From 8e0678e85ef925095446909b33abd253b0a6f9c6 Mon Sep 17 00:00:00 2001
From: Marco Ceppi
Date: Thu, 23 Jan 2014 06:17:01 -0500
Subject: [PATCH 1/2] Clean up
---
 Auth/Yadis/XML.php | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/Auth/Yadis/XML.php b/Auth/Yadis/XML.php
index 39a99422..0f8aaeca 100644
--- a/Auth/Yadis/XML.php
+++ b/Auth/Yadis/XML.php
@@ -343,11 +343,11 @@ function Auth_Yadis_getSupportedExtensions()
 function Auth_Yadis_getXMLParser()
 {
 global $__Auth_Yadis_defaultParser;
-
+
 if (isset($__Auth_Yadis_defaultParser)) {
 return $__Auth_Yadis_defaultParser;
 }
-
+
 foreach(Auth_Yadis_getSupportedExtensions() as $extension => $classname)
 {
 if (extension_loaded($extension))
@@ -357,7 +357,7 @@ function Auth_Yadis_getXMLParser()
 return $p;
 }
 }
-
+
 return false;
 }
From f97f69afcc6b07ab718618e6041d23c1a2e889a5 Mon Sep 17 00:00:00 2001
From: Marco Ceppi
Date: Thu, 23 Jan 2014 06:17:28 -0500
Subject: [PATCH 2/2] Reject OpenID XML responses with a doctype CVE-2012-4554
---
 Auth/Yadis/XML.php | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/Auth/Yadis/XML.php b/Auth/Yadis/XML.php
index 0f8aaeca..2b8a20eb 100644
--- a/Auth/Yadis/XML.php
+++ b/Auth/Yadis/XML.php
@@ -250,6 +250,10 @@ function setXML($xml_string)
 return false;
 }
+ if (isset($this->doc->doctype)) {
+ return false;
+ }
+
 $this->xpath = new DOMXPath($this->doc);
 if ($this->xpath) {
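Review bot: The added `isset($this->doc->doctype)` test in setXML() runs on a document that has already been parsed, so it rejects a response that carries a DOCTYPE but cannot stop entity expansion or external entity loading that happens during the parse itself. The parse call sits above the hunk and is not visible here, so confirm that it disables external entity loading and passes no entity-substitution flags; otherwise the check discards the result only after the work has been done. The new branch also needs a comment such as `// Reject responses that declare a DOCTYPE: the XML is untrusted and a DOCTYPE can define entities (CVE-2012-4554).`, because a bare `return false` here reads like an ordinary parse failure. Auth_Yadis_getXMLParser() chooses among several parser classes, so any other setXML() implementation in this file presumably needs the same rejection.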