7 files changed, 338 insertions, 0 deletions
diff --git a/src/tests/xxe/config/disable_xxe.ini b/src/tests/xxe/config/disable_xxe.ini
new file mode 100644
index 0000000..bc9d1f2
--- /dev/null
+++ b/src/tests/xxe/config/disable_xxe.ini
@@ -0,0 +1 @@
+sp.disable_xxe.enable();
diff --git a/src/tests/xxe/config/disable_xxe_disable.ini b/src/tests/xxe/config/disable_xxe_disable.ini
new file mode 100644
index 0000000..bb1e432
--- /dev/null
+++ b/src/tests/xxe/config/disable_xxe_disable.ini
@@ -0,0 +1 @@
+sp.disable_xxe.disable();
diff --git a/src/tests/xxe/disable_xxe_dom.phpt b/src/tests/xxe/disable_xxe_dom.phpt
new file mode 100644
index 0000000..e1459e3
--- /dev/null
+++ b/src/tests/xxe/disable_xxe_dom.phpt
@@ -0,0 +1,73 @@
+--TEST--
+Disable XXE
+--SKIPIF--
+<?php
+ if (!extension_loaded("snuffleupagus")) {
+  echo "skip"; 
+} elseif (!extension_loaded("dom")) {
+        echo "skip";
+}
+ ?>
+--INI--
+sp.configuration_file={PWD}/config/disable_xxe.ini
+--FILE--
+<?php 
+$dir = __DIR__;
+$content = 'WARNING, external entity loaded!';
+file_put_contents('content.txt', $content);
+$xml = <<<EOD
+<?xml version="1.0"?>
+<!DOCTYPE root
+[
+<!ENTITY foo SYSTEM "file://$dir/content.txt">
+]>
+<test><testing>&foo;</testing></test>
+EOD;
+file_put_contents('content.xml', $xml);
+libxml_disable_entity_loader(true);
+$dom = new DOMDocument('1.0');
+$dom->loadXML($xml, LIBXML_DTDATTR|LIBXML_DTDLOAD|LIBXML_NOENT);
+printf("libxml_disable_entity to true: %s\n", $dom->getElementsByTagName('testing')->item(0)->nodeValue);
+libxml_disable_entity_loader(false);
+$dom = new DOMDocument('1.0');
+$dom->loadXML($xml, LIBXML_DTDATTR|LIBXML_DTDLOAD|LIBXML_NOENT);
+printf("libxml_disable_entity to false: %s\n", $dom->getElementsByTagName('testing')->item(0)->nodeValue);
+$xml = "<test><testing>foo</testing></test>";
+file_put_contents('content.xml', $xml);
+libxml_disable_entity_loader(false);
+$dom = new DOMDocument('1.0');
+$dom->loadXML($xml, LIBXML_DTDATTR|LIBXML_DTDLOAD|LIBXML_NOENT);
+printf("without xxe: %s", $dom->getElementsByTagName('testing')->item(0)->nodeValue);
+?>
+--EXPECTF--
+Warning: DOMDocument::loadXML(): I/O warning : failed to load external entity "file://%a/content.txt" in %a/disable_xxe_dom.php on line %d
+Warning: DOMDocument::loadXML(): Failure to process entity foo in Entity, line: %d in %a/disable_xxe_dom.php on line %d
+Warning: DOMDocument::loadXML(): Entity 'foo' not defined in Entity, line: %d in %a/disable_xxe_dom.php on line %d
+Notice: Trying to get property %a in %a/disable_xxe_dom.php on line %d
+libxml_disable_entity to true: 
+Warning: DOMDocument::loadXML(): I/O warning : failed to load external entity "file://%a/content.txt" in %a/disable_xxe_dom.php on line %d
+Warning: DOMDocument::loadXML(): Failure to process entity foo in Entity, line: %d in %a/disable_xxe_dom.php on line %d
+Warning: DOMDocument::loadXML(): Entity 'foo' not defined in Entity, line: %d in %a/disable_xxe_dom.php on line %d
+Notice: Trying to get property %a in %a/disable_xxe_dom.php on line %d
+libxml_disable_entity to false: 
+without xxe: foo
+--CLEAN--
+<?php
+$dir = __DIR__;
+unlink($dir . "content.xml");
+unlink($dir . "content.txt");
+?>
diff --git a/src/tests/xxe/disable_xxe_dom_disabled.phpt b/src/tests/xxe/disable_xxe_dom_disabled.phpt
new file mode 100644
index 0000000..a791ebc
--- /dev/null
+++ b/src/tests/xxe/disable_xxe_dom_disabled.phpt
@@ -0,0 +1,55 @@
+--TEST--
+Disable XXE
+--SKIPIF--
+<?php
+ if (!extension_loaded("snuffleupagus")) echo "skip";
+ if (!extension_loaded("dom")) echo "skip";
+ ?>
+--INI--
+sp.configuration_file={PWD}/config/disable_xxe_disable.ini
+--FILE--
+<?php 
+$dir = __DIR__;
+$content = '<content>WARNING, external entity loaded!</content>';
+file_put_contents($dir . '/content.txt', $content);
+$xml = <<<EOD
+<?xml version="1.0"?>
+<!DOCTYPE root
+[
+<!ENTITY foo SYSTEM "file://$dir/content.txt">
+]>
+<test><testing>&foo;</testing></test>
+EOD;
+file_put_contents($dir . '/content.xml', $xml);
+libxml_disable_entity_loader(true);
+$dom = new DOMDocument('1.0');
+$dom->loadXML($xml, LIBXML_DTDATTR|LIBXML_DTDLOAD|LIBXML_NOENT);
+printf("libxml_disable_entity to true: %s\n", $dom->getElementsByTagName('testing')->item(0)->nodeValue);
+libxml_disable_entity_loader(false);
+$dom = new DOMDocument('1.0');
+$dom->loadXML($xml, LIBXML_DTDATTR|LIBXML_DTDLOAD|LIBXML_NOENT);
+printf("libxml_disable_entity to false: %s\n", $dom->getElementsByTagName('testing')->item(0)->nodeValue);
+$xml = "<test><testing>foo</testing></test>";
+file_put_contents('content.xml', $xml);
+libxml_disable_entity_loader(false);
+$dom = new DOMDocument('1.0');
+$dom->loadXML($xml, LIBXML_DTDATTR|LIBXML_DTDLOAD|LIBXML_NOENT);
+printf("without xxe: %s", $dom->getElementsByTagName('testing')->item(0)->nodeValue);
+?>
+--EXPECTF-- 
+libxml_disable_entity to true: WARNING, external entity loaded!
+libxml_disable_entity to false: WARNING, external entity loaded!
+without xxe: foo
+--CLEAN--
+<?php
+$dir = __DIR__;
+unlink($dir . "/content.xml");
+unlink($dir . "/content.txt");
+?>
diff --git a/src/tests/xxe/disable_xxe_simplexml.phpt b/src/tests/xxe/disable_xxe_simplexml.phpt
new file mode 100644
index 0000000..88396c0
--- /dev/null
+++ b/src/tests/xxe/disable_xxe_simplexml.phpt
@@ -0,0 +1,51 @@
+--TEST--
+Disable XXE
+--SKIPIF--
+<?php
+ if (!extension_loaded("snuffleupagus")) echo "skip";
+ if (!extension_loaded("simplexml")) echo "skip";
+ ?>
+--INI--
+sp.configuration_file={PWD}/config/disable_xxe.ini
+--FILE--
+<?php 
+$dir = __DIR__;
+$content = 'WARNING, external entity loaded!';
+file_put_contents('content.txt', $content);
+$xml = <<<EOD
+<?xml version="1.0"?>
+<!DOCTYPE root
+[
+<!ENTITY foo SYSTEM "file://$dir/content.txt">
+]>
+<test><testing>&foo;</testing></test>
+EOD;
+file_put_contents('content.xml', $xml);
+libxml_disable_entity_loader(true);
+$doc = new SimpleXMLElement($xml);
+printf("libxml_disable_entity to true: %s\n", $doc->testing);
+libxml_disable_entity_loader(false);
+$doc = new SimpleXMLElement($xml);
+printf("libxml_disable_entity to false: %s\n", $doc->testing);
+$xml = "<test><testing>foo</testing></test>";
+file_put_contents('content.xml', $xml);
+$doc = new SimpleXMLElement($xml);
+printf("without xxe: %s", $doc->testing);
+?>
+--EXPECT--
+libxml_disable_entity to true: 
+libxml_disable_entity to false: 
+without xxe: foo
+--CLEAN--
+<?php
+$dir = __DIR__;
+unlink($dir . "/content.xml");
+unlink($dir . "/content.txt");
+?>
diff --git a/src/tests/xxe/disable_xxe_simplexml_oop.phpt b/src/tests/xxe/disable_xxe_simplexml_oop.phpt
new file mode 100644
index 0000000..43c4fbf
--- /dev/null
+++ b/src/tests/xxe/disable_xxe_simplexml_oop.phpt
@@ -0,0 +1,51 @@
+--TEST--
+Disable XXE
+--SKIPIF--
+<?php
+ if (!extension_loaded("snuffleupagus")) echo "skip";
+ if (!extension_loaded("simplexml")) echo "skip";
+ ?>
+--INI--
+sp.configuration_file={PWD}/config/disable_xxe.ini
+--FILE--
+<?php 
+$dir = __DIR__;
+$content = 'WARNING, external entity loaded!';
+file_put_contents('content.txt', $content);
+$xml = <<<EOD
+<?xml version="1.0"?>
+<!DOCTYPE root
+[
+<!ENTITY foo SYSTEM "file://$dir/content.txt">
+]>
+<test><testing>&foo;</testing></test>
+EOD;
+file_put_contents('content.xml', $xml);
+libxml_disable_entity_loader(true);
+$doc = simplexml_load_string($xml);
+printf("libxml_disable_entity to true: %s\n", $doc->testing);
+libxml_disable_entity_loader(false);
+$doc = simplexml_load_string($xml);
+printf("libxml_disable_entity to false: %s\n", $doc->testing);
+$xml = "<test><testing>foo</testing></test>";
+file_put_contents('content.xml', $xml);
+$doc = simplexml_load_string($xml);
+printf("without xxe: %s", $doc->testing);
+?>
+--EXPECT--
+libxml_disable_entity to true: 
+libxml_disable_entity to false: 
+without xxe: foo
+--CLEAN--
+<?php
+$dir = __DIR__;
+unlink($dir . "/content.xml");
+unlink($dir . "/content.txt");
+?>
diff --git a/src/tests/xxe/disable_xxe_xml_parse.phpt b/src/tests/xxe/disable_xxe_xml_parse.phpt
new file mode 100644
index 0000000..ca77729
--- /dev/null
+++ b/src/tests/xxe/disable_xxe_xml_parse.phpt
@@ -0,0 +1,106 @@
+--TEST--
+Disable XXE in xml_parse
+--SKIPIF--
+<?php
+ if (!extension_loaded("snuffleupagus")) {
+  echo "skip because snuffleupagus isn't loaded";
+} elseif (!extension_loaded("xml")) {
+  echo "skip because the `xml` extension isn't loaded";
+}
+ ?>
+--INI--
+sp.configuration_file={PWD}/config/disable_xxe.ini
+--FILE--
+<?php 
+$dir = __DIR__;
+$content = 'WARNING, external entity loaded!';
+file_put_contents('content.txt', $content);
+$xml = <<<EOD
+<?xml version="1.0"?>
+<!DOCTYPE root
+[
+<!ENTITY foo SYSTEM "file://$dir/content.txt">
+]>
+<test><testing>&foo;</testing></test>
+EOD;
+file_put_contents('content.xml', $xml);
+function create_parser() {
+        $parser = xml_parser_create();
+        xml_set_element_handler(
+                $parser,
+                function($parser, $name, array $attributes) {
+                        var_dump($name);
+                        echo "\n";
+                        var_dump($attributes);
+                },
+                function($parser, $name) {
+                        var_dump($name);
+                }
+        );
+        xml_set_character_data_handler(
+                $parser,
+                function ($parser, $text){
+                        echo 'text' . $text;
+                }
+        );
+        return $parser;
+}
+libxml_disable_entity_loader(true);
+$parser = create_parser();
+$doc = xml_parse($parser, $xml, true);
+xml_parser_free($parser);
+libxml_disable_entity_loader(false);
+$parser = create_parser();
+$doc = xml_parse($parser, $xml, true);
+xml_parser_free($parser);
+$xml = "<test><testing>foo</testing></test>";
+file_put_contents('content.xml', $xml);
+$parser = create_parser();
+$doc = xml_parse($parser, $xml, true);
+xml_parser_free($parser);
+--EXPECT--
+string(4) "TEST"
+array(0) {
+}
+string(7) "TESTING"
+array(0) {
+}
+string(7) "TESTING"
+string(4) "TEST"
+string(4) "TEST"
+array(0) {
+}
+string(7) "TESTING"
+array(0) {
+}
+string(7) "TESTING"
+string(4) "TEST"
+string(4) "TEST"
+array(0) {
+}
+string(7) "TESTING"
+array(0) {
+}
+textfoostring(7) "TESTING"
+string(4) "TEST"
+--CLEAN--
+<?php
+$dir = __DIR__;
+unlink($dir . "/content.xml");
+unlink($dir . "/content.txt");
+?>

diff --git a/src/tests/xxe/config/disable_xxe.ini b/src/tests/xxe/config/disable_xxe.ini new file mode 100644 index 0000000..bc9d1f2 --- /dev/null +++ b/src/tests/xxe/config/disable_xxe.ini
@@ -0,0 +1 @@
		sp.disable_xxe.enable();


diff --git a/src/tests/xxe/config/disable_xxe_disable.ini b/src/tests/xxe/config/disable_xxe_disable.ini new file mode 100644 index 0000000..bb1e432 --- /dev/null +++ b/src/tests/xxe/config/disable_xxe_disable.ini
@@ -0,0 +1 @@
		sp.disable_xxe.disable();


diff --git a/src/tests/xxe/disable_xxe_dom.phpt b/src/tests/xxe/disable_xxe_dom.phpt new file mode 100644 index 0000000..e1459e3 --- /dev/null +++ b/src/tests/xxe/disable_xxe_dom.phpt
@@ -0,0 +1,73 @@
	1	--TEST--
	2	Disable XXE
	3	--SKIPIF--
	4	<?php
	5	if (!extension_loaded("snuffleupagus")) {
	6	echo "skip";
	7	} elseif (!extension_loaded("dom")) {
	8	echo "skip";
	9	}
	10	?>
	11	--INI--
	12	sp.configuration_file={PWD}/config/disable_xxe.ini
	13	--FILE--
	14	<?php
	15	$dir = __DIR__;
	16	$content = 'WARNING, external entity loaded!';
	17	file_put_contents('content.txt', $content);
	18
	19	$xml = <<<EOD
	20	<?xml version="1.0"?>
	21	<!DOCTYPE root
	22	[
	23	<!ENTITY foo SYSTEM "file://$dir/content.txt">
	24	]>
	25	<test><testing>&foo;</testing></test>
	26	EOD;
	27
	28	file_put_contents('content.xml', $xml);
	29
	30	libxml_disable_entity_loader(true);
	31	$dom = new DOMDocument('1.0');
	32	$dom->loadXML($xml, LIBXML_DTDATTR\|LIBXML_DTDLOAD\|LIBXML_NOENT);
	33	printf("libxml_disable_entity to true: %s\n", $dom->getElementsByTagName('testing')->item(0)->nodeValue);
	34
	35	libxml_disable_entity_loader(false);
	36	$dom = new DOMDocument('1.0');
	37	$dom->loadXML($xml, LIBXML_DTDATTR\|LIBXML_DTDLOAD\|LIBXML_NOENT);
	38	printf("libxml_disable_entity to false: %s\n", $dom->getElementsByTagName('testing')->item(0)->nodeValue);
	39
	40	$xml = "<test><testing>foo</testing></test>";
	41	file_put_contents('content.xml', $xml);
	42
	43	libxml_disable_entity_loader(false);
	44	$dom = new DOMDocument('1.0');
	45	$dom->loadXML($xml, LIBXML_DTDATTR\|LIBXML_DTDLOAD\|LIBXML_NOENT);
	46	printf("without xxe: %s", $dom->getElementsByTagName('testing')->item(0)->nodeValue);
	47
	48	?>
	49	--EXPECTF--
	50	Warning: DOMDocument::loadXML(): I/O warning : failed to load external entity "file://%a/content.txt" in %a/disable_xxe_dom.php on line %d
	51
	52	Warning: DOMDocument::loadXML(): Failure to process entity foo in Entity, line: %d in %a/disable_xxe_dom.php on line %d
	53
	54	Warning: DOMDocument::loadXML(): Entity 'foo' not defined in Entity, line: %d in %a/disable_xxe_dom.php on line %d
	55
	56	Notice: Trying to get property %a in %a/disable_xxe_dom.php on line %d
	57	libxml_disable_entity to true:
	58
	59	Warning: DOMDocument::loadXML(): I/O warning : failed to load external entity "file://%a/content.txt" in %a/disable_xxe_dom.php on line %d
	60
	61	Warning: DOMDocument::loadXML(): Failure to process entity foo in Entity, line: %d in %a/disable_xxe_dom.php on line %d
	62
	63	Warning: DOMDocument::loadXML(): Entity 'foo' not defined in Entity, line: %d in %a/disable_xxe_dom.php on line %d
	64
	65	Notice: Trying to get property %a in %a/disable_xxe_dom.php on line %d
	66	libxml_disable_entity to false:
	67	without xxe: foo
	68	--CLEAN--
	69	<?php
	70	$dir = __DIR__;
	71	unlink($dir . "content.xml");
	72	unlink($dir . "content.txt");
	73	?>


diff --git a/src/tests/xxe/disable_xxe_dom_disabled.phpt b/src/tests/xxe/disable_xxe_dom_disabled.phpt new file mode 100644 index 0000000..a791ebc --- /dev/null +++ b/src/tests/xxe/disable_xxe_dom_disabled.phpt
@@ -0,0 +1,55 @@
	1	--TEST--
	2	Disable XXE
	3	--SKIPIF--
	4	<?php
	5	if (!extension_loaded("snuffleupagus")) echo "skip";
	6	if (!extension_loaded("dom")) echo "skip";
	7	?>
	8	--INI--
	9	sp.configuration_file={PWD}/config/disable_xxe_disable.ini
	10	--FILE--
	11	<?php
	12	$dir = __DIR__;
	13	$content = '<content>WARNING, external entity loaded!</content>';
	14	file_put_contents($dir . '/content.txt', $content);
	15
	16	$xml = <<<EOD
	17	<?xml version="1.0"?>
	18	<!DOCTYPE root
	19	[
	20	<!ENTITY foo SYSTEM "file://$dir/content.txt">
	21	]>
	22	<test><testing>&foo;</testing></test>
	23	EOD;
	24
	25	file_put_contents($dir . '/content.xml', $xml);
	26
	27	libxml_disable_entity_loader(true);
	28	$dom = new DOMDocument('1.0');
	29	$dom->loadXML($xml, LIBXML_DTDATTR\|LIBXML_DTDLOAD\|LIBXML_NOENT);
	30	printf("libxml_disable_entity to true: %s\n", $dom->getElementsByTagName('testing')->item(0)->nodeValue);
	31
	32	libxml_disable_entity_loader(false);
	33	$dom = new DOMDocument('1.0');
	34	$dom->loadXML($xml, LIBXML_DTDATTR\|LIBXML_DTDLOAD\|LIBXML_NOENT);
	35	printf("libxml_disable_entity to false: %s\n", $dom->getElementsByTagName('testing')->item(0)->nodeValue);
	36
	37	$xml = "<test><testing>foo</testing></test>";
	38	file_put_contents('content.xml', $xml);
	39
	40	libxml_disable_entity_loader(false);
	41	$dom = new DOMDocument('1.0');
	42	$dom->loadXML($xml, LIBXML_DTDATTR\|LIBXML_DTDLOAD\|LIBXML_NOENT);
	43	printf("without xxe: %s", $dom->getElementsByTagName('testing')->item(0)->nodeValue);
	44
	45	?>
	46	--EXPECTF--
	47	libxml_disable_entity to true: WARNING, external entity loaded!
	48	libxml_disable_entity to false: WARNING, external entity loaded!
	49	without xxe: foo
	50	--CLEAN--
	51	<?php
	52	$dir = __DIR__;
	53	unlink($dir . "/content.xml");
	54	unlink($dir . "/content.txt");
	55	?>


diff --git a/src/tests/xxe/disable_xxe_simplexml.phpt b/src/tests/xxe/disable_xxe_simplexml.phpt new file mode 100644 index 0000000..88396c0 --- /dev/null +++ b/src/tests/xxe/disable_xxe_simplexml.phpt
@@ -0,0 +1,51 @@
	1	--TEST--
	2	Disable XXE
	3	--SKIPIF--
	4	<?php
	5	if (!extension_loaded("snuffleupagus")) echo "skip";
	6	if (!extension_loaded("simplexml")) echo "skip";
	7	?>
	8	--INI--
	9	sp.configuration_file={PWD}/config/disable_xxe.ini
	10	--FILE--
	11	<?php
	12	$dir = __DIR__;
	13	$content = 'WARNING, external entity loaded!';
	14	file_put_contents('content.txt', $content);
	15
	16	$xml = <<<EOD
	17	<?xml version="1.0"?>
	18	<!DOCTYPE root
	19	[
	20	<!ENTITY foo SYSTEM "file://$dir/content.txt">
	21	]>
	22	<test><testing>&foo;</testing></test>
	23	EOD;
	24
	25	file_put_contents('content.xml', $xml);
	26
	27	libxml_disable_entity_loader(true);
	28	$doc = new SimpleXMLElement($xml);
	29	printf("libxml_disable_entity to true: %s\n", $doc->testing);
	30
	31	libxml_disable_entity_loader(false);
	32	$doc = new SimpleXMLElement($xml);
	33	printf("libxml_disable_entity to false: %s\n", $doc->testing);
	34
	35	$xml = "<test><testing>foo</testing></test>";
	36	file_put_contents('content.xml', $xml);
	37
	38	$doc = new SimpleXMLElement($xml);
	39	printf("without xxe: %s", $doc->testing);
	40
	41	?>
	42	--EXPECT--
	43	libxml_disable_entity to true:
	44	libxml_disable_entity to false:
	45	without xxe: foo
	46	--CLEAN--
	47	<?php
	48	$dir = __DIR__;
	49	unlink($dir . "/content.xml");
	50	unlink($dir . "/content.txt");
	51	?>


diff --git a/src/tests/xxe/disable_xxe_simplexml_oop.phpt b/src/tests/xxe/disable_xxe_simplexml_oop.phpt new file mode 100644 index 0000000..43c4fbf --- /dev/null +++ b/src/tests/xxe/disable_xxe_simplexml_oop.phpt
@@ -0,0 +1,51 @@
	1	--TEST--
	2	Disable XXE
	3	--SKIPIF--
	4	<?php
	5	if (!extension_loaded("snuffleupagus")) echo "skip";
	6	if (!extension_loaded("simplexml")) echo "skip";
	7	?>
	8	--INI--
	9	sp.configuration_file={PWD}/config/disable_xxe.ini
	10	--FILE--
	11	<?php
	12	$dir = __DIR__;
	13	$content = 'WARNING, external entity loaded!';
	14	file_put_contents('content.txt', $content);
	15
	16	$xml = <<<EOD
	17	<?xml version="1.0"?>
	18	<!DOCTYPE root
	19	[
	20	<!ENTITY foo SYSTEM "file://$dir/content.txt">
	21	]>
	22	<test><testing>&foo;</testing></test>
	23	EOD;
	24
	25	file_put_contents('content.xml', $xml);
	26
	27	libxml_disable_entity_loader(true);
	28	$doc = simplexml_load_string($xml);
	29	printf("libxml_disable_entity to true: %s\n", $doc->testing);
	30
	31	libxml_disable_entity_loader(false);
	32	$doc = simplexml_load_string($xml);
	33	printf("libxml_disable_entity to false: %s\n", $doc->testing);
	34
	35	$xml = "<test><testing>foo</testing></test>";
	36	file_put_contents('content.xml', $xml);
	37
	38	$doc = simplexml_load_string($xml);
	39	printf("without xxe: %s", $doc->testing);
	40
	41	?>
	42	--EXPECT--
	43	libxml_disable_entity to true:
	44	libxml_disable_entity to false:
	45	without xxe: foo
	46	--CLEAN--
	47	<?php
	48	$dir = __DIR__;
	49	unlink($dir . "/content.xml");
	50	unlink($dir . "/content.txt");
	51	?>


diff --git a/src/tests/xxe/disable_xxe_xml_parse.phpt b/src/tests/xxe/disable_xxe_xml_parse.phpt new file mode 100644 index 0000000..ca77729 --- /dev/null +++ b/src/tests/xxe/disable_xxe_xml_parse.phpt
@@ -0,0 +1,106 @@
	1	--TEST--
	2	Disable XXE in xml_parse
	3	--SKIPIF--
	4	<?php
	5	if (!extension_loaded("snuffleupagus")) {
	6	echo "skip because snuffleupagus isn't loaded";
	7	} elseif (!extension_loaded("xml")) {
	8	echo "skip because the `xml` extension isn't loaded";
	9	}
	10	?>
	11	--INI--
	12	sp.configuration_file={PWD}/config/disable_xxe.ini
	13	--FILE--
	14	<?php
	15	$dir = __DIR__;
	16	$content = 'WARNING, external entity loaded!';
	17	file_put_contents('content.txt', $content);
	18
	19	$xml = <<<EOD
	20	<?xml version="1.0"?>
	21	<!DOCTYPE root
	22	[
	23	<!ENTITY foo SYSTEM "file://$dir/content.txt">
	24	]>
	25	<test><testing>&foo;</testing></test>
	26	EOD;
	27
	28	file_put_contents('content.xml', $xml);
	29
	30	function create_parser() {
	31	$parser = xml_parser_create();
	32	xml_set_element_handler(
	33	$parser,
	34	function($parser, $name, array $attributes) {
	35	var_dump($name);
	36	echo "\n";
	37	var_dump($attributes);
	38	},
	39	function($parser, $name) {
	40	var_dump($name);
	41	}
	42	);
	43
	44	xml_set_character_data_handler(
	45	$parser,
	46	function ($parser, $text){
	47	echo 'text' . $text;
	48	}
	49	);
	50
	51	return $parser;
	52	}
	53
	54	libxml_disable_entity_loader(true);
	55	$parser = create_parser();
	56	$doc = xml_parse($parser, $xml, true);
	57	xml_parser_free($parser);
	58
	59	libxml_disable_entity_loader(false);
	60	$parser = create_parser();
	61	$doc = xml_parse($parser, $xml, true);
	62	xml_parser_free($parser);
	63
	64	$xml = "<test><testing>foo</testing></test>";
	65	file_put_contents('content.xml', $xml);
	66	$parser = create_parser();
	67	$doc = xml_parse($parser, $xml, true);
	68	xml_parser_free($parser);
	69
	70	--EXPECT--
	71	string(4) "TEST"
	72
	73	array(0) {
	74	}
	75	string(7) "TESTING"
	76
	77	array(0) {
	78	}
	79	string(7) "TESTING"
	80	string(4) "TEST"
	81	string(4) "TEST"
	82
	83	array(0) {
	84	}
	85	string(7) "TESTING"
	86
	87	array(0) {
	88	}
	89	string(7) "TESTING"
	90	string(4) "TEST"
	91	string(4) "TEST"
	92
	93	array(0) {
	94	}
	95	string(7) "TESTING"
	96
	97	array(0) {
	98	}
	99	textfoostring(7) "TESTING"
	100	string(4) "TEST"
	101	--CLEAN--
	102	<?php
	103	$dir = __DIR__;
	104	unlink($dir . "/content.xml");
	105	unlink($dir . "/content.txt");
	106	?>