            XSLT related
 Operating System:   All
 PHP Version:        5.3.6
 Assigned To:        chregu
 Block user comment: N
 Private report:     N

Previous Comments:
------------------------------------------------------------------------
[2011-10-11 05:18:13] chr...@php.net

This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

Thank you for the report, and for helping us make PHP better.

------------------------------------------------------------------------
[2011-10-11 05:09:43] chr...@php.net

It's now also in the PHP 5.3.x branch (will be in 5.3.9). We couldn't
use the same approach as in PHP 5.4 due to ABI compatibility problems.
We had to introduce an ini option.

Here's a code example, which works in 5.3 (actually anything >= 5.0) and
5.4 for writing from within XSLT.

***
    $xsl = new XSLTProcessor();

    //if you want to write from within the XSLT
    if (version_compare(PHP_VERSION,'5.4',"<")) {
        $oldval = ini_set("xsl.security_prefs",XSL_SECPREFS_NONE);
    } else {
        $oldval = $xsl->setSecurityPreferences(XSL_SECPREFS_NONE);
    }

    $xsl->transformToXml(...);

    //go back to the old setting. Better safe than sorry
    if (version_compare(PHP_VERSION,'5.4',"<")) {
        ini_set("xsl.security_prefs",$oldval);
    } else {
        $xsl->setSecurityPreferences($oldval);
        //or just do
        // $xsl = null;
        // to get rid of this object
    }

------------------------------------------------------------------------
[2011-10-05 18:11:06] chr...@php.net

Automatic comment from SVN on behalf of chregu
Revision: http://svn.php.net/viewvc/?view=revision&revision=317801
Log: Added test for Bug 54446
Init a variable to a default value to avoid issues

------------------------------------------------------------------------
[2011-10-05 09:55:39] chr...@php.net

Automatic comment from SVN on behalf of chregu
Revision: http://svn.php.net/viewvc/?view=revision&revision=317759
Log: Added xsl.security_prefs ini option to define forbidden operations
within XSLT stylesheets, default is not to enable write operations. This
option won't be in 5.4, since there's a new method. Bug #54446

------------------------------------------------------------------------
[2011-09-12 12:44:34] chr...@php.net

Automatic comment from SVN on behalf of chregu
Revision: http://svn.php.net/viewvc/?view=revision&revision=316530
Log: Added test for XSL bug 54446

------------------------------------------------------------------------

The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at

    https://bugs.php.net/bug.php?id=54446
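
Added example, not code from the bug report or the PHP project: a narrower variant of the snippet in the 2011-10-11 comment that lifts only the file-write restriction instead of using XSL_SECPREFS_NONE, and restores the previous setting even when the transform throws. The function name `transformAllowingFileWrite` is hypothetical; it assumes the build defines XSL_SECPREFS_DEFAULT and XSL_SECPREFS_WRITE_FILE alongside XSL_SECPREFS_NONE, and that bits set in the mask are operations denied to the stylesheet.

```php
<?php
// Added example: hypothetical helper, not part of PHP or of the bug report.
// Bits set in the preference mask are operations the stylesheet is DENIED.
function transformAllowingFileWrite(XSLTProcessor $xsl, DOMDocument $doc)
{
    // Lift only the file-write restriction; directory creation and
    // network writes stay forbidden, unlike with XSL_SECPREFS_NONE.
    $prefs  = XSL_SECPREFS_DEFAULT & ~XSL_SECPREFS_WRITE_FILE;
    $useIni = version_compare(PHP_VERSION, '5.4', '<');

    $old = $useIni
        ? ini_set('xsl.security_prefs', (string) $prefs)
        : $xsl->setSecurityPreferences($prefs);

    $error  = null;
    $result = false;
    try {
        $result = $xsl->transformToXml($doc);
    } catch (Exception $e) {
        $error = $e; // restore first, rethrow below ("finally" needs PHP 5.5)
    }

    // Always put the previous setting back, including on failure.
    if ($useIni) {
        ini_set('xsl.security_prefs', $old);
    } else {
        $xsl->setSecurityPreferences($old);
    }
    if ($error !== null) {
        throw $error;
    }
    return $result;
}

// Constructed sample input: a stylesheet that only emits text.
$style = new DOMDocument();
$style->loadXML(
    '<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">'
    . '<xsl:output method="text"/><xsl:template match="/">ok</xsl:template>'
    . '</xsl:stylesheet>'
);
$doc = new DOMDocument();
$doc->loadXML('<root/>');

$xsl = new XSLTProcessor();
$xsl->importStylesheet($style);
echo transformAllowingFileWrite($xsl, $doc), "\n";
```

Call the helper only for stylesheets you control; stylesheets from any other source should run with the default preferences left in place.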