Find this useful? Enter your email to receive occasional updates for securing PHP code.

Signing you up...

Thank you for signing up!

PHP Decode

--TEST-- Bug #54446 (Arbitrary file creation via libxslt 'output' extension) --EXTENSIONS-..

Decoded Output download

--TEST--
Bug #54446 (Arbitrary file creation via libxslt 'output' extension)
--EXTENSIONS--
xsl
--FILE--
<?php
include("prepare.inc");

$outputfile = __DIR__."/bug54446test.txt";
if (file_exists($outputfile)) {
    unlink($outputfile);
}

$sXsl = <<<EOT
<xsl:stylesheet version="1.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    xmlns:sax="http://icl.com/saxon"
    extension-element-prefixes="sax">

    <xsl:template match="/">
        <sax:output href="$outputfile" method="text">
            <xsl:value-of select="'0wn3d via PHP and libxslt ...'"/>
        </sax:output>
    </xsl:template>

</xsl:stylesheet>
EOT;

$xsl->loadXML( $sXsl );

# START XSLT
$proc->importStylesheet( $xsl );

# TRASNFORM & PRINT
print $proc->transformToXML( $dom );


if (file_exists($outputfile)) {
    print "$outputfile exists, but shouldn't!
";
} else {
    print "OK, no file created
";
}

#SET NO SECURITY PREFS
$proc->setSecurityPrefs(XSL_SECPREF_NONE);

# TRASNFORM & PRINT
print $proc->transformToXML( $dom );


if (file_exists($outputfile)) {
    print "OK, file exists
";
} else {
    print "$outputfile doesn't exist, but should!
";
}

unlink($outputfile);

#SET SECURITY PREFS AGAIN
$proc->setSecurityPrefs( XSL_SECPREF_WRITE_FILE |  XSL_SECPREF_WRITE_NETWORK | XSL_SECPREF_CREATE_DIRECTORY);

# TRASNFORM & PRINT
print $proc->transformToXML( $dom );

if (file_exists($outputfile)) {
    print "$outputfile exists, but shouldn't!
";
} else {
    print "OK, no file created
";
}
?>
--EXPECTF--
Warning: XSLTProcessor::transformToXml(): runtime error: file %s line %s element output in %s on line %d

Warning: XSLTProcessor::transformToXml(): File write for %s/bug54446test.txt refused in %s on line %d

Warning: XSLTProcessor::transformToXml(): runtime error: file %s line %d element output in %s on line %d

Warning: XSLTProcessor::transformToXml(): xsltDocumentElem: write rights for %s/bug54446test.txt denied in %s on line %d
OK, no file created
OK, file exists

Warning: XSLTProcessor::transformToXml(): runtime error: file %s line %s element output in %s on line %d

Warning: XSLTProcessor::transformToXml(): File write for %s/bug54446test.txt refused in %s on line %d

Warning: XSLTProcessor::transformToXml(): runtime error: file %s line %d element output in %s on line %d

Warning: XSLTProcessor::transformToXml(): xsltDocumentElem: write rights for %s/bug54446test.txt denied in %s on line %d
OK, no file created
--CREDITS--
Christian Stocker, [email protected]

Did this file decode correctly?

Original Code

--TEST--
Bug #54446 (Arbitrary file creation via libxslt 'output' extension)
--EXTENSIONS--
xsl
--FILE--
<?php
include("prepare.inc");

$outputfile = __DIR__."/bug54446test.txt";
if (file_exists($outputfile)) {
    unlink($outputfile);
}

$sXsl = <<<EOT
<xsl:stylesheet version="1.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    xmlns:sax="http://icl.com/saxon"
    extension-element-prefixes="sax">

    <xsl:template match="/">
        <sax:output href="$outputfile" method="text">
            <xsl:value-of select="'0wn3d via PHP and libxslt ...'"/>
        </sax:output>
    </xsl:template>

</xsl:stylesheet>
EOT;

$xsl->loadXML( $sXsl );

# START XSLT
$proc->importStylesheet( $xsl );

# TRASNFORM & PRINT
print $proc->transformToXML( $dom );


if (file_exists($outputfile)) {
    print "$outputfile exists, but shouldn't!\n";
} else {
    print "OK, no file created\n";
}

#SET NO SECURITY PREFS
$proc->setSecurityPrefs(XSL_SECPREF_NONE);

# TRASNFORM & PRINT
print $proc->transformToXML( $dom );


if (file_exists($outputfile)) {
    print "OK, file exists\n";
} else {
    print "$outputfile doesn't exist, but should!\n";
}

unlink($outputfile);

#SET SECURITY PREFS AGAIN
$proc->setSecurityPrefs( XSL_SECPREF_WRITE_FILE |  XSL_SECPREF_WRITE_NETWORK | XSL_SECPREF_CREATE_DIRECTORY);

# TRASNFORM & PRINT
print $proc->transformToXML( $dom );

if (file_exists($outputfile)) {
    print "$outputfile exists, but shouldn't!\n";
} else {
    print "OK, no file created\n";
}
?>
--EXPECTF--
Warning: XSLTProcessor::transformToXml(): runtime error: file %s line %s element output in %s on line %d

Warning: XSLTProcessor::transformToXml(): File write for %s/bug54446test.txt refused in %s on line %d

Warning: XSLTProcessor::transformToXml(): runtime error: file %s line %d element output in %s on line %d

Warning: XSLTProcessor::transformToXml(): xsltDocumentElem: write rights for %s/bug54446test.txt denied in %s on line %d
OK, no file created
OK, file exists

Warning: XSLTProcessor::transformToXml(): runtime error: file %s line %s element output in %s on line %d

Warning: XSLTProcessor::transformToXml(): File write for %s/bug54446test.txt refused in %s on line %d

Warning: XSLTProcessor::transformToXml(): runtime error: file %s line %d element output in %s on line %d

Warning: XSLTProcessor::transformToXml(): xsltDocumentElem: write rights for %s/bug54446test.txt denied in %s on line %d
OK, no file created
--CREDITS--
Christian Stocker, [email protected]

Function Calls

None

Variables

None

Stats

MD5 003fc5933a24e1b609bc6c2d271bedb4
Eval Count 0
Decode Time 100 ms