--TEST--
Bug #61367: open_basedir bypass in libxml RSHUTDOWN: read test
--EXTENSIONS--
dom
--SKIPIF--
<?php
// This variant of the test only applies to libxml2 builds older than 2.9.12.
if (LIBXML_VERSION >= 20912) {
    die('skip For libxml2 < 2.9.12 only');
}
?>
--INI--
open_basedir=.
--FILE--
<?php
/*
 * Note: Using error_reporting=E_ALL & ~E_NOTICE to suppress "Trying to get property of non-object" notices.
 */
/*
 * Stream wrapper used as the regression fixture for bug #61367.
 *
 * stream_open() accepts every request and provides no data; the part under
 * test is stream_close(), which runs when the 'exploit://' handle opened
 * below is torn down. Because $s is never closed explicitly, that happens at
 * request shutdown (the "RSHUTDOWN" in the test title). At that point the
 * wrapper asks libxml to resolve an external entity located one directory
 * above the current working directory. With open_basedir=. (see --INI--) the
 * read must be refused, and --EXPECTF-- pins the "failed to load external
 * entity" warning that shows it was.
 *
 * NOTE(review): the file comment above mentions error_reporting=E_ALL & ~E_NOTICE,
 * but --INI-- sets only open_basedir and --EXPECTF-- lists the property-access
 * warnings explicitly; confirm whether that comment is stale.
 */
class StreamExploiter {
    /**
     * Invoked when the stream is closed.
     *
     * Builds a document whose DOCTYPE declares a SYSTEM entity pointing at
     * "<parent of cwd>/bad", loads it with external-entity resolution and
     * substitution enabled, and prints the resulting text. The expected
     * outcome is the open_basedir-related I/O warning, not the file's contents.
     */
    public function stream_close (  ) {
        $doc = new DOMDocument;
        // Ask libxml to fetch and substitute the SYSTEM entity declared in the DOCTYPE below.
        $doc->resolveExternals = true;
        $doc->substituteEntities = true;
        // cwd is test_bug_61367-read/base at this point (see the chdir() below), so
        // dirname() yields test_bug_61367-read; escaped for use inside the XML literal.
        $dir = htmlspecialchars(dirname(getcwd()));
        $dir = str_replace('\\', '/', $dir); // fix for windows: use forward slashes in the file:// URI
        $doc->loadXML( <<<XML
<!DOCTYPE doc [
    <!ENTITY file SYSTEM "file:///$dir/bad">
]>
<doc>&file;</doc>
XML
        );
        // When the entity cannot be loaded the parse fails, documentElement is null,
        // and this line emits the "Attempt to read property ... on null" warnings
        // listed in --EXPECTF--.
        print $doc->documentElement->firstChild->nodeValue;
    }

    /**
     * Accept any open request; the stream carries no data and $opened_path is left untouched.
     */
    public function stream_open (  $path ,  $mode ,  $options ,  &$opened_path ) {
        return true;
    }
}
// Fixture layout: <root>/bad is the file the wrapper will try to reach through
// libxml; the script then moves into <root>/base so that "bad" sits one level
// above the working directory, outside open_basedir=.
$root = 'test_bug_61367-read';
var_dump(mkdir($root));
var_dump(mkdir("{$root}/base"));
var_dump(file_put_contents("{$root}/bad", 'blah'));
var_dump(chdir("{$root}/base"));

// Register the wrapper and open a single stream on it. The handle is kept in
// $s on purpose so that stream_close() runs at request shutdown, not here.
stream_wrapper_register('exploit', StreamExploiter::class);
$s = fopen('exploit://', 'r');
?>
--CLEAN--
<?php
// Tear down the fixture created by --FILE--: the file first, then the nested
// directory, then the root directory.
$root = 'test_bug_61367-read';
unlink("{$root}/bad");
rmdir("{$root}/base");
rmdir($root);
?>
--EXPECTF--
54bool(true)
55bool(true)
56int(4)
57bool(true)
58
59Warning: DOMDocument::loadXML(): I/O warning : failed to load external entity "file:///%s/test_bug_61367-read/bad" in %s on line %d
60
61Warning: DOMDocument::loadXML(): Failure to process entity file in Entity, line: 4 in %s on line %d
62
63Warning: DOMDocument::loadXML(): Entity 'file' not defined in Entity, line: 4 in %s on line %d
64
65Warning: Attempt to read property "firstChild" on null in %s on line %d
66
67Warning: Attempt to read property "nodeValue" on null in %s on line %d
68