1--TEST-- 2Bug #61367: open_basedir bypass in libxml RSHUTDOWN: read test 3--EXTENSIONS-- 4dom 5--SKIPIF-- 6<?php 7if (LIBXML_VERSION >= 20912) die('skip For libxml2 < 2.9.12 only'); 8?> 9--INI-- 10open_basedir=. 11--FILE-- 12<?php 13/* 14 * Note: Using error_reporting=E_ALL & ~E_NOTICE to suppress "Trying to get property of non-object" notices. 15 */ 16class StreamExploiter { 17 public function stream_close ( ) { 18 $doc = new DOMDocument; 19 $doc->resolveExternals = true; 20 $doc->substituteEntities = true; 21 $dir = htmlspecialchars(dirname(getcwd())); 22 $dir = str_replace('\\', '/', $dir); // fix for windows 23 $doc->loadXML( <<<XML 24<!DOCTYPE doc [ 25 <!ENTITY file SYSTEM "file:///$dir/bad"> 26]> 27<doc>&file;</doc> 28XML 29 ); 30 print $doc->documentElement->firstChild->nodeValue; 31 } 32 33 public function stream_open ( $path , $mode , $options , &$opened_path ) { 34 return true; 35 } 36} 37 38var_dump(mkdir('test_bug_61367-read')); 39var_dump(mkdir('test_bug_61367-read/base')); 40var_dump(file_put_contents('test_bug_61367-read/bad', 'blah')); 41var_dump(chdir('test_bug_61367-read/base')); 42 43stream_wrapper_register( 'exploit', 'StreamExploiter' ); 44$s = fopen( 'exploit://', 'r' ); 45 46?> 47--CLEAN-- 48<?php 49unlink('test_bug_61367-read/bad'); 50rmdir('test_bug_61367-read/base'); 51rmdir('test_bug_61367-read'); 52?> 53--EXPECTF-- 54bool(true) 55bool(true) 56int(4) 57bool(true) 58 59Warning: DOMDocument::loadXML(): I/O warning : failed to load external entity "file:///%s/test_bug_61367-read/bad" in %s on line %d 60 61Warning: DOMDocument::loadXML(): Failure to process entity file in Entity, line: 4 in %s on line %d 62 63Warning: DOMDocument::loadXML(): Entity 'file' not defined in Entity, line: 4 in %s on line %d 64 65Warning: Attempt to read property "firstChild" on null in %s on line %d 66 67Warning: Attempt to read property "nodeValue" on null in %s on line %d 68