close potential XXE security issue (CVE-2014-2053)

1 parent e174958 commit dc8549079a24bb0619b6124ef2df767704f8d0bc @JamesHeinrich committed Mar 12, 2014
Showing with 8 additions and 0 deletions.
  1. +4 −0 changelog.txt
  2. +4 −0 getid3/getid3.lib.php
@@ -21,6 +21,10 @@ Version History
1.10.0: [2014-??-??] James Heinrich
» Add support for AMR (Adaptive Multi-Rate audio codec)
new file: module.audio.amr.php
+ * Bugfix: (#1813) avoid running out of memory when parsing large
+ Quicktime files
+ * Bugfix: (#1812) potential unwanted high-ASCII characters in errors
+ * Bugfix: close potential XXE security issue (CVE-2014-2053)
1.9.7: [2013-07-05] James Heinrich
* Bugfix: [module.audio-video.quicktime.php] track languages set
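Review bot: the new entry `+ * Bugfix: close potential XXE security issue (CVE-2014-2053)` does not name the file it fixes, while the surrounding changelog convention tags the affected module in brackets (compare `* Bugfix: [module.audio-video.quicktime.php] track languages set` in the 1.9.7 block). Since the change in this commit lives in getid3/getid3.lib.php (XML2array), consider `* Bugfix: [getid3.lib.php] close potential XXE security issue (CVE-2014-2053)` so someone auditing the changelog for the CVE can locate the code directly.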
@@ -521,6 +521,10 @@ public static function array_min($arraydata, $returnkey=false) {
public static function XML2array($XMLstring) {
if (function_exists('simplexml_load_string')) {
if (function_exists('get_object_vars')) {
+ if (function_exists('libxml_disable_entity_loader')) { // (PHP 5 >= 5.2.11)
+ // http://websec.io/2012/08/27/Preventing-XEE-in-PHP.html
+ libxml_disable_entity_loader(true);
+ }
$XMLobject = simplexml_load_string($XMLstring);
return self::SimpleXMLelement2array($XMLobject);
}
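Review bot: `libxml_disable_entity_loader(true)` in the new lines of XML2array() flips a process-global libxml setting and never restores it, so after the first call every later XML parse in the same PHP process, including the host application's own `simplexml_load_file()` / `DOMDocument::load()` calls, runs with external loading disabled and can fail unexpectedly. The function returns the previous value, so the contained form is to save and restore it around the one parse this code owns: `$prevEntityLoader = libxml_disable_entity_loader(true);` then `$XMLobject = simplexml_load_string($XMLstring);` then `libxml_disable_entity_loader($prevEntityLoader);` (keeping the existing `function_exists` guard for PHP < 5.2.11 around both calls). That still closes the XXE path for the untrusted `$XMLstring` this function parses without changing behaviour for unrelated code.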