disable external XML entities and libxml errors

thanks to Kousuke Ebihara for the report and patch.
openid · Aug 12, 2013 · 625c16b · 625c16b
1 parent ed87a67
commit 625c16b
Showing 1 changed file with 8 additions and 1 deletion.
diff --git a/Auth/Yadis/XML.php b/Auth/Yadis/XML.php
@@ -234,7 +234,14 @@ function setXML($xml_string)
             return false;
         }
 
-        if (!@$this->doc->loadXML($xml_string)) {
+        // disable external entities and libxml errors
+        $loader = libxml_disable_entity_loader(true);
+        $errors = libxml_use_internal_errors(true);
+        $parse_result = @$this->doc->loadXML($xml_string);
+        libxml_disable_entity_loader($loader);
+        libxml_use_internal_errors($errors);
+
+        if (!$parse_result) {
             return false;
         }