2012-03-25 19:50:25 +00:00
|
|
|
--TEST--
|
|
|
|
Bug #61367: open_basedir bypass in libxml RSHUTDOWN: write test
|
|
|
|
--SKIPIF--
|
|
|
|
<?php if(!extension_loaded('dom')) echo 'skip'; ?>
|
|
|
|
--INI--
|
|
|
|
open_basedir=.
|
|
|
|
--FILE--
|
|
|
|
<?php
|
|
|
|
|
|
|
|
class StreamExploiter {
|
|
|
|
public function stream_close ( ) {
|
|
|
|
$doc = new DOMDocument;
|
|
|
|
$doc->appendChild($doc->createTextNode('hello'));
|
|
|
|
var_dump($doc->save(dirname(getcwd()) . '/bad'));
|
|
|
|
}
|
|
|
|
|
|
|
|
public function stream_open ( $path , $mode , $options , &$opened_path ) {
|
|
|
|
return true;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2013-09-18 08:53:11 +00:00
|
|
|
var_dump(mkdir('test_bug_61367-write'));
|
|
|
|
var_dump(mkdir('test_bug_61367-write/base'));
|
|
|
|
var_dump(file_put_contents('test_bug_61367-write/bad', 'blah'));
|
|
|
|
var_dump(chdir('test_bug_61367-write/base'));
|
2012-03-25 19:50:25 +00:00
|
|
|
|
|
|
|
stream_wrapper_register( 'exploit', 'StreamExploiter' );
|
|
|
|
$s = fopen( 'exploit://', 'r' );
|
|
|
|
|
|
|
|
?>
|
|
|
|
--CLEAN--
|
|
|
|
<?php
|
2013-09-18 08:53:11 +00:00
|
|
|
@unlink('test_bug_61367-write/bad');
|
|
|
|
rmdir('test_bug_61367-write/base');
|
|
|
|
rmdir('test_bug_61367-write');
|
2012-03-25 19:50:25 +00:00
|
|
|
?>
|
|
|
|
--EXPECTF--
|
|
|
|
bool(true)
|
|
|
|
bool(true)
|
|
|
|
int(4)
|
|
|
|
bool(true)
|
|
|
|
|
|
|
|
Warning: DOMDocument::save(): open_basedir restriction in effect. File(%s) is not within the allowed path(s): (.) in %s on line %d
|
|
|
|
|
|
|
|
Warning: DOMDocument::save(%s): failed to open stream: Operation not permitted in %s on line %d
|
|
|
|
bool(false)
|