Skip to content

Commit

Permalink
MDL-34284 library: Import ZF2012-01 security patch for Zend
Browse files Browse the repository at this point in the history
  • Loading branch information
Frederic Massart authored and Damyon Wiese committed Mar 5, 2013
1 parent 2e2bac9 commit dfe203c
Show file tree
Hide file tree
Showing 2 changed files with 8 additions and 1 deletion.
7 changes: 7 additions & 0 deletions lib/zend/Zend/XmlRpc/Request.php
View file
Original file line number Original file line Diff line number Diff line change
Expand Up @@ -303,12 +303,15 @@ public function loadXml($request)
return false; return false;
} }


// @see ZF-12293 - disable external entities for security purposes
$loadEntities = libxml_disable_entity_loader(true);
try { try {
$xml = new SimpleXMLElement($request); $xml = new SimpleXMLElement($request);
} catch (Exception $e) { } catch (Exception $e) {
// Not valid XML // Not valid XML
$this->_fault = new Zend_XmlRpc_Fault(631); $this->_fault = new Zend_XmlRpc_Fault(631);
$this->_fault->setEncoding($this->getEncoding()); $this->_fault->setEncoding($this->getEncoding());
libxml_disable_entity_loader($loadEntities);
return false; return false;
} }


Expand All @@ -317,6 +320,7 @@ public function loadXml($request)
// Missing method name // Missing method name
$this->_fault = new Zend_XmlRpc_Fault(632); $this->_fault = new Zend_XmlRpc_Fault(632);
$this->_fault->setEncoding($this->getEncoding()); $this->_fault->setEncoding($this->getEncoding());
libxml_disable_entity_loader($loadEntities);
return false; return false;
} }


Expand All @@ -330,6 +334,7 @@ public function loadXml($request)
if (!isset($param->value)) { if (!isset($param->value)) {
$this->_fault = new Zend_XmlRpc_Fault(633); $this->_fault = new Zend_XmlRpc_Fault(633);
$this->_fault->setEncoding($this->getEncoding()); $this->_fault->setEncoding($this->getEncoding());
libxml_disable_entity_loader($loadEntities);
return false; return false;
} }


Expand All @@ -340,6 +345,7 @@ public function loadXml($request)
} catch (Exception $e) { } catch (Exception $e) {
$this->_fault = new Zend_XmlRpc_Fault(636); $this->_fault = new Zend_XmlRpc_Fault(636);
$this->_fault->setEncoding($this->getEncoding()); $this->_fault->setEncoding($this->getEncoding());
libxml_disable_entity_loader($loadEntities);
return false; return false;
} }
} }
Expand All @@ -348,6 +354,7 @@ public function loadXml($request)
$this->_params = $argv; $this->_params = $argv;
} }


libxml_disable_entity_loader($loadEntities);
$this->_xml = $request; $this->_xml = $request;


return true; return true;
Expand Down
2 changes: 1 addition & 1 deletion lib/zend/readme_moodle.txt
View file
Original file line number Original file line Diff line number Diff line change
Expand Up @@ -9,4 +9,4 @@ Changes:
* small fix to error reporting in reflection (MDL-21460, ZF-8980) * small fix to error reporting in reflection (MDL-21460, ZF-8980)
* SOAP and XMLRPC servers overwrite the fault() functions * SOAP and XMLRPC servers overwrite the fault() functions
* synced and renamed file to version in ZF 1.10.6 (MDL-30603, ZF-11080) * synced and renamed file to version in ZF 1.10.6 (MDL-30603, ZF-11080)

* import security patch (MDL-34284, ZF2012-01, ZF-12293)

0 comments on commit dfe203c

Please sign in to comment.