Newsgroups: php.internals
From: dossche.niels@gmail.com (Niels Dossche)
Date: Sat, 16 Mar 2024 17:48:50 +0100
To: PHP Internals
Subject: [PHP-DEV] XSLTProcessor recursion limit

Hi internals

Based on https://bugs.php.net/bug.php?id=71571 I've opened a PR to implement two new properties for XSLTProcessor: maxTemplateDepth and maxTemplateVars. The reasoning behind this is that large templates with lots of recursion and/or variables can bump against the default recursion limit set by the libxslt library.

PR link: https://github.com/php/php-src/pull/13731

I used an adapted version of https://github.com/nikic/popular-package-analysis to download every package that satisfies the search term "xsl". Then I checked if there are any classes that extend XSLTProcessor and have the maxTemplateDepth or maxTemplateVars field. None do, and as such no package in packagist will observe a BC break because of this PR.

One sad detail however, is that you can set the recursion limit so high that you can exhaust the stack space, which will crash the process with a segfault. In fact, you can hit this already right now without the PR, using XSL. I.e. you can create a very deep VM re-entry that won't cause the stack limit protection to kick in, and then start a recursive XSL template processing that does not hit XSL's limit, but exhausts the remaining stack space. Note that as soon as you do callbacks however, the stack limit protection _will_ kick in.

I tried to check if it's possible to prevent this, but the stack limit check would need to happen inside the libxslt library, so I don't think it's possible.

Let me know if there are any complaints about this. If no complaints, I'll merge this in 2 weeks or so.

Kind regards
Niels
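The effect of a template depth limit, as an added example that is not part of the original message or the PR: a recursive named template is run under an explicit `maxTemplateDepth`, and a transform that exceeds it is reported as a failure instead of a partial result. It assumes a PHP build that includes the PR's `maxTemplateDepth` property; the stylesheet, the function name `transformWithDepthLimit` and the numbers are constructed for illustration.

```php
<?php
// Added example, not code from the PR. Assumes XSLTProcessor::$maxTemplateDepth exists.
// Constructed stylesheet: the "countdown" template calls itself $n times, then emits "done".
const COUNTDOWN_XSL = <<<'XSL'
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:output method="text"/>
  <xsl:param name="n" select="10"/>
  <xsl:template match="/">
    <xsl:call-template name="countdown"><xsl:with-param name="i" select="$n"/></xsl:call-template>
  </xsl:template>
  <xsl:template name="countdown">
    <xsl:param name="i"/>
    <xsl:if test="$i &gt; 0">
      <xsl:call-template name="countdown"><xsl:with-param name="i" select="$i - 1"/></xsl:call-template>
    </xsl:if>
    <xsl:if test="$i = 0">done</xsl:if>
  </xsl:template>
</xsl:stylesheet>
XSL;

// Returns the transform output, or null when the transform failed or reported errors
// (for example because the template nesting exceeded $maxDepth).
function transformWithDepthLimit(int $recursions, int $maxDepth): ?string
{
    $previous = libxml_use_internal_errors(true); // collect errors instead of emitting warnings
    libxml_clear_errors();

    $xsl = new DOMDocument();
    $xsl->loadXML(COUNTDOWN_XSL);
    $input = new DOMDocument();
    $input->loadXML('<root/>');

    $proc = new XSLTProcessor();
    $proc->maxTemplateDepth = $maxDepth; // property named in the PR
    $proc->importStylesheet($xsl);
    $proc->setParameter('', 'n', (string) $recursions);

    $result = $proc->transformToXml($input);
    $errors = libxml_get_errors();
    libxml_clear_errors();
    libxml_use_internal_errors($previous);

    // A non-string result or any reported error counts as a failed transform.
    return (is_string($result) && $errors === []) ? $result : null;
}

var_dump(transformWithDepthLimit(20, 500));   // shallow recursion, well inside the limit
var_dump(transformWithDepthLimit(2000, 500)); // recursion deeper than the configured limit
```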