1--TEST-- 2Bug #61367: open_basedir bypass in libxml RSHUTDOWN: read test 3--SKIPIF-- 4<?php if(!extension_loaded('dom')) echo 'skip'; ?> 5--INI-- 6open_basedir=. 7error_reporting=E_ALL & ~E_NOTICE 8--FILE-- 9<?php 10/* 11 * Note: Using error_reporting=E_ALL & ~E_NOTICE to suppress "Trying to get property of non-object" notices. 12 */ 13class StreamExploiter { 14 public function stream_close ( ) { 15 $doc = new DOMDocument; 16 $doc->resolveExternals = true; 17 $doc->substituteEntities = true; 18 $dir = htmlspecialchars(dirname(getcwd())); 19 $dir = str_replace('\\', '/', $dir); // fix for windows 20 $doc->loadXML( <<<XML 21<!DOCTYPE doc [ 22 <!ENTITY file SYSTEM "file:///$dir/bad"> 23]> 24<doc>&file;</doc> 25XML 26 ); 27 print $doc->documentElement->firstChild->nodeValue; 28 } 29 30 public function stream_open ( $path , $mode , $options , &$opened_path ) { 31 return true; 32 } 33} 34 35var_dump(mkdir('test_bug_61367')); 36var_dump(mkdir('test_bug_61367/base')); 37var_dump(file_put_contents('test_bug_61367/bad', 'blah')); 38var_dump(chdir('test_bug_61367/base')); 39 40stream_wrapper_register( 'exploit', 'StreamExploiter' ); 41$s = fopen( 'exploit://', 'r' ); 42 43?> 44--CLEAN-- 45<?php 46unlink('test_bug_61367/bad'); 47rmdir('test_bug_61367/base'); 48rmdir('test_bug_61367'); 49?> 50--EXPECTF-- 51bool(true) 52bool(true) 53int(4) 54bool(true) 55 56Warning: DOMDocument::loadXML(): I/O warning : failed to load external entity "file:///%s/test_bug_61367/bad" in %s on line %d 57 58Warning: DOMDocument::loadXML(): Failure to process entity file in Entity, line: 4 in %s on line %d 59 60Warning: DOMDocument::loadXML(): Entity 'file' not defined in Entity, line: 4 in %s on line %d 61