some security for API #944

GetSimpleCMS · Oct 30, 2014 · 4c44b94 · 4c44b94
1 parent 06df471
commit 4c44b94
Showing 1 changed file with 6 additions and 2 deletions.
diff --git a/admin/api.php b/admin/api.php
@@ -12,6 +12,12 @@
 	if (empty($_POST)) exit;
 	if (!defined('GSEXTAPI')) exit;
 
+	// disable libxml error output
+	libxml_use_internal_errors();
+
+	// disable entity loading to avoid xxe
+	libxml_disable_entity_loader();
+
 	#step 1 - check post for data
 	if (!isset($_POST['data'])) {
 		$message = array('status' => 'error', 'message' => i18n_r('API_ERR_MISSINGPARAM'));
@@ -36,8 +42,6 @@
 	$method = (string)$in->method;
 	echo call_user_func(array($request, $method), '');
 
-
-
 exit;
 
 /*