Find this useful? Enter your email to receive occasional updates for securing PHP code.
Signing you up...
Thank you for signing up!
PHP Decode
--TEST-- Bug #54446 (Arbitrary file creation via libxslt 'output' extension) --EXTENSIONS-..
Decoded Output download
--TEST--
Bug #54446 (Arbitrary file creation via libxslt 'output' extension)
--EXTENSIONS--
xsl
--FILE--
<?php
include("prepare.inc");
$outputfile = __DIR__."/bug54446test.txt";
if (file_exists($outputfile)) {
unlink($outputfile);
}
$sXsl = <<<EOT
<xsl:stylesheet version="1.0"
xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
xmlns:sax="http://icl.com/saxon"
extension-element-prefixes="sax">
<xsl:template match="/">
<sax:output href="$outputfile" method="text">
<xsl:value-of select="'0wn3d via PHP and libxslt ...'"/>
</sax:output>
</xsl:template>
</xsl:stylesheet>
EOT;
$xsl->loadXML( $sXsl );
# START XSLT
$proc->importStylesheet( $xsl );
# TRASNFORM & PRINT
print $proc->transformToXML( $dom );
if (file_exists($outputfile)) {
print "$outputfile exists, but shouldn't!
";
} else {
print "OK, no file created
";
}
#SET NO SECURITY PREFS
$proc->setSecurityPrefs(XSL_SECPREF_NONE);
# TRASNFORM & PRINT
print $proc->transformToXML( $dom );
if (file_exists($outputfile)) {
print "OK, file exists
";
} else {
print "$outputfile doesn't exist, but should!
";
}
unlink($outputfile);
#SET SECURITY PREFS AGAIN
$proc->setSecurityPrefs( XSL_SECPREF_WRITE_FILE | XSL_SECPREF_WRITE_NETWORK | XSL_SECPREF_CREATE_DIRECTORY);
# TRASNFORM & PRINT
print $proc->transformToXML( $dom );
if (file_exists($outputfile)) {
print "$outputfile exists, but shouldn't!
";
} else {
print "OK, no file created
";
}
?>
--EXPECTF--
Warning: XSLTProcessor::transformToXml(): runtime error: file %s line %s element output in %s on line %d
Warning: XSLTProcessor::transformToXml(): File write for %s/bug54446test.txt refused in %s on line %d
Warning: XSLTProcessor::transformToXml(): runtime error: file %s line %d element output in %s on line %d
Warning: XSLTProcessor::transformToXml(): xsltDocumentElem: write rights for %s/bug54446test.txt denied in %s on line %d
OK, no file created
OK, file exists
Warning: XSLTProcessor::transformToXml(): runtime error: file %s line %s element output in %s on line %d
Warning: XSLTProcessor::transformToXml(): File write for %s/bug54446test.txt refused in %s on line %d
Warning: XSLTProcessor::transformToXml(): runtime error: file %s line %d element output in %s on line %d
Warning: XSLTProcessor::transformToXml(): xsltDocumentElem: write rights for %s/bug54446test.txt denied in %s on line %d
OK, no file created
--CREDITS--
Christian Stocker, [email protected]
Did this file decode correctly?
Original Code
--TEST--
Bug #54446 (Arbitrary file creation via libxslt 'output' extension)
--EXTENSIONS--
xsl
--FILE--
<?php
include("prepare.inc");
$outputfile = __DIR__."/bug54446test.txt";
if (file_exists($outputfile)) {
unlink($outputfile);
}
$sXsl = <<<EOT
<xsl:stylesheet version="1.0"
xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
xmlns:sax="http://icl.com/saxon"
extension-element-prefixes="sax">
<xsl:template match="/">
<sax:output href="$outputfile" method="text">
<xsl:value-of select="'0wn3d via PHP and libxslt ...'"/>
</sax:output>
</xsl:template>
</xsl:stylesheet>
EOT;
$xsl->loadXML( $sXsl );
# START XSLT
$proc->importStylesheet( $xsl );
# TRASNFORM & PRINT
print $proc->transformToXML( $dom );
if (file_exists($outputfile)) {
print "$outputfile exists, but shouldn't!\n";
} else {
print "OK, no file created\n";
}
#SET NO SECURITY PREFS
$proc->setSecurityPrefs(XSL_SECPREF_NONE);
# TRASNFORM & PRINT
print $proc->transformToXML( $dom );
if (file_exists($outputfile)) {
print "OK, file exists\n";
} else {
print "$outputfile doesn't exist, but should!\n";
}
unlink($outputfile);
#SET SECURITY PREFS AGAIN
$proc->setSecurityPrefs( XSL_SECPREF_WRITE_FILE | XSL_SECPREF_WRITE_NETWORK | XSL_SECPREF_CREATE_DIRECTORY);
# TRASNFORM & PRINT
print $proc->transformToXML( $dom );
if (file_exists($outputfile)) {
print "$outputfile exists, but shouldn't!\n";
} else {
print "OK, no file created\n";
}
?>
--EXPECTF--
Warning: XSLTProcessor::transformToXml(): runtime error: file %s line %s element output in %s on line %d
Warning: XSLTProcessor::transformToXml(): File write for %s/bug54446test.txt refused in %s on line %d
Warning: XSLTProcessor::transformToXml(): runtime error: file %s line %d element output in %s on line %d
Warning: XSLTProcessor::transformToXml(): xsltDocumentElem: write rights for %s/bug54446test.txt denied in %s on line %d
OK, no file created
OK, file exists
Warning: XSLTProcessor::transformToXml(): runtime error: file %s line %s element output in %s on line %d
Warning: XSLTProcessor::transformToXml(): File write for %s/bug54446test.txt refused in %s on line %d
Warning: XSLTProcessor::transformToXml(): runtime error: file %s line %d element output in %s on line %d
Warning: XSLTProcessor::transformToXml(): xsltDocumentElem: write rights for %s/bug54446test.txt denied in %s on line %d
OK, no file created
--CREDITS--
Christian Stocker, [email protected]
Function Calls
None |
Stats
MD5 | 003fc5933a24e1b609bc6c2d271bedb4 |
Eval Count | 0 |
Decode Time | 100 ms |