Edit report at https://bugs.php.net/bug.php?id=54446&edit=1

ID:                 54446
Updated by:         [email protected]
Reported by:        nicolas dot gregoire at agarri dot fr
Summary:            Arbitrary file creation via libxslt 'output' extension
-Status:            Open
+Status:            Closed
Type:               Bug
Package:            XSLT related
Operating System:   All
PHP Version:        5.3.6
Assigned To:        chregu
Block user comment: N
Private report:     N

Previous Comments:
------------------------------------------------------------------------
[2011-10-11 05:18:13] [email protected]

This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

Thank you for the report, and for helping us make PHP better.

------------------------------------------------------------------------
[2011-10-11 05:09:43] [email protected]

It's now also in the PHP 5.3.x branch (will be in 5.3.9).

We couldn't use the same approach as in PHP 5.4 due to ABI
compatibility problems. We had to introduce an ini option.

Here's a code example, which works in 5.3 (actually anything >= 5.0)
and 5.4 for writing from within XSLT.

***
$xsl = new XSLTProcessor();

//if you want to write from within the XSLT
if (version_compare(PHP_VERSION,'5.4',"<")) {
    $oldval = ini_set("xsl.security_prefs",XSL_SECPREFS_NONE);
} else {
    $oldval = $xsl->setSecurityPreferences(XSL_SECPREFS_NONE);
}

$xsl->transformToXml(...);

//go back to the old setting. Better safe than sorry
if (version_compare(PHP_VERSION,'5.4',"<")) {
    ini_set("xsl.security_prefs",$oldval);
} else {
    $xsl->setSecurityPreferences($oldval);
    //or just do
    // $xsl = null;
    // to get away of this object
}

------------------------------------------------------------------------
[2011-10-05 18:11:06] [email protected]

Automatic comment from SVN on behalf of chregu
Revision: http://svn.php.net/viewvc/?view=revision&revision=317801
Log: Added test for Bug 54446
Init a variable to a default value to avoid issues

------------------------------------------------------------------------
[2011-10-05 09:55:39] [email protected]

Automatic comment from SVN on behalf of chregu
Revision: http://svn.php.net/viewvc/?view=revision&revision=317759
Log: Added xsl.security_prefs ini option to define forbidden operations
within XSLT stylesheets, default is not to enable write operations.
This option won't be in 5.4, since there's a new method.
Bug #54446

------------------------------------------------------------------------
[2011-09-12 12:44:34] [email protected]

Automatic comment from SVN on behalf of chregu
Revision: http://svn.php.net/viewvc/?view=revision&revision=316530
Log: Added test for XSL bug 54446

------------------------------------------------------------------------

The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at
https://bugs.php.net/bug.php?id=54446

--
Edit this bug report at https://bugs.php.net/bug.php?id=54446&edit=1
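A hardening and regression check for the fix discussed in chregu's comment, as an added example that is not part of the bug report, of chregu's snippet, or of PHP's own test suite. It does the opposite of the snippet above: instead of opening write access it enforces the restrictive default on every supported PHP version, reports which setting is actually in effect, and verifies that a stylesheet using the EXSLT document() output extension can no longer create a file. Assumptions: PHP 5.3.9 or later with ext/xsl on a POSIX system; the method names XSLTProcessor::setSecurityPrefs()/getSecurityPrefs() and the bitmask values WRITE_FILE=4, CREATE_DIRECTORY=8, WRITE_NETWORK=32 (default 44) are those of the released PHP 5.4 API and are assumed here, not taken from the report, which uses setSecurityPreferences / XSL_SECPREFS_NONE; the probe stylesheet, its temp-file target and the function names are constructed for this example.

```php
<?php
// Added example, not code from the bug report or from PHP's test suite.
// Assumptions: PHP >= 5.3.9 with ext/xsl; on PHP >= 5.4 the methods
// XSLTProcessor::setSecurityPrefs()/getSecurityPrefs() exist, on 5.3.9 to
// 5.6 only the xsl.security_prefs ini option does. Bitmask values below are
// the documented libxslt/PHP ones: WRITE_FILE=4, CREATE_DIRECTORY=8,
// WRITE_NETWORK=32; their sum (44) is XSL_SECPREF_DEFAULT on 5.4+.
define('XSLT_NO_WRITES', 4 | 8 | 32);

// Report the security preferences actually in effect for this processor,
// using whichever mechanism the running PHP version provides.
function xslt_effective_prefs(XSLTProcessor $proc)
{
    if (method_exists($proc, 'getSecurityPrefs')) {
        return (int) $proc->getSecurityPrefs();        // PHP >= 5.4
    }
    $ini = ini_get('xsl.security_prefs');              // PHP 5.3.9 .. 5.6
    return ($ini === false || $ini === '') ? null : (int) $ini;
}

// Run one transformation with file, directory and network writes forbidden,
// regardless of PHP version, then restore whatever was configured before.
function xslt_transform_no_writes(XSLTProcessor $proc, DOMDocument $input)
{
    if (method_exists($proc, 'setSecurityPrefs')) {
        $old = $proc->setSecurityPrefs(XSLT_NO_WRITES); // returns previous prefs
        $out = $proc->transformToXml($input);
        $proc->setSecurityPrefs($old);
        return $out;
    }
    $old = ini_set('xsl.security_prefs', XSLT_NO_WRITES);
    $out = $proc->transformToXml($input);
    if ($old !== false) {
        ini_set('xsl.security_prefs', $old);
    }
    return $out;
}

// Regression check for this bug: a constructed stylesheet tries to create a
// file through exsl:document. With writes forbidden, libxslt denies the write
// (transformToXml returns false and raises a warning) and no file appears.
function xslt_write_is_blocked()
{
    $target = tempnam(sys_get_temp_dir(), 'xslchk'); // constructed probe path
    unlink($target); // only the stylesheet could recreate it from here on

    $xsl = new DOMDocument();
    $xsl->loadXML('<xsl:stylesheet version="1.0"'
        . ' xmlns:xsl="http://www.w3.org/1999/XSL/Transform"'
        . ' xmlns:exsl="http://exslt.org/common" extension-element-prefixes="exsl">'
        . '<xsl:template match="/">'
        . '<exsl:document href="' . htmlspecialchars($target) . '" method="text">'
        . '<xsl:text>probe</xsl:text></exsl:document><ok/>'
        . '</xsl:template></xsl:stylesheet>');

    $input = new DOMDocument();
    $input->loadXML('<root/>');

    $proc = new XSLTProcessor();
    $proc->importStylesheet($xsl);

    // The denied write is reported as a PHP warning; suppress it for the check.
    @xslt_transform_no_writes($proc, $input);

    $created = file_exists($target);
    if ($created) {
        unlink($target); // clean up if the build is still vulnerable
    }
    return !$created;
}

printf("effective prefs: %s\n",
    var_export(xslt_effective_prefs(new XSLTProcessor()), true));
printf("write blocked: %s\n",
    xslt_write_is_blocked() ? 'yes' : 'NO - xsl.security_prefs / setSecurityPrefs not enforced');
```

Run it as `php check.php`. On a build carrying the fix (5.3.9+ or 5.4+) the effective preferences should already include the write bits and the second line should read "write blocked: yes"; on an older build the probe file is created, which is exactly the behaviour this report describes. The wrapper is useful beyond the check: an application that never needs XSLT output to the filesystem can route every transformation through it so the restriction does not depend on the ini default being left untouched.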
