File: bug54446_with_ini.phpt

package info (click to toggle)
php5 5.6.7%2Bdfsg-1
  • links: PTS, VCS
  • area: main
  • in suites: jessie-kfreebsd
  • size: 150,376 kB
  • sloc: ansic: 727,510; php: 21,966; sh: 12,356; cpp: 8,763; xml: 6,105; yacc: 1,551; exp: 1,514; makefile: 1,461; pascal: 1,048; awk: 538; perl: 315; sql: 22
file content (135 lines) | stat: -rw-r--r-- 4,240 bytes parent folder | download | duplicates (3) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
 
--TEST--
Bug #54446 (Arbitrary file creation via libxslt 'output' extension with php.ini setting)
--SKIPIF--
<?php
if (!extension_loaded('xsl')) die("skip Extension XSL is required\n");
?>
--FILE--
<?php
include("prepare.inc"); 

$outputfile = dirname(__FILE__)."/bug54446test.txt";
if (file_exists($outputfile)) {
    unlink($outputfile);
}

$sXsl = <<<EOT
<xsl:stylesheet version="1.0"
	xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
	xmlns:sax="http://icl.com/saxon"
	extension-element-prefixes="sax">

	<xsl:template match="/">
		<sax:output href="$outputfile" method="text">
			<xsl:value-of select="'0wn3d via PHP and libxslt ...'"/>
		</sax:output>
	</xsl:template>

</xsl:stylesheet>
EOT;

$xsl->loadXML( $sXsl );

# START XSLT 
$proc->importStylesheet( $xsl ); 

# TRASNFORM & PRINT 
print $proc->transformToXML( $dom ); 


if (file_exists($outputfile)) {
    print "$outputfile exists, but shouldn't!\n";
} else {
    print "OK, no file created\n";
}

#SET NO SECURITY PREFS
ini_set("xsl.security_prefs", XSL_SECPREF_NONE);

# TRASNFORM & PRINT 
print $proc->transformToXML( $dom ); 


if (file_exists($outputfile)) {
    print "OK, file exists\n";
} else {
    print "$outputfile doesn't exist, but should!\n";
}

unlink($outputfile);

#SET SECURITY PREFS AGAIN
ini_set("xsl.security_prefs", XSL_SECPREF_WRITE_FILE |  XSL_SECPREF_WRITE_NETWORK | XSL_SECPREF_CREATE_DIRECTORY);

# TRASNFORM & PRINT 
print $proc->transformToXML( $dom ); 

if (file_exists($outputfile)) {
    print "$outputfile exists, but shouldn't!\n";
} else {
    print "OK, no file created\n";
}

#SET NO SECURITY PREFS with ini, but set them with ->setSecurityPrefs
ini_set("xsl.security_prefs", XSL_SECPREF_NONE);
$proc->setSecurityPrefs( XSL_SECPREF_WRITE_FILE |  XSL_SECPREF_WRITE_NETWORK | XSL_SECPREF_CREATE_DIRECTORY);

print $proc->transformToXML( $dom ); 
if (file_exists($outputfile)) {
    print "$outputfile exists, but shouldn't!\n";
} else {
    print "OK, no file created\n";
}

#don't throw a warning if both ini and through-the-method have the same value
$proc->setSecurityPrefs(XSL_SECPREF_NONE);

print $proc->transformToXML( $dom ); 

if (file_exists($outputfile)) {
    print "OK, file exists\n";
} else {
    print "$outputfile doesn't exist, but should!\n";
}
unlink($outputfile);



--EXPECTF--
Warning: XSLTProcessor::transformToXml(): runtime error: file %s line %s element output in %s on line %d

Warning: XSLTProcessor::transformToXml(): File write for %s/bug54446test.txt refused in %s on line %s

Warning: XSLTProcessor::transformToXml(): runtime error: file %s line %d element output in %s on line %d

Warning: XSLTProcessor::transformToXml(): xsltDocumentElem: write rights for %s/bug54446test.txt denied in %s on line %d
OK, no file created

Deprecated: XSLTProcessor::transformToXml(): The xsl.security_prefs php.ini option is deprecated; use XsltProcessor->setSecurityPrefs() instead in %s on line %d
OK, file exists

Warning: XSLTProcessor::transformToXml(): runtime error: file %s line %s element output in %s on line %d

Warning: XSLTProcessor::transformToXml(): File write for %s/bug54446test.txt refused in %s on line %s

Warning: XSLTProcessor::transformToXml(): runtime error: file %s line %d element output in %s on line %d

Warning: XSLTProcessor::transformToXml(): xsltDocumentElem: write rights for %s/bug54446test.txt denied in %s on line %d
OK, no file created

Deprecated: XSLTProcessor::transformToXml(): The xsl.security_prefs php.ini option is deprecated; use XsltProcessor->setSecurityPrefs() instead in %s on line %d

Notice: XSLTProcessor::transformToXml(): The xsl.security_prefs php.ini was not used, since the  XsltProcessor->setSecurityPrefs() method was used in %s on line %d

Warning: XSLTProcessor::transformToXml(): runtime error: file %s line %s element output in %s on line %d

Warning: XSLTProcessor::transformToXml(): File write for %s/bug54446test.txt refused in %s on line %s

Warning: XSLTProcessor::transformToXml(): runtime error: file %s line %d element output in %s on line %d

Warning: XSLTProcessor::transformToXml(): xsltDocumentElem: write rights for %s/bug54446test.txt denied in %s on line %d
OK, no file created
OK, file exists
--CREDITS--
Christian Stocker, chregu@php.net