--TEST--
Bug #61367: open_basedir bypass in libxml RSHUTDOWN: read test
--EXTENSIONS--
dom
--SKIPIF--
<?php
// Runs only against libxml2 older than 2.9.12 (20912 is the integer form of that version).
// NOTE(review): nothing in this file covers libxml2 >= 2.9.12 - confirm a sibling test does.
if (LIBXML_VERSION >= 20912) die('skip For libxml2 < 2.9.12 only');
?>
--INI--
open_basedir=.
--FILE--
<?php
/*
 * Regression test: a userland stream wrapper whose stream_close() parses XML
 * containing an external entity that points at a file outside open_basedir.
 * The handle opened at the bottom of the script is never fclose()d, so
 * stream_close() is presumably invoked during request shutdown - the window
 * named in the test title.
 *
 * Pass condition (see --EXPECTF--): the entity load fails and the file
 * content 'blah' is never printed. If 'blah' appears in the output, the
 * open_basedir restriction was not enforced for the read.
 *
 * The "Attempt to read property ... on null" warnings are part of the expected
 * output; the --INI-- section sets only open_basedir and does not change
 * error_reporting.
 */

/**
 * Minimal stream wrapper for the exploit:// scheme registered below.
 * Only stream_open() and stream_close() are implemented.
 */
class StreamExploiter {
    // Property the streamWrapper API populates with the stream context, if any.
    public $context;

    /**
     * Close hook: tries to read ../bad through an external XML entity and
     * prints whatever the parser substituted for it.
     */
    public function stream_close (  ) {
        $doc = new DOMDocument;
        // Both switches are needed for the entity to be fetched and expanded into the tree.
        $doc->resolveExternals = true;
        $doc->substituteEntities = true;
        // Parent of the working directory, i.e. the directory that holds 'bad'.
        // Escaped because it is interpolated into the quoted system identifier below.
        $dir = htmlspecialchars(dirname(getcwd()));
        $dir = str_replace('\\', '/', $dir); // fix for windows
        // The heredoc must stay as is: the expected warnings cite "Entity, line: 4",
        // which is the <doc>&file;</doc> line.
        $doc->loadXML( <<<XML
<!DOCTYPE doc [
    <!ENTITY file SYSTEM "file:///$dir/bad">
]>
<doc>&file;</doc>
XML
        );
        // With the load refused, documentElement is null and this prints nothing
        // apart from the two null-property warnings listed in --EXPECTF--.
        print $doc->documentElement->firstChild->nodeValue;
    }

    /**
     * Open hook: accepts every path and mode so that fopen('exploit://') succeeds.
     */
    public function stream_open ( $path , $mode , $options , &$opened_path ) {
        return true;
    }
}

// Fixture layout (each var_dump produces one of the first four --EXPECTF-- lines):
//   test_bug_61367-read/bad   target file, 4 bytes, outside the working directory after chdir()
//   test_bug_61367-read/base  working directory; open_basedir=. refers to it
var_dump(mkdir('test_bug_61367-read'));
var_dump(mkdir('test_bug_61367-read/base'));
var_dump(file_put_contents('test_bug_61367-read/bad', 'blah'));
var_dump(chdir('test_bug_61367-read/base'));

// Deliberately left open: the close hook has to run without an explicit fclose().
stream_wrapper_register( 'exploit', 'StreamExploiter' );
$s = fopen( 'exploit://', 'r' );

?>
--CLEAN--
<?php
// Remove the fixtures created in --FILE--, innermost first.
unlink('test_bug_61367-read/bad');
rmdir('test_bug_61367-read/base');
rmdir('test_bug_61367-read');
?>
--EXPECTF--
bool(true)
bool(true)
int(4)
bool(true)

Warning: DOMDocument::loadXML(): I/O warning : failed to load external entity "file:///%s/test_bug_61367-read/bad" in %s on line %d

Warning: DOMDocument::loadXML(): Failure to process entity file in Entity, line: 4 in %s on line %d

Warning: DOMDocument::loadXML(): Entity 'file' not defined in Entity, line: 4 in %s on line %d

Warning: Attempt to read property "firstChild" on null in %s on line %d

Warning: Attempt to read property "nodeValue" on null in %s on line %d