Added the xsl.security_prefs option to 5_4 and trunk and
mark it as deprecated for BC-reasons Added tests for ini option and combination of both
parent
92039e00b0
commit
777a29fce2
@ -153,6 +153,15 @@ UPGRADE NOTES - PHP 5.3
|
||||
|
||||
- SplObjectStorage now has ArrayAccess support. It is also now possible to
|
||||
store associative information with objects in SplObjectStorage.
|
||||
|
||||
=====================
|
||||
4.1 New in PHP 5.3.9
|
||||
=====================
|
||||
|
||||
- Write operations within XSLT (for example with the extension sax:output) are
|
||||
disabled by default. You can define what is forbidden with the INI option
|
||||
xsl.security_prefs. This option will be marked as deprecated in 5.4 again.
|
||||
Use the method XsltProcess::setSecurityPrefs($options) there.
|
||||
|
||||
=============
|
||||
5. Deprecated
|
||||
|
@ -180,6 +180,7 @@ PHP_MINIT_FUNCTION(xsl)
|
||||
REGISTER_LONG_CONSTANT("XSL_SECPREF_CREATE_DIRECTORY", XSL_SECPREF_CREATE_DIRECTORY, CONST_CS | CONST_PERSISTENT);
|
||||
REGISTER_LONG_CONSTANT("XSL_SECPREF_READ_NETWORK", XSL_SECPREF_READ_NETWORK, CONST_CS | CONST_PERSISTENT);
|
||||
REGISTER_LONG_CONSTANT("XSL_SECPREF_WRITE_NETWORK", XSL_SECPREF_WRITE_NETWORK, CONST_CS | CONST_PERSISTENT);
|
||||
REGISTER_LONG_CONSTANT("XSL_SECPREF_DEFAULT", XSL_SECPREF_DEFAULT, CONST_CS | CONST_PERSISTENT);
|
||||
|
||||
REGISTER_LONG_CONSTANT("LIBXSLT_VERSION", LIBXSLT_VERSION, CONST_CS | CONST_PERSISTENT);
|
||||
REGISTER_STRING_CONSTANT("LIBXSLT_DOTTED_VERSION", LIBXSLT_DOTTED_VERSION, CONST_CS | CONST_PERSISTENT);
|
||||
|
@ -50,6 +50,8 @@ extern zend_module_entry xsl_module_entry;
|
||||
#define XSL_SECPREF_CREATE_DIRECTORY 8
|
||||
#define XSL_SECPREF_READ_NETWORK 16
|
||||
#define XSL_SECPREF_WRITE_NETWORK 32
|
||||
/* Default == disable all write access == XSL_SECPREF_WRITE_NETWORK | XSL_SECPREF_CREATE_DIRECTORY | XSL_SECPREF_WRITE_FILE */
|
||||
#define XSL_SECPREF_DEFAULT 44
|
||||
|
||||
typedef struct _xsl_object {
|
||||
zend_object std;
|
||||
|
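Review bot: `XSL_SECPREF_DEFAULT` is hard-coded as `44` while the comment directly above it spells out the flags it is supposed to equal, so this security-relevant default can drift silently if a flag value is ever changed. Define it from the flags instead: `#define XSL_SECPREF_DEFAULT (XSL_SECPREF_WRITE_NETWORK | XSL_SECPREF_CREATE_DIRECTORY | XSL_SECPREF_WRITE_FILE)`. `XSL_SECPREF_WRITE_FILE` is defined above the hunk, presumably as 4 given 44 = 32 + 8 + 4. The comment should also say that, as written, the default leaves `XSL_SECPREF_READ_FILE` and `XSL_SECPREF_READ_NETWORK` unset, so a stylesheet can still read local files and network resources unless the caller forbids that explicitly.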
@ -1,5 +1,5 @@
|
||||
--TEST--
|
||||
Bug #54446 (Arbitrary file creation via libxslt 'output' extension)
|
||||
Bug #54446 (Arbitrary file creation via libxslt 'output' extension with php.ini setting)
|
||||
--SKIPIF--
|
||||
<?php
|
||||
if (!extension_loaded('xsl')) die("skip Extension XSL is required\n");
|
@ -476,7 +476,7 @@ static xmlDocPtr php_xsl_apply_stylesheet(zval *id, xsl_object *intern, xsltStyl
|
||||
zend_object_handlers *std_hnd;
|
||||
FILE *f;
|
||||
int secPrefsError = 0;
|
||||
int secPrefsIni;
|
||||
int secPrefsValue;
|
||||
xsltSecurityPrefsPtr secPrefs = NULL;
|
||||
|
||||
node = php_libxml_import_node(docp TSRMLS_CC);
|
||||
@ -535,32 +535,32 @@ static xmlDocPtr php_xsl_apply_stylesheet(zval *id, xsl_object *intern, xsltStyl
|
||||
efree(member);
|
||||
|
||||
|
||||
secPrefsIni = INI_INT("xsl.security_prefs");
|
||||
secPrefsValue = INI_INT("xsl.security_prefs");
|
||||
|
||||
//if securityPrefs is set to NONE, we don't have to do any checks, but otherwise...
|
||||
if (secPrefsIni != XSL_SECPREF_NONE) {
|
||||
/* if securityPrefs is set to NONE, we don't have to do any checks, but otherwise... */
|
||||
if (secPrefsValue != XSL_SECPREF_NONE) {
|
||||
secPrefs = xsltNewSecurityPrefs();
|
||||
if (secPrefsIni & XSL_SECPREF_READ_FILE ) {
|
||||
if (secPrefsValue & XSL_SECPREF_READ_FILE ) {
|
||||
if (0 != xsltSetSecurityPrefs(secPrefs, XSLT_SECPREF_READ_FILE, xsltSecurityForbid)) {
|
||||
secPrefsError = 1;
|
||||
}
|
||||
}
|
||||
if (secPrefsIni & XSL_SECPREF_WRITE_FILE ) {
|
||||
if (secPrefsValue & XSL_SECPREF_WRITE_FILE ) {
|
||||
if (0 != xsltSetSecurityPrefs(secPrefs, XSLT_SECPREF_WRITE_FILE, xsltSecurityForbid)) {
|
||||
secPrefsError = 1;
|
||||
}
|
||||
}
|
||||
if (secPrefsIni & XSL_SECPREF_CREATE_DIRECTORY ) {
|
||||
if (secPrefsValue & XSL_SECPREF_CREATE_DIRECTORY ) {
|
||||
if (0 != xsltSetSecurityPrefs(secPrefs, XSLT_SECPREF_CREATE_DIRECTORY, xsltSecurityForbid)) {
|
||||
secPrefsError = 1;
|
||||
}
|
||||
}
|
||||
if (secPrefsIni & XSL_SECPREF_READ_NETWORK) {
|
||||
if (secPrefsValue & XSL_SECPREF_READ_NETWORK) {
|
||||
if (0 != xsltSetSecurityPrefs(secPrefs, XSLT_SECPREF_READ_NETWORK, xsltSecurityForbid)) {
|
||||
secPrefsError = 1;
|
||||
}
|
||||
}
|
||||
if (secPrefsIni & XSL_SECPREF_WRITE_NETWORK) {
|
||||
if (secPrefsValue & XSL_SECPREF_WRITE_NETWORK) {
|
||||
if (0 != xsltSetSecurityPrefs(secPrefs, XSLT_SECPREF_WRITE_NETWORK, xsltSecurityForbid)) {
|
||||
secPrefsError = 1;
|
||||
}
|
||||
|
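Review bot: The result of `xsltNewSecurityPrefs()` is used without a NULL check, and the five flag blocks only record a failure in `secPrefsError`; nothing in the visible lines stops the transformation when a restriction could not be installed. Add `if (secPrefs == NULL) { secPrefsError = 1; }` right after the allocation, and a comment such as `/* secPrefsError must abort the transform: running without the requested restrictions is the unsafe outcome */`. `php_xsl_apply_stylesheet` continues past the end of this hunk, so the check on `secPrefsError` may already exist there; if it does not, the code fails open. As a style point, the five near-identical blocks would be easier to audit as one loop over a table of `XSL_SECPREF_*` / `XSLT_SECPREF_*` pairs.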