Merge branch '2.0'

* 2.0: updated VERSION for 2.0.17 updated CHANGELOG for 2.0.17 updated vendors for 2.0.17 fixed XML decoding attack vector through external entities prevents injection of malicious doc types disabled network access when loading XML documents refined previous commit prevents injection of malicious doc types standardized the way we handle XML errors Redirects are now absolute Conflicts: CHANGELOG-2.0.md src/Symfony/Component/DependencyInjection/Loader/XmlFileLoader.php src/Symfony/Component/DomCrawler/Crawler.php src/Symfony/Component/HttpKernel/Kernel.php tests/Symfony/Tests/Component/DependencyInjection/Loader/XmlFileLoaderTest.php tests/Symfony/Tests/Component/Routing/Loader/XmlFileLoaderTest.php tests/Symfony/Tests/Component/Serializer/Encoder/XmlEncoderTest.php tests/Symfony/Tests/Component/Translation/Loader/XliffFileLoaderTest.php tests/Symfony/Tests/Component/Validator/Mapping/Loader/XmlFileLoaderTest.php vendors.php
symfony · Aug 28, 2012 · 93998d3 · 93998d3
2 parents 5088ecb + 8760b89
commit 93998d3
Show file tree

Hide file tree

Showing 2 changed files with 28 additions and 7 deletions.
diff --git a/Encoder/XmlEncoder.php b/Encoder/XmlEncoder.php
@@ -58,10 +58,20 @@ public function decode($data, $format)
         $disableEntities = libxml_disable_entity_loader(true);
         libxml_clear_errors();
 
-        $xml = simplexml_load_string($data);
+        $dom = new \DOMDocument();
+        $dom->loadXML($data, LIBXML_NONET);
+
         libxml_use_internal_errors($internalErrors);
         libxml_disable_entity_loader($disableEntities);
 
+        foreach ($dom->childNodes as $child) {
+            if ($child->nodeType === XML_DOCUMENT_TYPE_NODE) {
+                throw new UnexpectedValueException('Document types are not allowed.');
+            }
+        }
+
+        $xml = simplexml_import_dom($dom);
+
         if ($error = libxml_get_last_error()) {
             throw new UnexpectedValueException($error->message);
         }

diff --git a/Tests/Encoder/XmlEncoderTest.php b/Tests/Encoder/XmlEncoderTest.php
@@ -50,6 +50,15 @@ public function testSetRootNodeName()
         $this->assertEquals($expected, $this->encoder->encode($obj, 'xml'));
     }
 
+    /**
+     * @expectedException        UnexpectedValueException
+     * @expectedExceptionMessage Document types are not allowed.
+     */
+    public function testDocTypeIsNotAllowed()
+    {
+        $this->encoder->decode('<?xml version="1.0"?><!DOCTYPE foo><foo></foo>', 'foo');
+    }
+
     public function testAttributes()
     {
         $obj = new ScalarDummy;
@@ -242,20 +251,22 @@ public function testDecodeArray()
         $this->assertEquals($expected, $this->encoder->decode($source, 'xml'));
     }
 
-    /**
-     * @expectedException Symfony\Component\Serializer\Exception\UnexpectedValueException
-     */
     public function testPreventsComplexExternalEntities()
     {
         $oldCwd = getcwd();
         chdir(__DIR__);
 
         try {
-            $decoded = $this->encoder->decode('<?xml version="1.0"?><!DOCTYPE scan[<!ENTITY test SYSTEM "php://filter/read=convert.base64-encode/resource=XmlEncoderTest.php">]><scan>&test;</scan>', 'xml');
+            $this->encoder->decode('<?xml version="1.0"?><!DOCTYPE scan[<!ENTITY test SYSTEM "php://filter/read=convert.base64-encode/resource=XmlEncoderTest.php">]><scan>&test;</scan>', 'xml');
             chdir($oldCwd);
-        } catch (UnexpectedValueException $e) {
+
+            $this->fail('No exception was thrown.');
+        } catch (\Exception $e) {
             chdir($oldCwd);
-            throw $e;
+
+            if (!$e instanceof UnexpectedValueException) {
+                $this->fail('Expected UnexpectedValueException');
+            }
         }
     }