Execute a PHP function that returns an array from an XSL file
I am also a noob when it comes to XSL. To be honest, I had no idea it could be this powerful... and dangerous. But I will have a shot at this anyway.
I don't know if it is possible to get the output from a function returning an array. Perhaps you can nest function calls somehow? But given my lack of knowledge about XSL I can't tell you how. So let's work around the whole problem instead. Is there a way to get the directory listing without having to deal with arrays at all?
Enter the PHP manual. The two following functions look useful:
resource opendir ( string $path [, resource $context ] )
Opens up a directory handle to be used in subsequent closedir(), readdir(), and rewinddir() calls.
string readdir ([ resource $dir_handle ] )
Returns the name of the next entry in the directory. The entries are returned in the order in which they are stored by the filesystem. [...] If the directory handle is not specified, the last link opened by opendir() is assumed.
So you will not be able to get the resource from opendir, but since readdir kindly assumes you want to read from the last resource it might work anyway. I suggest an attack file with something like this:
<xsl:value-of select="php:function('opendir','/some/where/')"/>
<xsl:value-of select="php:function('readdir')"/>
<xsl:value-of select="php:function('readdir')"/>
<xsl:value-of select="php:function('readdir')"/>
...
Edit: Apparently there is an undocumented php:functionString() that "will automatically convert output to a string", according to a comment on php.net. Not sure if it helps, but worth a try.
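For the defender's side of the technique in the answer above, an added example (not part of the original answer): a Python audit that lists every PHP function a stylesheet tries to call through the http://php.net/xsl namespace, whatever prefix it is bound to, and reports those outside an allowlist. The function names, the SAMPLE stylesheet and the allowlist are constructed for illustration.

```python
import io
import re
import xml.etree.ElementTree as ET

PHP_XSL_NS = "http://php.net/xsl"  # namespace that makes php:function() callable

def php_calls(xsl_text):
    """List (element, attribute, php_function) for each php:function() or
    php:functionString() call in any attribute of the stylesheet."""
    prefixes, elements = set(), []
    source = io.BytesIO(xsl_text.encode("utf-8"))
    for event, item in ET.iterparse(source, events=("start-ns", "start")):
        if event == "start-ns":
            if item[1] == PHP_XSL_NS and item[0]:
                prefixes.add(item[0])  # prefix scoping is ignored (conservative)
        else:
            elements.append(item)
    if not prefixes:
        return []
    alt = "|".join(re.escape(p) for p in sorted(prefixes))
    call = re.compile(
        r"(?<![\w.-])(?:%s):function(?:String)?\s*\(\s*(?:(['\"])(.*?)\1)?" % alt)
    found = []
    for el in elements:
        for attr, value in el.attrib.items():
            for m in call.finditer(value):
                # A non-literal first argument cannot be checked statically.
                name = m.group(2).lower() if m.group(2) else "<dynamic>"
                found.append((el.tag.split("}")[-1], attr, name))
    return found

def disallowed(xsl_text, allowlist):
    """Calls whose PHP function name is not in the allowlist."""
    return [c for c in php_calls(xsl_text) if c[2] not in allowlist]

# Constructed sample: the answer's calls, with the namespace bound to "p".
SAMPLE = """<xsl:stylesheet version="1.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    xmlns:p="http://php.net/xsl">
  <xsl:template match="/">
    <out title="{p:functionString('strtoupper', 'ok')}">
      <xsl:value-of select="p:function('opendir','/some/where/')"/>
      <xsl:value-of select="p:function('readdir')"/>
    </out>
  </xsl:template>
</xsl:stylesheet>"""

if __name__ == "__main__":
    for hit in disallowed(SAMPLE, {"strtoupper"}):
        print("disallowed PHP call:", hit)
```

On the PHP side, a stylesheet can reach these functions only if the application called XSLTProcessor::registerPHPFunctions(); passing that method an array of names limits the stylesheet to those functions.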