Эхлэл Бүгдийг харах Тусламж
Нэвтрэх
8516
/
Test
1
0
Салаа 0
Файлууд Асуудлууд 0 Хуулах хүсэлтүүд 0 Мэдлэгийн сан
Салаа: master
Салаанууд Тагууд
Test
/
EVSE
/
GPL
/
php-5.6.40
/
ext
/
libxml
/
tests
/
bug61367-read.phpt

bug61367-read.phpt 1.6 KB
Байнгын холболт Түүх Анхны өгөгдөл

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960 
  1. --TEST--
    2. 

  2. Bug #61367: open_basedir bypass in libxml RSHUTDOWN: read test
    3. 

  3. --SKIPIF--
    4. 

  4. <?php if(!extension_loaded('dom')) echo 'skip'; ?>
    5. 

  5. --INI--
    6. 

  6. open_basedir=.
    7. 

  7. error_reporting=E_ALL & ~E_NOTICE
    8. 

  8. --FILE--
    9. 

  9. <?php
    10. 

  10. /*
    11. 

  11.  * Note: Using error_reporting=E_ALL & ~E_NOTICE to suppress "Trying to get property of non-object" notices.
    12. 

  12.  */
    13. 

  13. class StreamExploiter {
    14. 

  14. 	public function stream_close (  ) {
    15. 

  15. 		$doc = new DOMDocument;
    16. 

  16. 		$doc->resolveExternals = true;
    17. 

  17. 		$doc->substituteEntities = true;
    18. 

  18. 		$dir = htmlspecialchars(dirname(getcwd()));
    19. 

  19. 		$dir = str_replace('\\', '/', $dir); // fix for windows
    20. 

  20. 		$doc->loadXML( <<<XML
    21. 

  21. <!DOCTYPE doc [
    22. 

  22. 	<!ENTITY file SYSTEM "file:///$dir/bad">
    23. 

  23. ]>
    24. 

  24. <doc>&file;</doc>
    25. 

  25. XML
    26. 

  26. 		);
    27. 

  27. 		print $doc->documentElement->firstChild->nodeValue;
    28. 

  28. 	}
    29. 

  29. 

  30. 	public function stream_open (  $path ,  $mode ,  $options ,  &$opened_path ) {
    31. 

  31. 		return true;
    32. 

  32. 	}
    33. 

  33. }
    34. 

  34. 

  35. var_dump(mkdir('test_bug_61367-read'));
    36. 

  36. var_dump(mkdir('test_bug_61367-read/base'));
    37. 

  37. var_dump(file_put_contents('test_bug_61367-read/bad', 'blah'));
    38. 

  38. var_dump(chdir('test_bug_61367-read/base'));
    39. 

  39. 

  40. stream_wrapper_register( 'exploit', 'StreamExploiter' );
    41. 

  41. $s = fopen( 'exploit://', 'r' );
    42. 

  42. 

  43. ?>
    44. 

  44. --CLEAN--
    45. 

  45. <?php
    46. 

  46. unlink('test_bug_61367-read/bad');
    47. 

  47. rmdir('test_bug_61367-read/base');
    48. 

  48. rmdir('test_bug_61367-read');
    49. 

  49. ?>
    50. 

  50. --EXPECTF--
    51. 

  51. bool(true)
    52. 

  52. bool(true)
    53. 

  53. int(4)
    54. 

  54. bool(true)
    55. 

  55. 

  56. Warning: DOMDocument::loadXML(): I/O warning : failed to load external entity "file:///%s/test_bug_61367-read/bad" in %s on line %d
    57. 

  57. 

  58. Warning: DOMDocument::loadXML(): Failure to process entity file in Entity, line: 4 in %s on line %d
    59. 

  59. 

  60. Warning: DOMDocument::loadXML(): Entity 'file' not defined in Entity, line: 4 in %s on line %d
    61.