xref: /PHP-5.4/ext/libxml/tests/bug61367-read.phpt (revision ac40c0b5)
1--TEST--
2Bug #61367: open_basedir bypass in libxml RSHUTDOWN: read test
3--SKIPIF--
4<?php if(!extension_loaded('dom')) echo 'skip'; ?>
5--INI--
6open_basedir=.
7error_reporting=E_ALL & ~E_NOTICE
8--FILE--
9<?php
10/*
11 * Note: Using error_reporting=E_ALL & ~E_NOTICE to suppress "Trying to get property of non-object" notices.
12 */
13class StreamExploiter {
14	public function stream_close (  ) {
15		$doc = new DOMDocument;
16		$doc->resolveExternals = true;
17		$doc->substituteEntities = true;
18		$dir = htmlspecialchars(dirname(getcwd()));
19		$dir = str_replace('\\', '/', $dir); // fix for windows
20		$doc->loadXML( <<<XML
21<!DOCTYPE doc [
22	<!ENTITY file SYSTEM "file:///$dir/bad">
23]>
24<doc>&file;</doc>
25XML
26		);
27		print $doc->documentElement->firstChild->nodeValue;
28	}
29
30	public function stream_open (  $path ,  $mode ,  $options ,  &$opened_path ) {
31		return true;
32	}
33}
34
35var_dump(mkdir('test_bug_61367'));
36var_dump(mkdir('test_bug_61367/base'));
37var_dump(file_put_contents('test_bug_61367/bad', 'blah'));
38var_dump(chdir('test_bug_61367/base'));
39
40stream_wrapper_register( 'exploit', 'StreamExploiter' );
41$s = fopen( 'exploit://', 'r' );
42
43?>
44--CLEAN--
45<?php
46unlink('test_bug_61367/bad');
47rmdir('test_bug_61367/base');
48rmdir('test_bug_61367');
49?>
50--EXPECTF--
51bool(true)
52bool(true)
53int(4)
54bool(true)
55
56Warning: DOMDocument::loadXML(): I/O warning : failed to load external entity "file:///%s/test_bug_61367/bad" in %s on line %d
57
58Warning: DOMDocument::loadXML(): Failure to process entity file in Entity, line: 4 in %s on line %d
59
60Warning: DOMDocument::loadXML(): Entity 'file' not defined in Entity, line: 4 in %s on line %d
61