authorOndřej Surý <ondrej@sury.org>2012-01-11 15:43:42 +0100
committerOndřej Surý <ondrej@sury.org>2012-01-11 15:43:42 +0100
commit8f1428d29ef91d74b4d272af171675f2971eb15b (patch)
treea1f4f4d7dc5bfe8096806dd5c5266634e19fa07a /ext/xsl
parentc6e4182351e0173fe58de141e143aac2eacf5efe (diff)
Imported Upstream version 5.3.9upstream/5.3.9
Diffstat (limited to 'ext/xsl')
-rw-r--r--ext/xsl/php_xsl.c23
-rw-r--r--ext/xsl/php_xsl.h14
-rw-r--r--ext/xsl/tests/bug54446_with_ini.phpt95
-rw-r--r--ext/xsl/tests/exslt.xml6
-rw-r--r--ext/xsl/tests/xslt010.phpt96
-rw-r--r--ext/xsl/tests/xsltprocessor_registerPHPFunctions-funcnostring.phpt4
-rw-r--r--ext/xsl/tests/xsltprocessor_registerPHPFunctions-funcundef.phpt4
-rw-r--r--ext/xsl/xsl_fe.h4
-rw-r--r--ext/xsl/xsltprocessor.c54
9 files changed, 284 insertions, 16 deletions
diff --git a/ext/xsl/php_xsl.c b/ext/xsl/php_xsl.c
index b484303d5..e14da5cbe 100644
--- a/ext/xsl/php_xsl.c
+++ b/ext/xsl/php_xsl.c
@@ -2,7 +2,7 @@
+----------------------------------------------------------------------+
| PHP Version 5 |
+----------------------------------------------------------------------+
- | Copyright (c) 1997-2011 The PHP Group |
+ | Copyright (c) 1997-2012 The PHP Group |
+----------------------------------------------------------------------+
| This source file is subject to version 3.01 of the PHP license, |
| that is bundled with this package in the file LICENSE, and is |
@@ -16,7 +16,7 @@
+----------------------------------------------------------------------+
*/
-/* $Id: php_xsl.c 314376 2011-08-06 14:47:44Z felipe $ */
+/* $Id: php_xsl.c 321634 2012-01-01 13:15:04Z felipe $ */
#ifdef HAVE_CONFIG_H
#include "config.h"
@@ -141,6 +141,13 @@ zend_object_value xsl_objects_new(zend_class_entry *class_type TSRMLS_DC)
}
/* }}} */
+PHP_INI_BEGIN()
+/* Default is not allowing any write operations.
+ XSL_SECPREF_CREATE_DIRECTORY | XSL_SECPREF_WRITE_NETWORK | XSL_SECPREF_WRITE_FILE == 44
+*/
+PHP_INI_ENTRY("xsl.security_prefs", "44", PHP_INI_ALL, NULL)
+PHP_INI_END()
+
/* {{{ PHP_MINIT_FUNCTION
*/
PHP_MINIT_FUNCTION(xsl)
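Review bot: `PHP_INI_ALL` on the new `xsl.security_prefs` entry lets any script flip the setting with `ini_set()` at runtime, so the restriction only defends against a hostile stylesheet, not against code already executing in the same request; if this is meant as an administrator-controlled hardening knob, `PHP_INI_SYSTEM` (or at least `PHP_INI_PERDIR`) is the stricter choice, although the accompanying bug54446_with_ini test relies on `ini_set()` and would need reworking. The default `"44"` repeats the value of `XSL_SECPREF_DEFAULT` from php_xsl.h as a string literal, and the comment above it spells the bits out by hand, so the two can drift apart without any compiler complaint; a pointer such as `/* must equal XSL_SECPREF_DEFAULT in php_xsl.h */` next to the entry makes the coupling visible. The comment's "not allowing any write operations" would also read better as "forbid file write, directory creation and network write", since a set bit here forbids the operation rather than allowing it.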
@@ -167,6 +174,14 @@ PHP_MINIT_FUNCTION(xsl)
REGISTER_LONG_CONSTANT("XSL_CLONE_NEVER", -1, CONST_CS | CONST_PERSISTENT);
REGISTER_LONG_CONSTANT("XSL_CLONE_ALWAYS", 1, CONST_CS | CONST_PERSISTENT);
+ REGISTER_LONG_CONSTANT("XSL_SECPREF_NONE", XSL_SECPREF_NONE, CONST_CS | CONST_PERSISTENT);
+ REGISTER_LONG_CONSTANT("XSL_SECPREF_READ_FILE", XSL_SECPREF_READ_FILE, CONST_CS | CONST_PERSISTENT);
+ REGISTER_LONG_CONSTANT("XSL_SECPREF_WRITE_FILE", XSL_SECPREF_WRITE_FILE, CONST_CS | CONST_PERSISTENT);
+ REGISTER_LONG_CONSTANT("XSL_SECPREF_CREATE_DIRECTORY", XSL_SECPREF_CREATE_DIRECTORY, CONST_CS | CONST_PERSISTENT);
+ REGISTER_LONG_CONSTANT("XSL_SECPREF_READ_NETWORK", XSL_SECPREF_READ_NETWORK, CONST_CS | CONST_PERSISTENT);
+ REGISTER_LONG_CONSTANT("XSL_SECPREF_WRITE_NETWORK", XSL_SECPREF_WRITE_NETWORK, CONST_CS | CONST_PERSISTENT);
+ REGISTER_LONG_CONSTANT("XSL_SECPREF_DEFAULT", XSL_SECPREF_DEFAULT, CONST_CS | CONST_PERSISTENT);
+
REGISTER_LONG_CONSTANT("LIBXSLT_VERSION", LIBXSLT_VERSION, CONST_CS | CONST_PERSISTENT);
REGISTER_STRING_CONSTANT("LIBXSLT_DOTTED_VERSION", LIBXSLT_DOTTED_VERSION, CONST_CS | CONST_PERSISTENT);
@@ -175,6 +190,8 @@ PHP_MINIT_FUNCTION(xsl)
REGISTER_STRING_CONSTANT("LIBEXSLT_DOTTED_VERSION", LIBEXSLT_DOTTED_VERSION, CONST_CS | CONST_PERSISTENT);
#endif
+ REGISTER_INI_ENTRIES();
+
return SUCCESS;
}
/* }}} */
@@ -258,6 +275,8 @@ PHP_MSHUTDOWN_FUNCTION(xsl)
xsltCleanupGlobals();
+ UNREGISTER_INI_ENTRIES();
+
return SUCCESS;
}
/* }}} */
diff --git a/ext/xsl/php_xsl.h b/ext/xsl/php_xsl.h
index 09238b2ff..d8597c18d 100644
--- a/ext/xsl/php_xsl.h
+++ b/ext/xsl/php_xsl.h
@@ -2,7 +2,7 @@
+----------------------------------------------------------------------+
| PHP Version 5 |
+----------------------------------------------------------------------+
- | Copyright (c) 1997-2011 The PHP Group |
+ | Copyright (c) 1997-2012 The PHP Group |
+----------------------------------------------------------------------+
| This source file is subject to version 3.01 of the PHP license, |
| that is bundled with this package in the file LICENSE, and is |
@@ -16,7 +16,7 @@
+----------------------------------------------------------------------+
*/
-/* $Id: php_xsl.h 306939 2011-01-01 02:19:59Z felipe $ */
+/* $Id: php_xsl.h 321634 2012-01-01 13:15:04Z felipe $ */
#ifndef PHP_XSL_H
#define PHP_XSL_H
@@ -32,6 +32,7 @@ extern zend_module_entry xsl_module_entry;
#include <libxslt/xsltInternals.h>
#include <libxslt/xsltutils.h>
#include <libxslt/transform.h>
+#include <libxslt/security.h>
#if HAVE_XSL_EXSLT
#include <libexslt/exslt.h>
#include <libexslt/exsltconfig.h>
@@ -43,6 +44,15 @@ extern zend_module_entry xsl_module_entry;
#include <libxslt/extensions.h>
#include <libxml/xpathInternals.h>
+#define XSL_SECPREF_NONE 0
+#define XSL_SECPREF_READ_FILE 2
+#define XSL_SECPREF_WRITE_FILE 4
+#define XSL_SECPREF_CREATE_DIRECTORY 8
+#define XSL_SECPREF_READ_NETWORK 16
+#define XSL_SECPREF_WRITE_NETWORK 32
+/* Default == disable all write access == XSL_SECPREF_WRITE_NETWORK | XSL_SECPREF_CREATE_DIRECTORY | XSL_SECPREF_WRITE_FILE */
+#define XSL_SECPREF_DEFAULT 44
+
typedef struct _xsl_object {
zend_object std;
void *ptr;
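Review bot: `XSL_SECPREF_DEFAULT` is the literal 44 rather than the OR of the three flags its own comment names, so changing any of the bit values above silently leaves the default stale; `#define XSL_SECPREF_DEFAULT (XSL_SECPREF_WRITE_FILE | XSL_SECPREF_CREATE_DIRECTORY | XSL_SECPREF_WRITE_NETWORK)` says the same thing and cannot drift. The block also never states the polarity of the mask — a set bit forbids the operation, which is the opposite of what "prefs" suggests — so a line above the defines such as `/* xsl.security_prefs bit mask: each set bit FORBIDS that operation in libxslt; 0 means no restrictions. */` would spare readers a trip to xsltprocessor.c. It is worth saying explicitly that these are PHP-side bit flags mapped onto libxslt's `XSLT_SECPREF_*` options in xsltprocessor.c, because the two families differ by a single letter and are easy to confuse.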
diff --git a/ext/xsl/tests/bug54446_with_ini.phpt b/ext/xsl/tests/bug54446_with_ini.phpt
new file mode 100644
index 000000000..31cd1d43b
--- /dev/null
+++ b/ext/xsl/tests/bug54446_with_ini.phpt
@@ -0,0 +1,95 @@
+--TEST--
+Bug #54446 (Arbitrary file creation via libxslt 'output' extension with php.ini setting)
+--SKIPIF--
+<?php
+if (!extension_loaded('xsl')) die("skip Extension XSL is required\n");
+?>
+--FILE--
+<?php
+include("prepare.inc");
+
+$outputfile = dirname(__FILE__)."/bug54446test.txt";
+if (file_exists($outputfile)) {
+ unlink($outputfile);
+}
+
+$sXsl = <<<EOT
+<xsl:stylesheet version="1.0"
+ xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+ xmlns:sax="http://icl.com/saxon"
+ extension-element-prefixes="sax">
+
+ <xsl:template match="/">
+ <sax:output href="$outputfile" method="text">
+ <xsl:value-of select="'0wn3d via PHP and libxslt ...'"/>
+ </sax:output>
+ </xsl:template>
+
+</xsl:stylesheet>
+EOT;
+
+$xsl->loadXML( $sXsl );
+
+# START XSLT
+$proc->importStylesheet( $xsl );
+
+# TRASNFORM & PRINT
+print $proc->transformToXML( $dom );
+
+
+if (file_exists($outputfile)) {
+ print "$outputfile exists, but shouldn't!\n";
+} else {
+ print "OK, no file created\n";
+}
+
+#SET NO SECURITY PREFS
+ini_set("xsl.security_prefs", XSL_SECPREF_NONE);
+
+# TRASNFORM & PRINT
+print $proc->transformToXML( $dom );
+
+
+if (file_exists($outputfile)) {
+ print "OK, file exists\n";
+} else {
+ print "$outputfile doesn't exist, but should!\n";
+}
+
+unlink($outputfile);
+
+#SET SECURITY PREFS AGAIN
+ini_set("xsl.security_prefs", XSL_SECPREF_WRITE_FILE | XSL_SECPREF_WRITE_NETWORK | XSL_SECPREF_CREATE_DIRECTORY);
+
+# TRASNFORM & PRINT
+print $proc->transformToXML( $dom );
+
+if (file_exists($outputfile)) {
+ print "$outputfile exists, but shouldn't!\n";
+} else {
+ print "OK, no file created\n";
+}
+
+
+--EXPECTF--
+Warning: XSLTProcessor::transformToXml(): runtime error: file %s line %s element output in %s on line %d
+
+Warning: XSLTProcessor::transformToXml(): File write for %s/bug54446test.txt refused in %s on line %s
+
+Warning: XSLTProcessor::transformToXml(): runtime error: file %s line %d element output in %s on line %d
+
+Warning: XSLTProcessor::transformToXml(): xsltDocumentElem: write rights for %s/bug54446test.txt denied in %s on line %d
+OK, no file created
+OK, file exists
+
+Warning: XSLTProcessor::transformToXml(): runtime error: file %s line %s element output in %s on line %d
+
+Warning: XSLTProcessor::transformToXml(): File write for %s/bug54446test.txt refused in %s on line %s
+
+Warning: XSLTProcessor::transformToXml(): runtime error: file %s line %d element output in %s on line %d
+
+Warning: XSLTProcessor::transformToXml(): xsltDocumentElem: write rights for %s/bug54446test.txt denied in %s on line %d
+OK, no file created
+--CREDITS--
+Christian Stocker, chregu@php.net
+
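Review bot: The test has no `--CLEAN--` section, so if the third transform ever does create `bug54446test.txt` — the very regression this test guards — the assertion fails and the file is left behind in the tests directory, where the next run's leading `unlink()` quietly hides it again; a `--CLEAN--` block containing `@unlink(dirname(__FILE__)."/bug54446test.txt");` keeps a failure from leaking state between runs. The expected output pins libxslt's exact warning texts ("File write for … refused", "xsltDocumentElem: write rights … denied"), which ties the test to the installed libxslt release rather than to the extension's own decision; a comment saying so, or a looser `%s` match on those two lines, would make a message-text change easier to tell apart from a real regression. Minor: the comment `# TRASNFORM & PRINT` is misspelled in all three places.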
diff --git a/ext/xsl/tests/exslt.xml b/ext/xsl/tests/exslt.xml
index 54913c6f5..562e08e82 100644
--- a/ext/xsl/tests/exslt.xml
+++ b/ext/xsl/tests/exslt.xml
@@ -6,4 +6,10 @@
<date date="2000-02-29"/>
<date date="9990001-12-31Z"/>
<date date="-0004-02-29"/>
+ <date date="1999-01-02"/>
+ <date date="1999-01-03"/>
+ <date date="2004-01-01"/>
+ <date date="2006-01-01"/>
+ <date date="2007-12-31"/>
</page>
+
diff --git a/ext/xsl/tests/xslt010.phpt b/ext/xsl/tests/xslt010.phpt
index 75729c270..96ef8c627 100644
--- a/ext/xsl/tests/xslt010.phpt
+++ b/ext/xsl/tests/xslt010.phpt
@@ -30,7 +30,7 @@ Test 10: EXSLT Support
month-in-year : 12
month-name : December
month-abbreviation : Dec
- week-in-year : 53
+ week-in-year : 1
day-in-year : 365
day-in-month : 31
day-of-week-in-month : 5
@@ -84,7 +84,7 @@ Test 10: EXSLT Support
month-in-year : 12
month-name : December
month-abbreviation : Dec
- week-in-year : 53
+ week-in-year : 1
day-in-year : 365
day-in-month : 31
day-of-week-in-month : 5
@@ -102,7 +102,7 @@ Test 10: EXSLT Support
month-in-year : 2
month-name : February
month-abbreviation : Feb
- week-in-year : 10
+ week-in-year : 9
day-in-year : 60
day-in-month : 29
day-of-week-in-month : 5
@@ -113,4 +113,94 @@ Test 10: EXSLT Support
hour-in-day : NaN
minute-in-hour : NaN
second-in-minute : NaN
+
+ Test Date : 1999-01-02
+ year : 1999
+ leap-year : false
+ month-in-year : 1
+ month-name : January
+ month-abbreviation : Jan
+ week-in-year : 53
+ day-in-year : 2
+ day-in-month : 2
+ day-of-week-in-month : 1
+ day-in-week : 7
+ day-name : Saturday
+ day-abbreviation : Sat
+ time :
+ hour-in-day : NaN
+ minute-in-hour : NaN
+ second-in-minute : NaN
+
+ Test Date : 1999-01-03
+ year : 1999
+ leap-year : false
+ month-in-year : 1
+ month-name : January
+ month-abbreviation : Jan
+ week-in-year : 53
+ day-in-year : 3
+ day-in-month : 3
+ day-of-week-in-month : 1
+ day-in-week : 1
+ day-name : Sunday
+ day-abbreviation : Sun
+ time :
+ hour-in-day : NaN
+ minute-in-hour : NaN
+ second-in-minute : NaN
+
+ Test Date : 2004-01-01
+ year : 2004
+ leap-year : true
+ month-in-year : 1
+ month-name : January
+ month-abbreviation : Jan
+ week-in-year : 1
+ day-in-year : 1
+ day-in-month : 1
+ day-of-week-in-month : 1
+ day-in-week : 5
+ day-name : Thursday
+ day-abbreviation : Thu
+ time :
+ hour-in-day : NaN
+ minute-in-hour : NaN
+ second-in-minute : NaN
+
+ Test Date : 2006-01-01
+ year : 2006
+ leap-year : false
+ month-in-year : 1
+ month-name : January
+ month-abbreviation : Jan
+ week-in-year : 52
+ day-in-year : 1
+ day-in-month : 1
+ day-of-week-in-month : 1
+ day-in-week : 1
+ day-name : Sunday
+ day-abbreviation : Sun
+ time :
+ hour-in-day : NaN
+ minute-in-hour : NaN
+ second-in-minute : NaN
+
+ Test Date : 2007-12-31
+ year : 2007
+ leap-year : false
+ month-in-year : 12
+ month-name : December
+ month-abbreviation : Dec
+ week-in-year : 1
+ day-in-year : 365
+ day-in-month : 31
+ day-of-week-in-month : 5
+ day-in-week : 2
+ day-name : Monday
+ day-abbreviation : Mon
+ time :
+ hour-in-day : NaN
+ minute-in-hour : NaN
+ second-in-minute : NaN
diff --git a/ext/xsl/tests/xsltprocessor_registerPHPFunctions-funcnostring.phpt b/ext/xsl/tests/xsltprocessor_registerPHPFunctions-funcnostring.phpt
index d9a70517e..a0d6bf6b7 100644
--- a/ext/xsl/tests/xsltprocessor_registerPHPFunctions-funcnostring.phpt
+++ b/ext/xsl/tests/xsltprocessor_registerPHPFunctions-funcnostring.phpt
@@ -30,8 +30,8 @@ Warning: XSLTProcessor::transformToXml(): xmlXPathCompiledEval: evaluation faile
Warning: XSLTProcessor::transformToXml(): runtime error: file %s line %d element value-of in %s on line %d
-Warning: XSLTProcessor::transformToXml(): xsltValueOf: text copy failed in %s on line %d
-bool(false)
+Warning: XSLTProcessor::transformToXml(): XPath evaluation returned no result. in %s on line %d
+NULL
--CREDITS--
Christian Weiske, cweiske@php.net
PHP Testfest Berlin 2009-05-09
diff --git a/ext/xsl/tests/xsltprocessor_registerPHPFunctions-funcundef.phpt b/ext/xsl/tests/xsltprocessor_registerPHPFunctions-funcundef.phpt
index a0ddf96a6..1aa7bb051 100644
--- a/ext/xsl/tests/xsltprocessor_registerPHPFunctions-funcundef.phpt
+++ b/ext/xsl/tests/xsltprocessor_registerPHPFunctions-funcundef.phpt
@@ -29,8 +29,8 @@ Warning: XSLTProcessor::transformToXml(): xmlXPathCompiledEval: evaluation faile
Warning: XSLTProcessor::transformToXml(): runtime error: file %s line %d element value-of in %s on line %d
-Warning: XSLTProcessor::transformToXml(): xsltValueOf: text copy failed in %s on line %d
-bool(false)
+Warning: XSLTProcessor::transformToXml(): XPath evaluation returned no result. in %s on line %d
+NULL
--CREDITS--
Christian Weiske, cweiske@php.net
PHP Testfest Berlin 2009-05-09
diff --git a/ext/xsl/xsl_fe.h b/ext/xsl/xsl_fe.h
index a02292e55..f49bc43cb 100644
--- a/ext/xsl/xsl_fe.h
+++ b/ext/xsl/xsl_fe.h
@@ -2,7 +2,7 @@
+----------------------------------------------------------------------+
| PHP Version 5 |
+----------------------------------------------------------------------+
- | Copyright (c) 1997-2011 The PHP Group |
+ | Copyright (c) 1997-2012 The PHP Group |
+----------------------------------------------------------------------+
| This source file is subject to version 3.01 of the PHP license, |
| that is bundled with this package in the file LICENSE, and is |
@@ -16,7 +16,7 @@
+----------------------------------------------------------------------+
*/
-/* $Id: xsl_fe.h 306939 2011-01-01 02:19:59Z felipe $ */
+/* $Id: xsl_fe.h 321634 2012-01-01 13:15:04Z felipe $ */
#ifndef XSL_FE_H
#define XSL_FE_H
diff --git a/ext/xsl/xsltprocessor.c b/ext/xsl/xsltprocessor.c
index ef3cc383f..af5cd8fe0 100644
--- a/ext/xsl/xsltprocessor.c
+++ b/ext/xsl/xsltprocessor.c
@@ -2,7 +2,7 @@
+----------------------------------------------------------------------+
| PHP Version 5 |
+----------------------------------------------------------------------+
- | Copyright (c) 1997-2011 The PHP Group |
+ | Copyright (c) 1997-2012 The PHP Group |
+----------------------------------------------------------------------+
| This source file is subject to version 3.01 of the PHP license, |
| that is bundled with this package in the file LICENSE, and is |
@@ -17,7 +17,7 @@
+----------------------------------------------------------------------+
*/
-/* $Id: xsltprocessor.c 306939 2011-01-01 02:19:59Z felipe $ */
+/* $Id: xsltprocessor.c 321634 2012-01-01 13:15:04Z felipe $ */
#ifdef HAVE_CONFIG_H
#include "config.h"
@@ -475,6 +475,9 @@ static xmlDocPtr php_xsl_apply_stylesheet(zval *id, xsl_object *intern, xsltStyl
zval *doXInclude, *member;
zend_object_handlers *std_hnd;
FILE *f;
+ int secPrefsError = 0;
+ int secPrefsValue;
+ xsltSecurityPrefsPtr secPrefs = NULL;
node = php_libxml_import_node(docp TSRMLS_CC);
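Review bot: Only `secPrefs` is initialised in this hunk, but the gating this commit adds later in the same function (`if (secPrefsError == 1) { php_error_docref(...) } else { newdocp = xsltApplyStylesheetUser(...) }`) means `newdocp` is now left unassigned on the warning path; unless its declaration above this hunk already reads `xmlDocPtr newdocp = NULL;`, the function returns an indeterminate pointer after refusing the transformation. That later hunk also never checks the result of `xsltNewSecurityPrefs()`: for an ini value such as 1 or 64 that sets none of the recognised `XSL_SECPREF_*` bits no `xsltSetSecurityPrefs()` call is made, `xsltSetCtxtSecurityPrefs(secPrefs, ctxt)` receives whatever the allocation returned, and as far as I recall of libxslt (verify against the version in use) that call only stores the pointer and returns 0, so a misconfigured mask yields an unrestricted transformation instead of the warning. Adding `if (secPrefs == NULL) { secPrefsError = 1; }` directly after the allocation, and treating a non-zero value with no known bits as an error rather than as "nothing to forbid", closes both gaps. php_xsl_apply_stylesheet begins before and ends after this hunk.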
@@ -531,11 +534,56 @@ static xmlDocPtr php_xsl_apply_stylesheet(zval *id, xsl_object *intern, xsltStyl
}
efree(member);
- newdocp = xsltApplyStylesheetUser(style, doc, (const char**) params, NULL, f, ctxt);
+
+ secPrefsValue = INI_INT("xsl.security_prefs");
+
+ /* if securityPrefs is set to NONE, we don't have to do any checks, but otherwise... */
+ if (secPrefsValue != XSL_SECPREF_NONE) {
+ secPrefs = xsltNewSecurityPrefs();
+ if (secPrefsValue & XSL_SECPREF_READ_FILE ) {
+ if (0 != xsltSetSecurityPrefs(secPrefs, XSLT_SECPREF_READ_FILE, xsltSecurityForbid)) {
+ secPrefsError = 1;
+ }
+ }
+ if (secPrefsValue & XSL_SECPREF_WRITE_FILE ) {
+ if (0 != xsltSetSecurityPrefs(secPrefs, XSLT_SECPREF_WRITE_FILE, xsltSecurityForbid)) {
+ secPrefsError = 1;
+ }
+ }
+ if (secPrefsValue & XSL_SECPREF_CREATE_DIRECTORY ) {
+ if (0 != xsltSetSecurityPrefs(secPrefs, XSLT_SECPREF_CREATE_DIRECTORY, xsltSecurityForbid)) {
+ secPrefsError = 1;
+ }
+ }
+ if (secPrefsValue & XSL_SECPREF_READ_NETWORK) {
+ if (0 != xsltSetSecurityPrefs(secPrefs, XSLT_SECPREF_READ_NETWORK, xsltSecurityForbid)) {
+ secPrefsError = 1;
+ }
+ }
+ if (secPrefsValue & XSL_SECPREF_WRITE_NETWORK) {
+ if (0 != xsltSetSecurityPrefs(secPrefs, XSLT_SECPREF_WRITE_NETWORK, xsltSecurityForbid)) {
+ secPrefsError = 1;
+ }
+ }
+
+ if (0 != xsltSetCtxtSecurityPrefs(secPrefs, ctxt)) {
+ secPrefsError = 1;
+ }
+ }
+
+ if (secPrefsError == 1) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Can't set libxslt security properties, not doing transformation for security reasons");
+ } else {
+ newdocp = xsltApplyStylesheetUser(style, doc, (const char**) params, NULL, f, ctxt);
+ }
if (f) {
fclose(f);
}
+
xsltFreeTransformContext(ctxt);
+ if (secPrefs) {
+ xsltFreeSecurityPrefs(secPrefs);
+ }
if (intern->node_list != NULL) {
zend_hash_destroy(intern->node_list);