Edit report at https://bugs.php.net/bug.php?id=54446&edit=1
ID: 54446
Comment by: daniel at dnaielcraig dot me
Reported by: nicolas dot gregoire at agarri dot fr
Summary: Arbitrary file creation via libxslt 'output' extension
Status: Closed
Type: Bug
Package: XSLT related
Operating System: All
PHP Version: 5.3.6
Assigned To: chregu
Block user comment: N
Private report: N
CVE-ID: 2012-0057
New Comment:
Since the fix for this came through Debian repos (today) I'm getting the error:
Warning: XSLTProcessor::transformToXml(): Can't set libxslt security properties, not doing transformation for security reasons
Previous Comments:
------------------------------------------------------------------------
[2011-10-11 05:18:13] [email protected]
This bug has been fixed in SVN.
Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
Thank you for the report, and for helping us make PHP better.
------------------------------------------------------------------------
[2011-10-11 05:09:43] [email protected]
It's now also in the PHP 5.3.x branch (will be in 5.3.9). We couldn't use the
same approach as in PHP 5.4 due to ABI compatibility problems. We had to
introduce an ini option. Here's a code example, which works in 5.3 (actually
anything >= 5.0) and 5.4 for writing from within XSLT.
***
$xsl = new XSLTProcessor();
// If you want to write from within the XSLT, clear the security preferences.
// PHP 5.3.9+ only has the ini option; PHP 5.4 has a method on the processor,
// which shipped in 5.4.0 under the name setSecurityPrefs() and returns the
// previous value.
if (version_compare(PHP_VERSION, '5.4', '<')) {
    $oldval = ini_set('xsl.security_prefs', XSL_SECPREFS_NONE);
} else {
    $oldval = $xsl->setSecurityPrefs(XSL_SECPREFS_NONE);
}
$xsl->transformToXml(...);
// Go back to the old setting. Better safe than sorry.
if (version_compare(PHP_VERSION, '5.4', '<')) {
    ini_set('xsl.security_prefs', $oldval);
} else {
    $xsl->setSecurityPrefs($oldval);
    // or just do
    // $xsl = null;
    // to get rid of this object
}
------------------------------------------------------------------------
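The following is an added, self-contained example (editor's code, not from the bug report, PHP's test suite or chregu's comment) showing what the fix above actually blocks. A constructed stylesheet tries to create a file through EXSLT's exsl:document element, which is the libxslt write path this report is about. With PHP's default preferences (writes to files, directories and network forbidden) the file is not created; with XSL_SECPREFS_NONE, toggled the same way chregu's snippet does it for 5.3 and 5.4, it is. The target path, the helper name transform_with_prefs and the sample input document are assumptions made for the demo; it needs ext/xsl on a PHP build that contains the fix (5.3.9+ or 5.4.0+).

```php
<?php
// Added example for bug #54446 (not from the report or from PHP itself).
// Demonstrates that xsl.security_prefs / setSecurityPrefs() decide whether a
// stylesheet may write a file via <exsl:document>.

if (!defined('XSL_SECPREFS_NONE')) {
    // Builds without the fix have no preferences at all: every write succeeds,
    // which is exactly the reported bug.
    die("This PHP build predates the fix for bug #54446; stylesheet writes are unrestricted.\n");
}

// Constructed target (assumption). In the real bug the path is whatever the
// stylesheet author chooses, e.g. a webroot.
$target = sys_get_temp_dir() . '/bug54446-demo.txt';

// Constructed stylesheet: writes a second output document to $target.
$stylesheet = <<<XSL
<?xml version="1.0"?>
<xsl:stylesheet version="1.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    xmlns:exsl="http://exslt.org/common"
    extension-element-prefixes="exsl">
  <xsl:template match="/">
    <exsl:document href="file://{$target}" method="text">written from inside the stylesheet</exsl:document>
    <result/>
  </xsl:template>
</xsl:stylesheet>
XSL;

// Run one transformation under the given security preferences and restore the
// previous value afterwards. Same version split as chregu's snippet: PHP 5.3.9
// only has the ini option, PHP 5.4 has the processor method. Hypothetical helper.
function transform_with_prefs($stylesheetXml, $prefs)
{
    $xslDoc = new DOMDocument();
    $xslDoc->loadXML($stylesheetXml);
    $input = new DOMDocument();
    $input->loadXML('<root/>');           // constructed input document

    $xsl = new XSLTProcessor();
    $xsl->importStylesheet($xslDoc);

    $legacy = version_compare(PHP_VERSION, '5.4', '<');
    $old = $legacy ? ini_set('xsl.security_prefs', $prefs)
                   : $xsl->setSecurityPrefs($prefs);

    // Under forbidding prefs libxslt reports "write rights ... denied" for the
    // exsl:document target; the main result is still returned.
    $out = $xsl->transformToXml($input);

    if ($legacy) {
        ini_set('xsl.security_prefs', $old);
    } else {
        $xsl->setSecurityPrefs($old);
    }
    return $out;
}

// PHP's default after the fix: no file writes, no directory creation, no network writes.
$hardened = XSL_SECPREFS_WRITE_FILE | XSL_SECPREFS_CREATE_DIRECTORY | XSL_SECPREFS_WRITE_NETWORK;

@unlink($target);
transform_with_prefs($stylesheet, $hardened);
printf("default prefs:     file %s\n",
    file_exists($target) ? 'WRITTEN (unexpected)' : 'not written (expected)');

@unlink($target);
transform_with_prefs($stylesheet, XSL_SECPREFS_NONE);
printf("XSL_SECPREFS_NONE: file %s\n",
    file_exists($target) ? 'written (expected)' : 'not written');
@unlink($target);
```

The point for anyone who processes untrusted stylesheets: leave the default in place and only clear the bits you need (e.g. drop XSL_SECPREFS_WRITE_FILE alone) for the one transformation that requires them, restoring the old value right after, as chregu's snippet does. Clearing everything with XSL_SECPREFS_NONE re-opens the original bug for that call.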
[2011-10-05 18:11:06] [email protected]
Automatic comment from SVN on behalf of chregu
Revision: http://svn.php.net/viewvc/?view=revision&revision=317801
Log: Added test for Bug 54446
Init a variable to a default value to avoid issues
------------------------------------------------------------------------
[2011-10-05 09:55:39] [email protected]
Automatic comment from SVN on behalf of chregu
Revision: http://svn.php.net/viewvc/?view=revision&revision=317759
Log: Added xsl.security_prefs ini option to define forbidden operations within XSLT
stylesheets, default is not to enable write operations. This option won't be
in 5.4, since there's a new method. Bug #54446
------------------------------------------------------------------------
[2011-09-12 12:44:34] [email protected]
Automatic comment from SVN on behalf of chregu
Revision: http://svn.php.net/viewvc/?view=revision&revision=316530
Log: Added test for XSL bug 54446
------------------------------------------------------------------------
The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at
https://bugs.php.net/bug.php?id=54446