diff options
| author | Christian Stocker <chregu@php.net> | 2011-10-10 07:59:19 +0000 |
|---|---|---|
| committer | Christian Stocker <chregu@php.net> | 2011-10-10 07:59:19 +0000 |
| commit | eb039d57839a81f43ae010877c9d91053de025f1 (patch) | |
| tree | a8d359270fbbce9d458700b49a23c0c29e2de0d1 /ext/xsl/tests | |
| parent | da110e2065d9a45756194051a9f02637e5d6fbf7 (diff) | |
| download | php-git-eb039d57839a81f43ae010877c9d91053de025f1.tar.gz | |
Added the xsl.security_prefs option to 5_4 and trunk and
mark it as deprecated for BC-reasons
Added tests for ini option and combination of both
Diffstat (limited to 'ext/xsl/tests')
| -rw-r--r-- | ext/xsl/tests/bug54446_with_ini.phpt | 135 |
1 files changed, 135 insertions, 0 deletions
diff --git a/ext/xsl/tests/bug54446_with_ini.phpt b/ext/xsl/tests/bug54446_with_ini.phpt new file mode 100644 index 0000000000..fbe03659d3 --- /dev/null +++ b/ext/xsl/tests/bug54446_with_ini.phpt @@ -0,0 +1,135 @@ +--TEST-- +Bug #54446 (Arbitrary file creation via libxslt 'output' extension with php.ini setting) +--SKIPIF-- +<?php +if (!extension_loaded('xsl')) die("skip Extension XSL is required\n"); +?> +--FILE-- +<?php +include("prepare.inc"); + +$outputfile = dirname(__FILE__)."/bug54446test.txt"; +if (file_exists($outputfile)) { + unlink($outputfile); +} + +$sXsl = <<<EOT +<xsl:stylesheet version="1.0" + xmlns:xsl="http://www.w3.org/1999/XSL/Transform" + xmlns:sax="http://icl.com/saxon" + extension-element-prefixes="sax"> + + <xsl:template match="/"> + <sax:output href="$outputfile" method="text"> + <xsl:value-of select="'0wn3d via PHP and libxslt ...'"/> + </sax:output> + </xsl:template> + +</xsl:stylesheet> +EOT; + +$xsl->loadXML( $sXsl ); + +# START XSLT +$proc->importStylesheet( $xsl ); + +# TRASNFORM & PRINT +print $proc->transformToXML( $dom ); + + +if (file_exists($outputfile)) { + print "$outputfile exists, but shouldn't!\n"; +} else { + print "OK, no file created\n"; +} + +#SET NO SECURITY PREFS +ini_set("xsl.security_prefs", XSL_SECPREF_NONE); + +# TRASNFORM & PRINT +print $proc->transformToXML( $dom ); + + +if (file_exists($outputfile)) { + print "OK, file exists\n"; +} else { + print "$outputfile doesn't exist, but should!\n"; +} + +unlink($outputfile); + +#SET SECURITY PREFS AGAIN +ini_set("xsl.security_prefs", XSL_SECPREF_WRITE_FILE | XSL_SECPREF_WRITE_NETWORK | XSL_SECPREF_CREATE_DIRECTORY); + +# TRASNFORM & PRINT +print $proc->transformToXML( $dom ); + +if (file_exists($outputfile)) { + print "$outputfile exists, but shouldn't!\n"; +} else { + print "OK, no file created\n"; +} + +#SET NO SECURITY PREFS with ini, but set them with ->setSecurityPrefs +ini_set("xsl.security_prefs", XSL_SECPREF_NONE); +$proc->setSecurityPrefs( XSL_SECPREF_WRITE_FILE | XSL_SECPREF_WRITE_NETWORK | XSL_SECPREF_CREATE_DIRECTORY); + +print $proc->transformToXML( $dom ); +if (file_exists($outputfile)) { + print "$outputfile exists, but shouldn't!\n"; +} else { + print "OK, no file created\n"; +} + +#don't throw a warning if both ini and through-the-method have the same value +$proc->setSecurityPrefs(XSL_SECPREF_NONE); + +print $proc->transformToXML( $dom ); + +if (file_exists($outputfile)) { + print "OK, file exists\n"; +} else { + print "$outputfile doesn't exist, but should!\n"; +} +unlink($outputfile); + + + +--EXPECTF-- +Warning: XSLTProcessor::transformToXml(): runtime error: file %s line %s element output in %s on line %d + +Warning: XSLTProcessor::transformToXml(): File write for %s/bug54446test.txt refused in %s on line %s + +Warning: XSLTProcessor::transformToXml(): runtime error: file %s line %d element output in %s on line %d + +Warning: XSLTProcessor::transformToXml(): xsltDocumentElem: write rights for %s/bug54446test.txt denied in %s on line %d +OK, no file created + +Deprecated: XSLTProcessor::transformToXml(): The xsl.security_prefs php.ini option is deprecated; use XsltProcessor->setSecurityPrefs() instead in %s on line %d +OK, file exists + +Warning: XSLTProcessor::transformToXml(): runtime error: file %s line %s element output in %s on line %d + +Warning: XSLTProcessor::transformToXml(): File write for %s/bug54446test.txt refused in %s on line %s + +Warning: XSLTProcessor::transformToXml(): runtime error: file %s line %d element output in %s on line %d + +Warning: XSLTProcessor::transformToXml(): xsltDocumentElem: write rights for %s/bug54446test.txt denied in %s on line %d +OK, no file created + +Deprecated: XSLTProcessor::transformToXml(): The xsl.security_prefs php.ini option is deprecated; use XsltProcessor->setSecurityPrefs() instead in %s on line %d + +Notice: XSLTProcessor::transformToXml(): The xsl.security_prefs php.ini was not used, since the XsltProcessor->setSecurityPrefs() method was used in %s on line %d + +Warning: XSLTProcessor::transformToXml(): runtime error: file %s line %s element output in %s on line %d + +Warning: XSLTProcessor::transformToXml(): File write for %s/bug54446test.txt refused in %s on line %s + +Warning: XSLTProcessor::transformToXml(): runtime error: file %s line %d element output in %s on line %d + +Warning: XSLTProcessor::transformToXml(): xsltDocumentElem: write rights for %s/bug54446test.txt denied in %s on line %d +OK, no file created +OK, file exists +--CREDITS-- +Christian Stocker, chregu@php.net + |