
Merge branch '2.0'

* 2.0:
  updated VERSION for 2.0.17
  updated CHANGELOG for 2.0.17
  updated vendors for 2.0.17
  fixed XML decoding attack vector through external entities
  prevents injection of malicious doc types
  disabled network access when loading XML documents
  refined previous commit
  prevents injection of malicious doc types
  standardized the way we handle XML errors
  Redirects are now absolute

Conflicts:
	CHANGELOG-2.0.md
	src/Symfony/Component/DependencyInjection/Loader/XmlFileLoader.php
	src/Symfony/Component/DomCrawler/Crawler.php
	src/Symfony/Component/HttpKernel/Kernel.php
	tests/Symfony/Tests/Component/DependencyInjection/Loader/XmlFileLoaderTest.php
	tests/Symfony/Tests/Component/Routing/Loader/XmlFileLoaderTest.php
	tests/Symfony/Tests/Component/Serializer/Encoder/XmlEncoderTest.php
	tests/Symfony/Tests/Component/Translation/Loader/XliffFileLoaderTest.php
	tests/Symfony/Tests/Component/Validator/Mapping/Loader/XmlFileLoaderTest.php
	vendors.php
2 parents f70f7d8 + c68f058 commit 4a2af1b8f83341b637e47a66c6b6798730038edc @fabpot fabpot committed Aug 28, 2012
Showing with 11 additions and 3 deletions.
  1. +11 −3 Crawler.php
@@ -126,16 +126,20 @@ public function addContent($content, $type = null)
*/
public function addHtmlContent($content, $charset = 'UTF-8')
{
+ $current = libxml_use_internal_errors(true);
+ $disableEntities = libxml_disable_entity_loader(true);
+
$dom = new \DOMDocument('1.0', $charset);
$dom->validateOnParse = true;
if (function_exists('mb_convert_encoding')) {
$content = mb_convert_encoding($content, 'HTML-ENTITIES', $charset);
}
- $current = libxml_use_internal_errors(true);
@$dom->loadHTML($content);
+
libxml_use_internal_errors($current);
+ libxml_disable_entity_loader($disableEntities);
$this->addDocument($dom);
@@ -163,13 +167,17 @@ public function addHtmlContent($content, $charset = 'UTF-8')
*/
public function addXmlContent($content, $charset = 'UTF-8')
{
+ $current = libxml_use_internal_errors(true);
+ $disableEntities = libxml_disable_entity_loader(true);
+
$dom = new \DOMDocument('1.0', $charset);
$dom->validateOnParse = true;
// remove the default namespace to make XPath expressions simpler
- $current = libxml_use_internal_errors(true);
- @$dom->loadXML(str_replace('xmlns', 'ns', $content));
+ @$dom->loadXML(str_replace('xmlns', 'ns', $content), LIBXML_NONET);
+
libxml_use_internal_errors($current);
+ libxml_disable_entity_loader($disableEntities);
$this->addDocument($dom);
}
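Review bot: addXmlContent switches libxml back with `libxml_use_internal_errors($current);` but never drains the errors buffered while internal errors were on, so every parse problem suppressed here remains in libxml's global error buffer and is handed to whichever code next calls libxml_get_errors(); addHtmlContent in the first hunk has the same gap (its closing lines are not in this view). If nothing in the crawler consumes those errors, add `libxml_clear_errors();` immediately before each restore so one document's failures do not leak into the next caller's diagnostics. Separately, only the XML path passes `LIBXML_NONET` while the HTML path relies on `libxml_disable_entity_loader(true)` alone, presumably because DOMDocument::loadHTML() only accepts an $options argument from PHP 5.4 and this branch may still support an older baseline. That asymmetry deserves a comment such as `// LIBXML_NONET is not passed to loadHTML(): its $options argument requires PHP 5.4` so it is not "fixed" later in a way that silently breaks parsing on older PHP.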
