
disable external XML entities and libxml errors

thanks to Kousuke Ebihara for the report and patch.
1 parent ed87a67 commit 625c16bb28bb120d262b3f19f89c2c06cb9b0da9 @willnorris willnorris committed Aug 12, 2013
Showing with 8 additions and 1 deletion.
  1. +8 −1 Auth/Yadis/XML.php
@@ -234,7 +234,14 @@ function setXML($xml_string)
return false;
}
- if (!@$this->doc->loadXML($xml_string)) {
+ // disable external entities and libxml errors
+ $loader = libxml_disable_entity_loader(true);
+ $errors = libxml_use_internal_errors(true);
+ $parse_result = @$this->doc->loadXML($xml_string);
+ libxml_disable_entity_loader($loader);
+ libxml_use_internal_errors($errors);
+
+ if (!$parse_result) {
return false;
}
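Review bot: The two `libxml_disable_entity_loader()` calls are unguarded, which ties this XXE fix to the PHP runtime. The function only exists from PHP 5.2.11, so on anything older (if the library still supports it) the call is an undefined-function fatal, and it is deprecated from PHP 8.0, where libxml 2.9+ already refuses external entities by default. Guard both the set and the restore, e.g. `if (function_exists('libxml_disable_entity_loader') && LIBXML_VERSION < 20900) { $loader = libxml_disable_entity_loader(true); }`. Separately, when the caller already had internal errors switched on, the errors from this parse stay in the shared libxml buffer after the restore; either say so in the comment or drain them with `libxml_get_errors()` / `libxml_clear_errors()`. setXML begins and ends outside this hunk, so other parse paths in the file are not visible here.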
