1--TEST-- 2Bug #61367: open_basedir bypass in libxml RSHUTDOWN: write test 3--SKIPIF-- 4<?php if(!extension_loaded('dom')) echo 'skip'; ?> 5--INI-- 6open_basedir=. 7--FILE-- 8<?php 9 10class StreamExploiter { 11 public function stream_close ( ) { 12 $doc = new DOMDocument; 13 $doc->appendChild($doc->createTextNode('hello')); 14 var_dump($doc->save(dirname(getcwd()) . '/bad')); 15 } 16 17 public function stream_open ( $path , $mode , $options , &$opened_path ) { 18 return true; 19 } 20} 21 22var_dump(mkdir('test_bug_61367-write')); 23var_dump(mkdir('test_bug_61367-write/base')); 24var_dump(file_put_contents('test_bug_61367-write/bad', 'blah')); 25var_dump(chdir('test_bug_61367-write/base')); 26 27stream_wrapper_register( 'exploit', 'StreamExploiter' ); 28$s = fopen( 'exploit://', 'r' ); 29 30?> 31--CLEAN-- 32<?php 33@unlink('test_bug_61367-write/bad'); 34rmdir('test_bug_61367-write/base'); 35rmdir('test_bug_61367-write'); 36?> 37--EXPECTF-- 38bool(true) 39bool(true) 40int(4) 41bool(true) 42 43Warning: DOMDocument::save(): open_basedir restriction in effect. File(%s) is not within the allowed path(s): (.) in %s on line %d 44 45Warning: DOMDocument::save(%s): failed to open stream: Operation not permitted in %s on line %d 46bool(false) 47
