1 files changed, 104 insertions, 0 deletions
diff --git a/src/tests/disable_xxe_xml_parse.phpt b/src/tests/disable_xxe_xml_parse.phpt
new file mode 100644
index 0000000..944bc38
--- /dev/null
+++ b/src/tests/disable_xxe_xml_parse.phpt
@@ -0,0 +1,104 @@
+--TEST--
+Disable XXE
+--SKIPIF--
+<?php
+ if (!extension_loaded("snuffleupagus")) die "skip";
+ if (!extension_loaded("xml")) die "skip";
+ ?>
+--INI--
+extension=`php-config --extension-dir`/xml.so 
+sp.configuration_file={PWD}/config/disable_xxe.ini
+--FILE--
+<?php 
+$dir = __DIR__;
+$content = 'WARNING, external entity loaded!';
+file_put_contents('content.txt', $content);
+$xml = <<<EOD
+<?xml version="1.0"?>
+<!DOCTYPE root
+[
+<!ENTITY foo SYSTEM "file://$dir/content.txt">
+]>
+<test><testing>&foo;</testing></test>
+EOD;
+file_put_contents('content.xml', $xml);
+function create_parser() {
+        $parser = xml_parser_create();
+        xml_set_element_handler(
+                $parser,
+                function($parser, $name, array $attributes) {
+                        var_dump($name);
+                        echo "\n";
+                        var_dump($attributes);
+                },
+                function($parser, $name) {
+                        var_dump($name);
+                }
+        );
+        xml_set_character_data_handler(
+                $parser,
+                function ($parser, $text){
+                        echo 'text' . $text;
+                }
+        );
+        return $parser;
+}
+libxml_disable_entity_loader(true);
+$parser = create_parser();
+$doc = xml_parse($parser, $xml, true);
+xml_parser_free($parser);
+libxml_disable_entity_loader(false);
+$parser = create_parser();
+$doc = xml_parse($parser, $xml, true);
+xml_parser_free($parser);
+$xml = "<test><testing>foo</testing></test>";
+file_put_contents('content.xml', $xml);
+$parser = create_parser();
+$doc = xml_parse($parser, $xml, true);
+xml_parser_free($parser);
+--EXPECT--
+string(4) "TEST"
+array(0) {
+}
+string(7) "TESTING"
+array(0) {
+}
+string(7) "TESTING"
+string(4) "TEST"
+string(4) "TEST"
+array(0) {
+}
+string(7) "TESTING"
+array(0) {
+}
+string(7) "TESTING"
+string(4) "TEST"
+string(4) "TEST"
+array(0) {
+}
+string(7) "TESTING"
+array(0) {
+}
+textfoostring(7) "TESTING"
+string(4) "TEST"
+--CLEAN--
+<?php
+$dir = __DIR__;
+unlink($dir . "/content.xml");
+unlink($dir . "/content.txt");
+?>

diff --git a/src/tests/disable_xxe_xml_parse.phpt b/src/tests/disable_xxe_xml_parse.phpt new file mode 100644 index 0000000..944bc38 --- /dev/null +++ b/src/tests/disable_xxe_xml_parse.phpt
@@ -0,0 +1,104 @@
	1	--TEST--
	2	Disable XXE
	3	--SKIPIF--
	4	<?php
	5	if (!extension_loaded("snuffleupagus")) die "skip";
	6	if (!extension_loaded("xml")) die "skip";
	7	?>
	8	--INI--
	9	extension=`php-config --extension-dir`/xml.so
	10	sp.configuration_file={PWD}/config/disable_xxe.ini
	11	--FILE--
	12	<?php
	13	$dir = __DIR__;
	14	$content = 'WARNING, external entity loaded!';
	15	file_put_contents('content.txt', $content);
	16
	17	$xml = <<<EOD
	18	<?xml version="1.0"?>
	19	<!DOCTYPE root
	20	[
	21	<!ENTITY foo SYSTEM "file://$dir/content.txt">
	22	]>
	23	<test><testing>&foo;</testing></test>
	24	EOD;
	25
	26	file_put_contents('content.xml', $xml);
	27
	28	function create_parser() {
	29	$parser = xml_parser_create();
	30	xml_set_element_handler(
	31	$parser,
	32	function($parser, $name, array $attributes) {
	33	var_dump($name);
	34	echo "\n";
	35	var_dump($attributes);
	36	},
	37	function($parser, $name) {
	38	var_dump($name);
	39	}
	40	);
	41
	42	xml_set_character_data_handler(
	43	$parser,
	44	function ($parser, $text){
	45	echo 'text' . $text;
	46	}
	47	);
	48
	49	return $parser;
	50	}
	51
	52	libxml_disable_entity_loader(true);
	53	$parser = create_parser();
	54	$doc = xml_parse($parser, $xml, true);
	55	xml_parser_free($parser);
	56
	57	libxml_disable_entity_loader(false);
	58	$parser = create_parser();
	59	$doc = xml_parse($parser, $xml, true);
	60	xml_parser_free($parser);
	61
	62	$xml = "<test><testing>foo</testing></test>";
	63	file_put_contents('content.xml', $xml);
	64	$parser = create_parser();
	65	$doc = xml_parse($parser, $xml, true);
	66	xml_parser_free($parser);
	67
	68	--EXPECT--
	69	string(4) "TEST"
	70
	71	array(0) {
	72	}
	73	string(7) "TESTING"
	74
	75	array(0) {
	76	}
	77	string(7) "TESTING"
	78	string(4) "TEST"
	79	string(4) "TEST"
	80
	81	array(0) {
	82	}
	83	string(7) "TESTING"
	84
	85	array(0) {
	86	}
	87	string(7) "TESTING"
	88	string(4) "TEST"
	89	string(4) "TEST"
	90
	91	array(0) {
	92	}
	93	string(7) "TESTING"
	94
	95	array(0) {
	96	}
	97	textfoostring(7) "TESTING"
	98	string(4) "TEST"
	99	--CLEAN--
	100	<?php
	101	$dir = __DIR__;
	102	unlink($dir . "/content.xml");
	103	unlink($dir . "/content.txt");
	104	?>