Edit report at https://bugs.php.net/bug.php?id=54446&edit=1

 ID:                 54446
 Updated by:         chr...@php.net
 Reported by:        nicolas dot gregoire at agarri dot fr
 Summary:            Arbitrary file creation via libxslt 'output'
                     extension
-Status:             To be documented
+Status:             Closed
 Type:               Bug
 Package:            XSLT related
 Operating System:   All
 PHP Version:        5.3.6
-Assigned To:        
+Assigned To:        chregu
 Block user comment: N
 Private report:     N

 New Comment:

It's now also in the PHP 5.3.x branch (will be in 5.3.9). We couldn't use the 
same approach as in PHP 5.4 due to ABI compatibility problems. We had to 
introduce an ini option. Here's a code example, which works in 5.3 (actually 
anything >= 5.0) and 5.4 for writing from within XSLT. 


***
$xsl = new XSLTProcessor();

//if you want to write from within the XSLT
if (version_compare(PHP_VERSION,'5.4',"<")) {
    $oldval = ini_set("xsl.security_prefs",XSL_SECPREF_NONE);
} else {
    $oldval = $xsl->setSecurityPrefs(XSL_SECPREF_NONE);
}

$xsl->transformToXml(...);

//go back to the old setting. Better safe than sorry
if (version_compare(PHP_VERSION,'5.4',"<")) {
    ini_set("xsl.security_prefs",$oldval);
} else {
    $xsl->setSecurityPrefs($oldval);
    //or just do
    // $xsl = null;
    // to get rid of this object
}
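
The comment above turns every restriction off for the duration of the transform. As an added example (not code from the bug report or from PHP itself), the same save/restore pattern can lift only the file-write restriction and keep the rest of the default mask; the function names are hypothetical, and it assumes the `XSL_SECPREF_*` constants are defined (5.3.9 or later).

```php
<?php
// Added example; applyXslPrefs() and transformAllowingFileWrite() are hypothetical names.
// The security prefs value is a bitmask of operations FORBIDDEN to the stylesheet.

// Apply a mask using the mechanism for the running branch; returns the previous mask.
function applyXslPrefs(XSLTProcessor $xsl, $prefs)
{
    if (version_compare(PHP_VERSION, '5.4', '<')) {
        // 5.3.x: ini setting, affects every XSLTProcessor in this request
        $old = ini_set('xsl.security_prefs', (string) $prefs);
        if ($old === false) {
            // Fail closed: never treat a failed ini_set() as "old value 0"
            throw new RuntimeException('xsl.security_prefs is not available');
        }
        return (int) $old;
    }
    return $xsl->setSecurityPrefs($prefs); // 5.4: per-object setting
}

function transformAllowingFileWrite(XSLTProcessor $xsl, DOMDocument $doc)
{
    // Keep the default restrictions and clear only the write-file bit.
    // Directory creation and network writes stay forbidden.
    $prefs = XSL_SECPREF_DEFAULT & ~XSL_SECPREF_WRITE_FILE;
    $old = applyXslPrefs($xsl, $prefs);
    try {
        $out = $xsl->transformToXml($doc);
    } catch (Exception $e) {
        applyXslPrefs($xsl, $old); // restore before propagating
        throw $e;
    }
    applyXslPrefs($xsl, $old);     // restore on the normal path too
    return $out;
}

// Constructed sample input: a stylesheet that only copies its input.
$style = new DOMDocument();
$style->loadXML('<xsl:stylesheet version="1.0"'
    . ' xmlns:xsl="http://www.w3.org/1999/XSL/Transform">'
    . '<xsl:template match="/"><xsl:copy-of select="."/></xsl:template>'
    . '</xsl:stylesheet>');
$doc = new DOMDocument();
$doc->loadXML('<root>ok</root>');

$xsl = new XSLTProcessor();
$xsl->importStylesheet($style);
echo transformAllowingFileWrite($xsl, $doc);
```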


Previous Comments:
------------------------------------------------------------------------
[2011-10-05 18:11:06] chr...@php.net

Automatic comment from SVN on behalf of chregu
Revision: http://svn.php.net/viewvc/?view=revision&revision=317801
Log: Added test for Bug 54446
Init a variable to a default value to avoid issues

------------------------------------------------------------------------
[2011-10-05 09:55:39] chr...@php.net

Automatic comment from SVN on behalf of chregu
Revision: http://svn.php.net/viewvc/?view=revision&revision=317759
Log: Added xsl.security_prefs ini option to define forbidden operations within
XSLT stylesheets, default is not to enable write operations. This option won't
be in 5.4, since there's a new method. Bug #54446

------------------------------------------------------------------------
[2011-09-12 12:44:34] chr...@php.net

Automatic comment from SVN on behalf of chregu
Revision: http://svn.php.net/viewvc/?view=revision&revision=316530
Log: Added test for XSL bug 54446

------------------------------------------------------------------------
[2011-07-12 00:58:35] chr...@php.net

Automatic comment from SVN on behalf of chregu
Revision: http://svn.php.net/viewvc/?view=revision&revision=313160
Log: Added XsltProcessor::setSecurityPrefs($options) and getSecurityPrefs()
to define forbidden operations within XSLT stylesheets, default is not to
enable any write operations from XSLT anymore. Bug #54446

(second iteration of the code for trunk, first commit for 5.4 branch)

------------------------------------------------------------------------
[2011-07-11 07:18:22] chr...@php.net

This is now fixed in trunk and therefore 5.4

------------------------------------------------------------------------


The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at

    https://bugs.php.net/bug.php?id=54446

