Changed XML loading code to prevent XML external entity processing attacks
kelvinmo committed Oct 24, 2015
1 parent 5b3654a commit 4c9f2e0
Showing 2 changed files with 14 additions and 10 deletions.
4 changes: 4 additions & 0 deletions CHANGELOG.md
@@ -1,3 +1,7 @@
## 3.1.1

- Changed XML loading code to prevent XML external entity processing attacks

## 3.1

- Added [Travis CI](https://travis-ci.org/) configuration
20 changes: 10 additions & 10 deletions simplexrd/simplexrd.class.php
Expand Up @@ -68,7 +68,7 @@ class SimpleXRD {
* @var resource
*/
private $reader;

/**
* XML namespace constant
* @var string
Expand All @@ -80,7 +80,7 @@ class SimpleXRD {
* @var array
*/
private $jrd = array();

/**
* Creates an instance of the XRD parser.
*
Expand All @@ -89,7 +89,7 @@ class SimpleXRD {
public function __construct() {
$this->reader = new XMLReader();
}

/**
* Frees memory associated with the underlying XML parser.
*
Expand All @@ -107,9 +107,9 @@ public function close() {
* @param string $xml the XML document to load
*/
public function load($xml) {
$this->reader->xml($xml);
$this->reader->xml($xml, null, LIBXML_NONET);
}

/**
* Parses the loaded XRD document and returns the JRD-equivalent structure.
*
Expand All @@ -122,12 +122,12 @@ public function load($xml) {
* @return array the JRD equivalent structure
*/
public function parse($include_expires = false) {
while ($this->reader->read()) {
if (($this->reader->nodeType == XMLReader::ELEMENT)
while ($this->reader->read()) {
if (($this->reader->nodeType == XMLReader::ELEMENT)
&& ($this->reader->namespaceURI == self::XRD_NS)) {
switch ($this->reader->localName) {
case 'XRD':
$this->jrd = array();
$this->jrd = array();
break;
case 'Expires':
if ($include_expires) $this->jrd['expires'] = $this->reader->readString();
Expand All @@ -148,7 +148,7 @@ public function parse($include_expires = false) {
$this->parseProperty($this->jrd['properties']);
break;
}

}
}
return $this->jrd;
Expand Down Expand Up @@ -177,7 +177,7 @@ private function parseLink() {
($this->reader->localName == 'Link'))
break;

if (($this->reader->nodeType == XMLReader::ELEMENT)
if (($this->reader->nodeType == XMLReader::ELEMENT)
&& ($this->reader->namespaceURI == self::XRD_NS)) {
switch ($this->reader->localName) {
case 'Property':
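Review bot: LIBXML_NONET on the new line of load() only forbids network access while parsing; it does not by itself stop an external entity that points at a local file from being resolved, so the protection also depends on entity substitution staying off (no LIBXML_NOENT flag and XMLReader::SUBST_ENTITIES left at its default), which the hunk preserves but nothing documents. I would add a comment on the new line such as `// LIBXML_NONET: no network access during parsing; never add LIBXML_NOENT here, entity substitution must stay disabled` and, on builds with libxml older than 2.9, pair the call with `libxml_disable_entity_loader(true)` so local external entities are not loaded either. Separately, XMLReader::xml() returns false on failure and load() discards that value, so a document that fails to load silently leaves the reader in its previous state; `if (!$this->reader->xml($xml, null, LIBXML_NONET)) { throw new \RuntimeException('Unable to load XRD document'); }` would make the failure visible, with a matching @throws tag in the docblock. The changes in the parse() and parseLink() hunks appear to be whitespace-only from what is shown, and both of those functions extend beyond their hunks.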

