Edit report at https://bugs.php.net/bug.php?id=54446&edit=1

 ID:                 54446
 Updated by:         fel...@php.net
 Reported by:        nicolas dot gregoire at agarri dot fr
 Summary:            Arbitrary file creation via libxslt 'output'
                     extension
-Status:             Open
+Status:             Closed
 Type:               Bug
 Package:            XSLT related
 Operating System:   All
 PHP Version:        5.3.6
 Assigned To:        chregu
 Block user comment: N
 Private report:     N



Previous Comments:
------------------------------------------------------------------------
[2011-10-11 05:18:13] chr...@php.net

This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.



------------------------------------------------------------------------
[2011-10-11 05:09:43] chr...@php.net

It's now also in the PHP 5.3.x branch (will be in 5.3.9). We couldn't use the 
same approach as in PHP 5.4 due to ABI compatibility problems. We had to 
introduce an ini option. Here's a code example, which works in 5.3 (actually 
anything >= 5.0) and 5.4 for writing from within XSLT. 


***
$xsl = new XSLTProcessor();

// if you want to write from within the XSLT
// (the constant is XSL_SECPREF_NONE, without a trailing "S")
if (version_compare(PHP_VERSION,'5.4',"<")) {
    $oldval = ini_set("xsl.security_prefs",XSL_SECPREF_NONE);
} else {
    $oldval = $xsl->setSecurityPreferences(XSL_SECPREF_NONE);
}

$xsl->transformToXml(...);

// go back to the old setting. Better safe than sorry
if (version_compare(PHP_VERSION,'5.4',"<")) {
    ini_set("xsl.security_prefs",$oldval);
} else {
    $xsl->setSecurityPreferences($oldval);
    // or just do
    // $xsl = null;
    // to get rid of this object
}

------------------------------------------------------------------------
[2011-10-05 18:11:06] chr...@php.net

Automatic comment from SVN on behalf of chregu
Revision: http://svn.php.net/viewvc/?view=revision&revision=317801
Log: Added test for Bug 54446
Init a variable to a default value to avoid issues

------------------------------------------------------------------------
[2011-10-05 09:55:39] chr...@php.net

Automatic comment from SVN on behalf of chregu
Revision: http://svn.php.net/viewvc/?view=revision&revision=317759
Log: Added xsl.security_prefs ini option to define forbidden operations within 
XSLT
stylesheets, default is not to enable write operations. This option won't be
in 5.4, since there's a new method. Bug #54446

------------------------------------------------------------------------
[2011-09-12 12:44:34] chr...@php.net

Automatic comment from SVN on behalf of chregu
Revision: http://svn.php.net/viewvc/?view=revision&revision=316530
Log: Added test for XSL bug 54446

------------------------------------------------------------------------
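
The 2011-10-11 comment above shows how to lift the restriction; the following added example (not code from the bug report or from PHP itself) does the opposite and keeps every write operation denied around a transform, then checks that a write is refused. The function names and the constructed probe stylesheet are assumptions.

```php
<?php
// Added example: hypothetical helper names, constructed probe stylesheet.

// Run a transform with file writes, directory creation and network writes
// denied, via the ini option (PHP < 5.4) or the method (PHP >= 5.4).
function transform_denying_writes(DOMDocument $style, DOMDocument $input)
{
    $deny = XSL_SECPREF_WRITE_FILE | XSL_SECPREF_CREATE_DIRECTORY
          | XSL_SECPREF_WRITE_NETWORK;
    $xsl    = new XSLTProcessor();
    $useIni = version_compare(PHP_VERSION, '5.4', '<');
    $old    = $useIni ? ini_set('xsl.security_prefs', $deny)
                      : $xsl->setSecurityPreferences($deny);

    $xsl->importStylesheet($style);
    // A refused write aborts the transform: PHP warns and returns false.
    $result = @$xsl->transformToXml($input);

    // Restore whatever the caller had configured before.
    if ($useIni) {
        ini_set('xsl.security_prefs', $old);
    } else {
        $xsl->setSecurityPreferences($old);
    }
    return $result;
}

// Self-check: a constructed stylesheet tries to write a marker file into
// the temp directory; with writes denied the file must not appear.
function write_is_blocked()
{
    $probe = sys_get_temp_dir() . DIRECTORY_SEPARATOR
           . 'xsl_probe_' . uniqid() . '.txt';
    $style = new DOMDocument();
    $style->loadXML(
        '<xsl:stylesheet version="1.0"'
      . ' xmlns:xsl="http://www.w3.org/1999/XSL/Transform"'
      . ' xmlns:exsl="http://exslt.org/common"'
      . ' extension-element-prefixes="exsl"><xsl:template match="/">'
      . '<exsl:document href="' . htmlspecialchars($probe) . '" method="text">'
      . 'probe</exsl:document></xsl:template></xsl:stylesheet>'
    );
    $input = new DOMDocument();
    $input->loadXML('<root/>');

    transform_denying_writes($style, $input);
    $blocked = !file_exists($probe);
    if (!$blocked) { unlink($probe); }   // clean up if the write went through
    return $blocked;
}

var_dump(write_is_blocked());
```

The check also passes if the libxslt build does not implement the extension element at all, so treat a `true` result as "no file was written", not as proof that the security preference was what stopped it.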


The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at

    https://bugs.php.net/bug.php?id=54446


-- 
Edit this bug report at https://bugs.php.net/bug.php?id=54446&edit=1
