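--TEST--
Bug #61367: open_basedir bypass in libxml RSHUTDOWN: read test
--EXTENSIONS--
dom
--SKIPIF--
<?php
if (LIBXML_VERSION < 20912) die('skip For libxml2 >= 2.9.12 only');
?>
--INI--
open_basedir=.
--FILE--
<?php
/*
 * Regression test for bug #61367 (read variant).
 *
 * Layout: open_basedir is "." and the script chdir()s into
 * test_bug_61367-read/base before opening the stream, so
 * test_bug_61367-read/bad sits one directory above the allowed base.
 * "." is resolved against the current working directory, which is why the
 * chdir() below is what puts `bad` out of bounds.
 *
 * Timing: $s is never fclose()d, so StreamExploiter::stream_close() only runs
 * when the stream is released at the end of the request. Presumably this is
 * the libxml RSHUTDOWN window named in the test title.
 *
 * Pass condition (see --EXPECTF--): loadXML() reports "failed to load", the
 * document element has no child, and the fixture content 'blah' never
 * reaches the output.
 *
 * error_reporting is not changed by this test: the 'Attempt to read property
 * "nodeValue" on null' warning is part of the expected output, not suppressed.
 */
class StreamExploiter {
    // Declared because PHP's stream layer assigns the stream context to this
    // property on wrapper instances.
    public $context;

    /**
     * Called by the stream layer when the exploit:// handle is closed.
     *
     * Tries to pull a file from outside open_basedir into a document through
     * an external entity and prints whatever text ended up in <doc>.
     */
    public function stream_close() {
        $doc = new DOMDocument;
        // Ask the parser to resolve external references and substitute
        // entities, so &file; would be replaced by the file content if the
        // read were allowed. This is deliberately the XXE-prone configuration;
        // code parsing untrusted XML should leave both switches off.
        $doc->resolveExternals = true;
        $doc->substituteEntities = true;
        // Parent of the working directory, i.e. the directory holding `bad`.
        // Escaped because the path is interpolated into XML markup.
        $dir = htmlspecialchars(dirname(getcwd()));
        $dir = str_replace('\\', '/', $dir); // fix for windows
        $doc->loadXML( <<<XML
<!DOCTYPE doc [
    <!ENTITY file SYSTEM "file:///$dir/bad">
]>
<doc>&file;</doc>
XML
        );
        // With open_basedir enforced the entity is not loaded, firstChild is
        // null and this line raises the warning listed in --EXPECTF--.
        print $doc->documentElement->firstChild->nodeValue;
    }

    /**
     * Accepts every open request so that fopen('exploit://') yields a handle
     * whose close callback is stream_close() above.
     */
    public function stream_open($path, $mode, $options, &$opened_path) {
        return true;
    }
}

// Fixture: <cwd>/test_bug_61367-read/bad is the file that must stay unreadable,
// <cwd>/test_bug_61367-read/base becomes the working directory.
var_dump(mkdir('test_bug_61367-read'));
var_dump(mkdir('test_bug_61367-read/base'));
var_dump(file_put_contents('test_bug_61367-read/bad', 'blah'));
var_dump(chdir('test_bug_61367-read/base'));

stream_wrapper_register('exploit', 'StreamExploiter');
// Intentionally left open: the close callback must fire at end of request.
$s = fopen('exploit://', 'r');

?>
--CLEAN--
<?php
// Remove the fixture tree created by --FILE--.
unlink('test_bug_61367-read/bad');
rmdir('test_bug_61367-read/base');
rmdir('test_bug_61367-read');
?>
--EXPECTF--
bool(true)
bool(true)
int(4)
bool(true)

%s: DOMDocument::loadXML(): %Sfailed to load %s

Warning: Attempt to read property "nodeValue" on null in %s on line %d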