diff --git a/Makefile.PL b/Makefile.PL
index 89ab55d..ea7c9fa 100644
--- a/Makefile.PL
+++ b/Makefile.PL
@@ -2,7 +2,7 @@ use inc::Module::Install;
 name 'RPC-XML-Parser-LibXML';
 all_from 'lib/RPC/XML/Parser/LibXML.pm';
-requires 'XML::LibXML';
+requires 'XML::LibXML' => 1.70;
 requires 'RPC::XML' => 0.73;
 requires 'Carp';
 requires 'Encode';
diff --git a/lib/RPC/XML/Parser/LibXML.pm b/lib/RPC/XML/Parser/LibXML.pm
index 83c66f0..6dd5be7 100644
--- a/lib/RPC/XML/Parser/LibXML.pm
+++ b/lib/RPC/XML/Parser/LibXML.pm
@@ -25,7 +25,13 @@ my $value_xpath = join "|", map "./$_", qw( int i4 boolean string double dateTim
 sub parse_rpc_xml {
 my $xml = shift;
- my $x = XML::LibXML->new;
+ my $x = XML::LibXML->new({
+ no_network => 1,
+ expand_xinclude => 0,
+ expand_entities => 1,
+ load_ext_dtd => 0,
+ ext_ent_handler => sub { warn "External entities disabled."; '' },
+ });
 my $doc = $x->parse_string($xml)->documentElement;
 if ($doc->findnodes('/methodCall')) {
diff --git a/t/RPC-XML-Parser-LibXML.t b/t/RPC-XML-Parser-LibXML.t
index 0b72ef6..61ea201 100644
--- a/t/RPC-XML-Parser-LibXML.t
+++ b/t/RPC-XML-Parser-LibXML.t
@@ -5,7 +5,7 @@
 # change 'tests => 1' to 'tests => last_test_to_print';
-use Test::More tests => 28;
+use Test::More tests => 30;
 BEGIN { use_ok('RPC::XML::Parser::LibXML') };
 use RPC::XML;
@@ -436,3 +436,49 @@ XML
 is $r->{args}->[3]->{description}->value, 'desc';
 is_deeply $r->{args}->[4], [ map RPC::XML::string->new($_), qw( foo bar ) ];
 }
+
+## Don't allow external entities
+{
+ my $r = eval { RPC::XML::Parser::LibXML::parse_rpc_xml(< + +]> + + metaWeblog.newPost + + + entity:[&foo;] + + + **ACCOUNTNAME** + + + **PASSWORD** + + + + + titletest + descriptiondesc + + + + + + + + foo + $lt; + + + + + +
+XML
+ };
+
+ ok !$@, "We didn't die...";
+ is $r->{args}->[0]->value, 'entity:[]', "...but entities were ignored";
+}
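Review bot: The `ext_ent_handler` in the new `XML::LibXML->new({...})` call neutralizes an external-entity reference by returning `''` and only `warn`ing to STDERR, so a document that attempts an external fetch still parses successfully and the caller of parse_rpc_xml has no way to tell it apart from a legitimate request; that is a defensible choice, but it should be recorded next to the option block, e.g. `# External entities (and external DTD subsets) are never resolved: the handler` and `# returns empty content instead of failing, so hostile documents are neutralized, not rejected.`, and if rejection is preferred the handler could `croak` instead (which would change the new test's `ok !$@` expectation). Since `expand_entities => 1` is kept, internal entities are still expanded, so defence against recursive-entity amplification rests on libxml2's built-in limits; the comment should say that the `huge` parser option must stay off. It is also worth stating in the comment that `no_network => 1` only blocks network URIs and that `load_ext_dtd => 0` plus the handler are what cover local `file:` references. The body of parse_rpc_xml continues past the end of this hunk.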
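Review bot: The new test only shows that the entity's text came back empty, not that the parser's handler was the reason, and it lets the handler's warning leak into the test output; since the handler signals via `warn`, capture it with `my @warnings; local $SIG{__WARN__} = sub { push @warnings, @_ };` before the `eval`, then add `like "@warnings", qr/External entities disabled/, 'handler refused the external entity';` after the final `is` (the plan in the earlier hunk of this file would then become `tests => 31`). The `$lt;` in the last string parameter looks like a typo for `&lt;`; it is harmless if the heredoc does not interpolate, but it reads as an undefined variable otherwise, so it is worth fixing. The XML payload lines of this hunk are garbled in this copy, so the DOCTYPE content itself could not be checked.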