Permalink
Browse files

MDL-34284 library: Import ZF2012-01 security patch for Zend

  • Loading branch information...
1 parent c2cef58 commit 55b330e6d80209e235e7cf567db9b190e9d5ea19 @FMCorz FMCorz committed with damyon Feb 11, 2013
Showing with 8 additions and 1 deletion.
  1. +7 −0 lib/zend/Zend/XmlRpc/Request.php
  2. +1 −1 lib/zend/readme_moodle.txt
@@ -303,12 +303,15 @@ public function loadXml($request)
return false;
}
+ // @see ZF-12293 - disable external entities for security purposes
+ $loadEntities = libxml_disable_entity_loader(true);
try {
$xml = new SimpleXMLElement($request);
} catch (Exception $e) {
// Not valid XML
$this->_fault = new Zend_XmlRpc_Fault(631);
$this->_fault->setEncoding($this->getEncoding());
+ libxml_disable_entity_loader($loadEntities);
return false;
}
@@ -317,6 +320,7 @@ public function loadXml($request)
// Missing method name
$this->_fault = new Zend_XmlRpc_Fault(632);
$this->_fault->setEncoding($this->getEncoding());
+ libxml_disable_entity_loader($loadEntities);
return false;
}
@@ -330,6 +334,7 @@ public function loadXml($request)
if (!isset($param->value)) {
$this->_fault = new Zend_XmlRpc_Fault(633);
$this->_fault->setEncoding($this->getEncoding());
+ libxml_disable_entity_loader($loadEntities);
return false;
}
@@ -340,6 +345,7 @@ public function loadXml($request)
} catch (Exception $e) {
$this->_fault = new Zend_XmlRpc_Fault(636);
$this->_fault->setEncoding($this->getEncoding());
+ libxml_disable_entity_loader($loadEntities);
return false;
}
}
@@ -348,6 +354,7 @@ public function loadXml($request)
$this->_params = $argv;
}
+ libxml_disable_entity_loader($loadEntities);
$this->_xml = $request;
return true;
@@ -9,4 +9,4 @@ Changes:
* small fix to error reporting in reflection (MDL-21460, ZF-8980)
* SOAP and XMLRPC servers overwrite the fault() functions
* synced and renamed file to version in ZF 1.10.6 (MDL-30603, ZF-11080)
-
+* import security patch (MDL-34284, ZF2012-01, ZF-12293)

0 comments on commit 55b330e

Please sign in to comment.