Inicio Explorar Ayuda
Iniciar sesión
SoftwareDesign
/
csu3_am335x
8
0
Fork 0
Archivos Incidencias 0 Pull Requests 0 Wiki
Rama: master
Ramas Etiquetas
csu3_am335x
/
EVSE
/
GPL
/
php-8.1.12
/
ext
/
libxml
/
tests
/
bug61367-read.phpt

bug61367-read.phpt 1.8 KB
Permalink Histórico Raw

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667 
  1. --TEST--
    2. 

  2. Bug #61367: open_basedir bypass in libxml RSHUTDOWN: read test
    3. 

  3. --EXTENSIONS--
    4. 

  4. dom
    5. 

  5. --SKIPIF--
    6. 

  6. <?php
    7. 

  7. if (LIBXML_VERSION >= 20912) die('skip For libxml2 < 2.9.12 only');
    8. 

  8. ?>
    9. 

  9. --INI--
    10. 

  10. open_basedir=.
    11. 

  11. --FILE--
    12. 

  12. <?php
    13. 

  13. /*
    14. 

  14.  * Note: Using error_reporting=E_ALL & ~E_NOTICE to suppress "Trying to get property of non-object" notices.
    15. 

  15.  */
    16. 

  16. class StreamExploiter {
    17. 

  17.     public function stream_close (  ) {
    18. 

  18.         $doc = new DOMDocument;
    19. 

  19.         $doc->resolveExternals = true;
    20. 

  20.         $doc->substituteEntities = true;
    21. 

  21.         $dir = htmlspecialchars(dirname(getcwd()));
    22. 

  22.         $dir = str_replace('\\', '/', $dir); // fix for windows
    23. 

  23.         $doc->loadXML( <<<XML
    24. 

  24. <!DOCTYPE doc [
    25. 

  25.     <!ENTITY file SYSTEM "file:///$dir/bad">
    26. 

  26. ]>
    27. 

  27. <doc>&file;</doc>
    28. 

  28. XML
    29. 

  29.         );
    30. 

  30.         print $doc->documentElement->firstChild->nodeValue;
    31. 

  31.     }
    32. 

  32. 

  33.     public function stream_open (  $path ,  $mode ,  $options ,  &$opened_path ) {
    34. 

  34.         return true;
    35. 

  35.     }
    36. 

  36. }
    37. 

  37. 

  38. var_dump(mkdir('test_bug_61367-read'));
    39. 

  39. var_dump(mkdir('test_bug_61367-read/base'));
    40. 

  40. var_dump(file_put_contents('test_bug_61367-read/bad', 'blah'));
    41. 

  41. var_dump(chdir('test_bug_61367-read/base'));
    42. 

  42. 

  43. stream_wrapper_register( 'exploit', 'StreamExploiter' );
    44. 

  44. $s = fopen( 'exploit://', 'r' );
    45. 

  45. 

  46. ?>
    47. 

  47. --CLEAN--
    48. 

  48. <?php
    49. 

  49. unlink('test_bug_61367-read/bad');
    50. 

  50. rmdir('test_bug_61367-read/base');
    51. 

  51. rmdir('test_bug_61367-read');
    52. 

  52. ?>
    53. 

  53. --EXPECTF--
    54. 

  54. bool(true)
    55. 

  55. bool(true)
    56. 

  56. int(4)
    57. 

  57. bool(true)
    58. 

  58. 

  59. Warning: DOMDocument::loadXML(): I/O warning : failed to load external entity "file:///%s/test_bug_61367-read/bad" in %s on line %d
    60. 

  60. 

  61. Warning: DOMDocument::loadXML(): Failure to process entity file in Entity, line: 4 in %s on line %d
    62. 

  62. 

  63. Warning: DOMDocument::loadXML(): Entity 'file' not defined in Entity, line: 4 in %s on line %d
    64. 

  64. 

  65. Warning: Attempt to read property "firstChild" on null in %s on line %d
    66. 

  66. 

  67. Warning: Attempt to read property "nodeValue" on null in %s on line %d
    68.