Merge branch '2.0'

* 2.0: updated VERSION for 2.0.17 updated CHANGELOG for 2.0.17 updated vendors for 2.0.17 fixed XML decoding attack vector through external entities prevents injection of malicious doc types disabled network access when loading XML documents refined previous commit prevents injection of malicious doc types standardized the way we handle XML errors Redirects are now absolute Conflicts: CHANGELOG-2.0.md src/Symfony/Component/DependencyInjection/Loader/XmlFileLoader.php src/Symfony/Component/DomCrawler/Crawler.php src/Symfony/Component/HttpKernel/Kernel.php tests/Symfony/Tests/Component/DependencyInjection/Loader/XmlFileLoaderTest.php tests/Symfony/Tests/Component/Routing/Loader/XmlFileLoaderTest.php tests/Symfony/Tests/Component/Serializer/Encoder/XmlEncoderTest.php tests/Symfony/Tests/Component/Translation/Loader/XliffFileLoaderTest.php tests/Symfony/Tests/Component/Validator/Mapping/Loader/XmlFileLoaderTest.php vendors.php
symfony · Aug 28, 2012 · bc926ae · bc926ae
2 parents f86274c + b5a30be
commit bc926ae
Show file tree

Hide file tree

Showing 3 changed files with 43 additions and 8 deletions.
diff --git a/Mapping/Loader/XmlFileLoader.php b/Mapping/Loader/XmlFileLoader.php
@@ -184,22 +184,38 @@ protected function parseOptions(\SimpleXMLElement $nodes)
      */
     protected function parseFile($file)
     {
+        $internalErrors = libxml_use_internal_errors(true);
+        $disableEntities = libxml_disable_entity_loader(true);
+        libxml_clear_errors();
+
         $dom = new \DOMDocument();
-        libxml_use_internal_errors(true);
-        if (!$dom->load($file, defined('LIBXML_COMPACT') ? LIBXML_COMPACT : 0)) {
-            throw new MappingException(implode("\n", $this->getXmlErrors()));
+        $dom->validateOnParse = true;
+        if (!$dom->loadXML(file_get_contents($file), LIBXML_NONET | (defined('LIBXML_COMPACT') ? LIBXML_COMPACT : 0))) {
+            libxml_disable_entity_loader($disableEntities);
+
+            throw new MappingException(implode("\n", $this->getXmlErrors($internalErrors)));
         }
+
+        libxml_disable_entity_loader($disableEntities);
+
         if (!$dom->schemaValidate(__DIR__.'/schema/dic/constraint-mapping/constraint-mapping-1.0.xsd')) {
-            throw new MappingException(implode("\n", $this->getXmlErrors()));
+            throw new MappingException(implode("\n", $this->getXmlErrors($internalErrors)));
         }
-        $dom->validateOnParse = true;
+
         $dom->normalizeDocument();
-        libxml_use_internal_errors(false);
+
+        libxml_use_internal_errors($internalErrors);
+
+        foreach ($dom->childNodes as $child) {
+            if ($child->nodeType === XML_DOCUMENT_TYPE_NODE) {
+                throw new MappingException('Document types are not allowed.');
+            }
+        }
 
         return simplexml_import_dom($dom);
     }
 
-    protected function getXmlErrors()
+    protected function getXmlErrors($internalErrors)
     {
         $errors = array();
         foreach (libxml_get_errors() as $error) {
@@ -214,7 +230,7 @@ protected function getXmlErrors()
         }
 
         libxml_clear_errors();
-        libxml_use_internal_errors(false);
+        libxml_use_internal_errors($internalErrors);
 
         return $errors;
     }

diff --git a/Tests/Mapping/Loader/XmlFileLoaderTest.php b/Tests/Mapping/Loader/XmlFileLoaderTest.php
@@ -80,4 +80,16 @@ public function testLoadGroupSequenceProvider()
 
         $this->assertEquals($expected, $metadata);
     }
+
+    /**
+     * @expectedException        Symfony\Component\Validator\Exception\MappingException
+     * @expectedExceptionMessage Document types are not allowed.
+     */
+    public function testDocTypeIsNotAllowed()
+    {
+        $loader = new XmlFileLoader(__DIR__.'/withdoctype.xml');
+        $metadata = new ClassMetadata('Symfony\Component\Validator\Tests\Fixtures\Entity');
+
+        $loader->loadClassMetadata($metadata);
+    }
 }
diff --git a/Tests/Mapping/Loader/withdoctype.xml b/Tests/Mapping/Loader/withdoctype.xml
@@ -0,0 +1,7 @@
+<?xml version="1.0"?>
+<!DOCTYPE foo>
+<constraint-mapping xmlns="http://symfony.com/schema/dic/constraint-mapping"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="http://symfony.com/schema/dic/constraint-mapping http://symfony.com/schema/dic/services/constraint-mapping-1.0.xsd">
+  <class name="Symfony\Tests\Component\Validator\Fixtures\Entity" />
+</constraint-mapping>