1--TEST-- 2UAF when removing doctype and iterating over the child nodes 3--EXTENSIONS-- 4dom 5--CREDITS-- 6Yuancheng Jiang 7--FILE-- 8<?php 9$dom = new DOMDocument; 10$dom->loadXML(<<<XML 11<!DOCTYPE foo [ 12 <!ENTITY foo1 "bar1"> 13]> 14<foo>&foo1;</foo> 15XML); 16$ref = $dom->documentElement->firstChild; 17$nodes = $ref->childNodes; 18$dom->removeChild($dom->doctype); 19foreach($nodes as $str) {} 20var_dump($nodes); 21?> 22--EXPECTF-- 23object(DOMNodeList)#%d (1) { 24 ["length"]=> 25 int(0) 26} 27
