
MDL-26660 libraries: Improved XML validation before parsing

commit 0b674ddb429e7fc7cf40ed4d9b997a5d268c0a29 1 parent 153f5eb
@FMCorz FMCorz authored danpoltawski committed
Showing with 28 additions and 8 deletions.
  1. +28 −8 lib/googleapi.php
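--- a/lib/googleapi.php
+++ b/lib/googleapi.php
@@ -81,11 +81,19 @@ public function get_file_list($search = '') {
 if ($search) {
 $url.='?q='.urlencode($search);
 }
- $content = $this->googleoauth->get($url);
-
- $xml = new SimpleXMLElement($content);
 $files = array();
+ $content = $this->googleoauth->get($url);
+ try {
+ if (strpos($content, '<?xml') !== 0) {
+ throw new moodle_exception('invalidxmlresponse');
+ }
+ $xml = new SimpleXMLElement($content);
+ } catch (Exception $e) {
+ // An error occured while trying to parse the XML, let's just return nothing. SimpleXML does not
+ // return a more specific Exception, that's why the global Exception class is caught here.
+ return $files;
+ }
 foreach ($xml->entry as $gdoc) {
 $docid = (string) $gdoc->children('http://schemas.google.com/g/2005')->resourceId;
 list($type, $docid) = explode(':', $docid);
@@ -320,11 +328,17 @@ public function get_albums() {
 $files = array();
 $content = $this->googleoauth->get(self::LIST_ALBUMS_URL);
- if (empty($content)) {
+ try {
+ if (strpos($content, '<?xml') !== 0) {
+ throw new moodle_exception('invalidxmlresponse');
+ }
+ $xml = new SimpleXMLElement($content);
+ } catch (Exception $e) {
+ // An error occured while trying to parse the XML, let's just return nothing. SimpleXML does not
+ // return a more specific Exception, that's why the global Exception class is caught here.
 return $files;
 }
- $xml = new SimpleXMLElement($content);
 foreach ($xml->entry as $album) {
 $gphoto = $album->children('http://schemas.google.com/photos/2007');
@@ -355,11 +369,17 @@ public function get_albums() {
 */
 public function get_photo_details($rawxml) {
 $files = array();
- if (empty($rawxml)) {
+
+ try {
+ if (strpos($rawxml, '<?xml') !== 0) {
+ throw new moodle_exception('invalidxmlresponse');
+ }
+ $xml = new SimpleXMLElement($rawxml);
+ } catch (Exception $e) {
+ // An error occured while trying to parse the XML, let's just return nothing. SimpleXML does not
+ // return a more specific Exception, that's why the global Exception class is caught here.
 return $files;
 }
-
- $xml = new SimpleXMLElement($rawxml);
 $this->lastalbumname = (string)$xml->title;
 foreach ($xml->entry as $photo) {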
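Review bot: The `strpos($content, '<?xml') !== 0` guard in get_file_list(), repeated in get_albums() and get_photo_details(), only inspects the first five bytes, so it does not validate the document and does not limit what the parser does with a DOCTYPE or entity declarations in a response that does begin with `<?xml`; it also rejects well-formed XML that omits the declaration or starts with a byte-order mark. If the aim is to harden parsing of remote content, constrain the parser itself, for example `$xml = new SimpleXMLElement($content, LIBXML_NONET);`, and keep the try/catch for malformed input. The catch block discards `$e`, so an expired token or an HTML error page looks the same as an empty listing; a `debugging($e->getMessage(), DEBUG_DEVELOPER);` before `return $files;` would leave a trace for whoever investigates. The three identical blocks would be easier to keep consistent as one private helper that returns the parsed element or null. The bodies of all three functions continue outside the hunks shown.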