
fixed XML decoding attack vector through external entities

commit 5c5040c890a8e4085dcd6fa3827f574ab5f71f4c 1 parent e2f9fee
@fabpot fabpot authored
Showing with 5 additions and 1 deletion.
  1. +5 −1 Loader/XmlFileLoader.php
6 Loader/XmlFileLoader.php
@@ -212,16 +212,20 @@ private function parseDefinition($id, $service, $file)
private function parseFile($file)
{
$internalErrors = libxml_use_internal_errors(true);
+ $disableEntities = libxml_disable_entity_loader(true);
libxml_clear_errors();
$dom = new \DOMDocument();
$dom->validateOnParse = true;
- if (!$dom->load($file, LIBXML_NONET | (defined('LIBXML_COMPACT') ? LIBXML_COMPACT : 0))) {
+ if (!$dom->loadXML(file_get_contents($file), LIBXML_NONET | (defined('LIBXML_COMPACT') ? LIBXML_COMPACT : 0))) {
+ libxml_disable_entity_loader($disableEntities);
+
throw new \InvalidArgumentException(implode("\n", $this->getXmlErrors($internalErrors)));
}
$dom->normalizeDocument();
libxml_use_internal_errors($internalErrors);
+ libxml_disable_entity_loader($disableEntities);
foreach ($dom->childNodes as $child) {
if ($child->nodeType === XML_DOCUMENT_TYPE_NODE) {