
[ZF-12293] Disable loading external XML entities

- Disables loading of external XML entities (XXE) while parsing a request,
  thus preventing local file inclusion via entity references in the payload



git-svn-id: http://framework.zend.com/svn/framework/standard/branches/release-1.12@24973 44c647ce-9c0f-0410-b52a-842ac1e357ba
matthew il y a 13 ans

+ 7 - 0
library/Zend/XmlRpc/Request.php

@@ -303,12 +303,15 @@ class Zend_XmlRpc_Request
             return false;
         }
 
+        // @see ZF-12293 - disable external entities for security purposes
+        $loadEntities = libxml_disable_entity_loader(true);
         try {
             $xml = new SimpleXMLElement($request);
         } catch (Exception $e) {
             // Not valid XML
             $this->_fault = new Zend_XmlRpc_Fault(631);
             $this->_fault->setEncoding($this->getEncoding());
+            libxml_disable_entity_loader($loadEntities);
             return false;
         }
 
@@ -317,6 +320,7 @@ class Zend_XmlRpc_Request
             // Missing method name
             $this->_fault = new Zend_XmlRpc_Fault(632);
             $this->_fault->setEncoding($this->getEncoding());
+            libxml_disable_entity_loader($loadEntities);
             return false;
         }
 
@@ -330,6 +334,7 @@ class Zend_XmlRpc_Request
                 if (!isset($param->value)) {
                     $this->_fault = new Zend_XmlRpc_Fault(633);
                     $this->_fault->setEncoding($this->getEncoding());
+                    libxml_disable_entity_loader($loadEntities);
                     return false;
                 }
 
@@ -340,6 +345,7 @@ class Zend_XmlRpc_Request
                 } catch (Exception $e) {
                     $this->_fault = new Zend_XmlRpc_Fault(636);
                     $this->_fault->setEncoding($this->getEncoding());
+                    libxml_disable_entity_loader($loadEntities);
                     return false;
                 }
             }
@@ -348,6 +354,7 @@ class Zend_XmlRpc_Request
             $this->_params = $argv;
         }
 
+        libxml_disable_entity_loader($loadEntities);
         $this->_xml = $request;
 
         return true;
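Review bot: The flag set at `$loadEntities = libxml_disable_entity_loader(true);` in the first hunk is process-global, and the fix relies on every exit path of the method remembering to call `libxml_disable_entity_loader($loadEntities)` by hand (five sites across the hunks); any path that leaves the method without reaching one of them — for example an exception thrown by the method-name handling between the second and third hunks, which neither visible `catch (Exception $e)` covers — silently leaves external entity loading disabled for everything else that runs in the same request. Since the supported PHP versions predate `finally`, a more robust shape is to move the parse into a private helper and wrap the single call as `try { $ok = $this->_parseXml($request); } catch (Exception $e) { libxml_disable_entity_loader($loadEntities); throw $e; } libxml_disable_entity_loader($loadEntities);` so the restore happens exactly once. Note also that disabling the loader only blocks `SYSTEM`/`PUBLIC` entity fetches; it is not a defence against internal-entity expansion (billion-laughs style DoS), and since an XML-RPC request never legitimately carries a DTD, rejecting the payload up front with `if (stripos($request, '<!DOCTYPE') !== false) { /* fault 631 */ return false; }` before the parse would close both vectors without depending on parser configuration. The enclosing method begins before the first hunk.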

+ 15 - 0
tests/Zend/XmlRpc/RequestTest.php

@@ -349,4 +349,19 @@ class Zend_XmlRpc_RequestTest extends PHPUnit_Framework_TestCase
         $this->assertEquals('ISO-8859-1', $this->_request->getEncoding());
         $this->assertEquals('ISO-8859-1', Zend_XmlRpc_Value::getGenerator()->getEncoding());
     }
+
+    /**
+     * @group ZF-12293
+     */
+    public function testDoesNotAllowExternalEntities()
+    {
+        $payload = file_get_contents(dirname(__FILE__) . '/_files/ZF12293-request.xml');
+        $payload = sprintf($payload, 'file://' . realpath(dirname(__FILE__) . '/_files/ZF12293-payload.txt'));
+        $this->_request->loadXml($payload);
+        $method = $this->_request->getMethod();
+        $this->assertTrue(empty($method));
+        if (is_string($method)) {
+            $this->assertNotContains('Local file inclusion', $method);
+        }
+    }
 }
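Review bot: The test never verifies that the entity-loader flag is restored after `loadXml()`, which is the fragile part of the fix (Request.php puts it back by hand on every return path); adding `$this->assertFalse(libxml_disable_entity_loader(false));` right after the `loadXml($payload)` call checks the previous state was false and resets the default for the rest of the suite. The `getMethod()` assertion is also weaker than it looks: depending on the libxml build and on whether the test runner converts the parser's "failed to load external entity" warning into an exception, the blocked reference either expands to an empty string or is caught by the `catch (Exception $e)` in `loadXml` and produces fault 631, so it is worth also asserting the `loadXml()` return value (or the request's fault state, if it exposes one) so a regression that parses the entity successfully but sets some other method name is not masked by the `empty($method)` branch.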

+ 1 - 0
tests/Zend/XmlRpc/_files/ZF12293-payload.txt

@@ -0,0 +1 @@
+Local file inclusion

+ 8 - 0
tests/Zend/XmlRpc/_files/ZF12293-request.xml

@@ -0,0 +1,8 @@
+<?xml version="1.0"?>
+<!DOCTYPE foo [
+<!ELEMENT methodName ANY >
+<!ENTITY xxe SYSTEM "%s" >
+]>
+<methodCall>
+    <methodName>&xxe;</methodName>
+</methodCall>