From eecdec4d5b523a21f51d66aba448ad6c43cc760c Mon Sep 17 00:00:00 2001
From: Frederic Massart
Date: Mon, 11 Feb 2013 15:20:11 +0800
Subject: [PATCH] MDL-34284 library: Import ZF2012-01 security patch for Zend
---
 lib/zend/Zend/XmlRpc/Request.php | 7 +++++++
 lib/zend/readme_moodle.txt | 2 +-
 2 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/lib/zend/Zend/XmlRpc/Request.php b/lib/zend/Zend/XmlRpc/Request.php
index 5a05073fca285..2a11a3ac0627b 100644
--- a/lib/zend/Zend/XmlRpc/Request.php
+++ b/lib/zend/Zend/XmlRpc/Request.php
@@ -303,12 +303,15 @@ public function loadXml($request)
 return false;
 }
 
+ // @see ZF-12293 - disable external entities for security purposes
+ $loadEntities = libxml_disable_entity_loader(true);
 try {
 $xml = new SimpleXMLElement($request);
 } catch (Exception $e) {
 // Not valid XML
 $this->_fault = new Zend_XmlRpc_Fault(631);
 $this->_fault->setEncoding($this->getEncoding());
+ libxml_disable_entity_loader($loadEntities);
 return false;
 }
 
@@ -317,6 +320,7 @@ public function loadXml($request)
 // Missing method name
 $this->_fault = new Zend_XmlRpc_Fault(632);
 $this->_fault->setEncoding($this->getEncoding());
+ libxml_disable_entity_loader($loadEntities);
 return false;
 }
 
@@ -330,6 +334,7 @@ public function loadXml($request)
 if (!isset($param->value)) {
 $this->_fault = new Zend_XmlRpc_Fault(633);
 $this->_fault->setEncoding($this->getEncoding());
+ libxml_disable_entity_loader($loadEntities);
 return false;
 }
 
@@ -340,6 +345,7 @@ public function loadXml($request)
 } catch (Exception $e) {
 $this->_fault = new Zend_XmlRpc_Fault(636);
 $this->_fault->setEncoding($this->getEncoding());
+ libxml_disable_entity_loader($loadEntities);
 return false;
 }
 }
@@ -348,6 +354,7 @@ public function loadXml($request)
 $this->_params = $argv;
 }
 
+ libxml_disable_entity_loader($loadEntities);
 $this->_xml = $request;
 return true;
 
diff --git a/lib/zend/readme_moodle.txt b/lib/zend/readme_moodle.txt
index ef52efc6c57fc..1df8e7647af3f 100644
--- a/lib/zend/readme_moodle.txt
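Review bot: The guard is restored on every exit shown, but only because of five hand-placed `libxml_disable_entity_loader($loadEntities);` calls (this hunk and the four that follow), and any future early return added between the enable and the final restore would leave the process-global loader setting changed for every later XML parse in the same request; the enable line deserves a comment making that invariant explicit, e.g. `// libxml entity-loader state is global: every return after this point must restore $loadEntities`. If nothing between the SimpleXMLElement constructor and the final return parses further XML, the state could instead be restored immediately after the try/catch, which would make the four later restores unnecessary — worth confirming against the code the hunks skip. Note also that disabling the entity loader only blocks fetching external DTDs and entities; it does not bound the expansion of entities declared inline in the document, which stays subject to libxml's own limits. loadXml begins above this hunk and its closing lines lie past the last one, and the diffstat shows only Request.php imported, so if this vendored copy also ships Zend_XmlRpc_Response::loadXml (which in upstream ZF 1.x constructs a SimpleXMLElement the same way) it presumably needs the same guard.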
+++ b/lib/zend/readme_moodle.txt
@@ -9,4 +9,4 @@ Changes:
 * small fix to error reporting in reflection (MDL-21460, ZF-8980)
 * SOAP and XMLRPC servers overwrite the fault() functions
 * synced and renamed file to version in ZF 1.10.6 (MDL-30603, ZF-11080)
-
+* import security patch (MDL-34284, ZF2012-01, ZF-12293)