Disable reading XML files and URLs when handling user data.

Allowing users to load arbitrary files/URLs with Xml is not desirable when handing user input.
cakephp · May 27, 2015 · 995d8d2 · 995d8d2
1 parent dddc504
commit 995d8d2
Show file tree

Hide file tree

Showing 3 changed files with 29 additions and 3 deletions.
diff --git a/lib/Cake/Controller/Component/RequestHandlerComponent.php b/lib/Cake/Controller/Component/RequestHandlerComponent.php
@@ -229,7 +229,7 @@ public function startup(Controller $controller) {
  */
 	public function convertXml($xml) {
 		try {
-			$xml = Xml::build($xml);
+			$xml = Xml::build($xml, ['readFile' => false]);
 			if (isset($xml->data)) {
 				return Xml::toArray($xml->data);
 			}

diff --git a/lib/Cake/Test/Case/Utility/XmlTest.php b/lib/Cake/Test/Case/Utility/XmlTest.php
@@ -167,6 +167,28 @@ public function testBuild() {
 		$this->assertNotRegExp('/encoding/', $obj->saveXML());
 	}
 
+/**
+ * Test that the readFile option disables local file parsing.
+ *
+ * @expectedException XmlException
+ * @return void
+ */
+	public function testBuildFromFileWhenDisabled() {
+		$xml = CAKE . 'Test' . DS . 'Fixture' . DS . 'sample.xml';
+		$obj = Xml::build($xml, ['readFile' => false]);
+	}
+
+/**
+ * Test that the readFile option disables local file parsing.
+ *
+ * @expectedException XmlException
+ * @return void
+ */
+	public function testBuildFromUrlWhenDisabled() {
+		$xml = 'http://www.google.com';
+		$obj = Xml::build($xml, ['readFile' => false]);
+	}
+
 /**
  * data provider function for testBuildInvalidData
  *

diff --git a/lib/Cake/Utility/Xml.php b/lib/Cake/Utility/Xml.php
@@ -77,6 +77,9 @@ class Xml {
  * - `return` Can be 'simplexml' to return object of SimpleXMLElement or 'domdocument' to return DOMDocument.
  * - `loadEntities` Defaults to false. Set to true to enable loading of `<!ENTITY` definitions. This
  *   is disabled by default for security reasons.
+ * - `readFile` Set to false to disable file reading. This is important to disable when
+ *   putting user data into Xml::build(). If enabled local & remote files will be read if they exist.
+ *   Defaults to true for backwards compatibility reasons.
  * - If using array as input, you can pass `options` from Xml::fromArray.
  *
  * @param string|array $input XML string, a path to a file, a URL or an array
@@ -91,16 +94,17 @@ public static function build($input, $options = array()) {
 		$defaults = array(
 			'return' => 'simplexml',
 			'loadEntities' => false,
+			'readFile' => true
 		);
 		$options += $defaults;
 
 		if (is_array($input) || is_object($input)) {
 			return self::fromArray((array)$input, $options);
 		} elseif (strpos($input, '<') !== false) {
 			return self::_loadXml($input, $options);
-		} elseif (file_exists($input)) {
+		} elseif ($options['readFile'] && file_exists($input)) {
 			return self::_loadXml(file_get_contents($input), $options);
-		} elseif (strpos($input, 'http://') === 0 || strpos($input, 'https://') === 0) {
+		} elseif ($options['readFile'] && strpos($input, 'http://') === 0 || strpos($input, 'https://') === 0) {
 			try {
 				$socket = new HttpSocket(array('request' => array('redirect' => 10)));
 				$response = $socket->get($input);