This repository was archived by the owner on May 16, 2018. It is now read-only.
File tree 4 files changed +32
-5
lines changed 4 files changed +32
-5
lines changed Original file line number Diff line number Diff line change @@ -307,6 +307,7 @@ public function loadXml($request)
307307 $ loadEntitieslibxml_disable_entity_loader (true );
308308 try {
309309 $ xmlnew SimpleXMLElement ($ request
310+ libxml_disable_entity_loader ($ loadEntities
310311 } catch (Exception $ e
311312 // Not valid XML
312313 $ this _fault = new Zend_XmlRpc_Fault (631 );
@@ -320,7 +321,6 @@ public function loadXml($request)
320321 // Missing method name
321322 $ this _fault = new Zend_XmlRpc_Fault (632 );
322323 $ this _fault ->setEncoding ($ this getEncoding ());
323- libxml_disable_entity_loader ($ loadEntities
324324 return false ;
325325 }
326326
@@ -334,7 +334,6 @@ public function loadXml($request)
334334 if (!isset ($ paramvalue )) {
335335 $ this _fault = new Zend_XmlRpc_Fault (633 );
336336 $ this _fault ->setEncoding ($ this getEncoding ());
337- libxml_disable_entity_loader ($ loadEntities
338337 return false ;
339338 }
340339
@@ -345,7 +344,6 @@ public function loadXml($request)
345344 } catch (Exception $ e
346345 $ this _fault = new Zend_XmlRpc_Fault (636 );
347346 $ this _fault ->setEncoding ($ this getEncoding ());
348- libxml_disable_entity_loader ($ loadEntities
349347 return false ;
350348 }
351349 }
@@ -354,7 +352,6 @@ public function loadXml($request)
354352 $ this _params = $ argv
355353 }
356354
357- libxml_disable_entity_loader ($ loadEntities
358355 $ this _xml = $ request
359356
360357 return true ;
Original file line number Diff line number Diff line change @@ -176,11 +176,15 @@ public function loadXml($response)
176176 return false ;
177177 }
178178
179+ // @see ZF-12293 - disable external entities for security purposes
180+ $ loadEntitieslibxml_disable_entity_loader (true );
181+ $ useInternalXmlErrorslibxml_use_internal_errors (true );
179182 try {
180- $ useInternalXmlErrorslibxml_use_internal_errors (true );
181183 $ xmlnew SimpleXMLElement ($ response
184+ libxml_disable_entity_loader ($ loadEntities
182185 libxml_use_internal_errors ($ useInternalXmlErrors
183186 } catch (Exception $ e
187+ libxml_disable_entity_loader ($ loadEntities
184188 libxml_use_internal_errors ($ useInternalXmlErrors
185189 // Not valid XML
186190 $ this _fault = new Zend_XmlRpc_Fault (651 );
@@ -205,6 +209,7 @@ public function loadXml($response)
205209
206210 try {
207211 if (!isset ($ xmlparams ) || !isset ($ xmlparams ->param ) || !isset ($ xmlparams ->param ->value )) {
212+ require_once 'Zend/XmlRpc/Value/Exception.php ' ;
208213 throw new Zend_XmlRpc_Value_Exception ('Missing XML-RPC value in XML ' );
209214 }
210215 $ valueXml$ xmlparams ->param ->value ->asXML ();
Original file line number Diff line number Diff line change @@ -252,4 +252,19 @@ public function trackError($error)
252252 {
253253 $ this _errorOccured = true ;
254254 }
255+
256+ /**
257+ * @group ZF-12293
258+ */
259+ public function testDoesNotAllowExternalEntities ()
260+ {
261+ $ payloadfile_get_contents (dirname (__FILE__ ) . '/_files/ZF12293-response.xml ' );
262+ $ payloadsprintf ($ payload'file:// ' . realpath (dirname (__FILE__ ) . '/_files/ZF12293-payload.txt ' ));
263+ $ this _response ->loadXml ($ payload
264+ $ value$ this _response ->getReturnValue ();
265+ $ this assertTrue (empty ($ value
266+ if (is_string ($ value
267+ $ this assertNotContains ('Local file inclusion ' , $ value
268+ }
269+ }
255270}
Original file line number Diff line number Diff line change 1+ <?xml version =" 1.0"
2+ <!DOCTYPE foo [
3+ <!ELEMENT methodResponse ANY >
4+ <!ENTITY xxe SYSTEM " %s"
5+ ]>
6+ <methodResponse >
7+ <params >
8+ <param ><value ><string >&xxe; </string ></value ></param >
9+ </params >
10+ </methodResponse >
You can’t perform that action at this time.
0 commit comments