Merge branch 'security/zf2014-01'

Resolves ZF2014-01 - XXE/XEE vulnerabilities
zendframework · Mar 5, 2014 · 1049b71 · 1049b71
2 parents 3183b61 + 1fafbc4
commit 1049b71
Show file tree

Hide file tree

Showing 5 changed files with 17 additions and 7 deletions.
diff --git a/.gitignore b/.gitignore
@@ -1 +1,6 @@
-vendor/
+composer.lock
+composer.phar
+vendor
+.buildpath
+.project
+.settings/
diff --git a/composer.json b/composer.json
@@ -21,9 +21,10 @@
     ],
     "require": {
         "php": ">=5.3.3",
-        "zendframework/zend-http": ">=2.0.0",
-        "zendframework/zend-uri": ">=2.0.0",
-        "zendframework/zend-version": ">=2.0.0"
+        "zendframework/zend-http": "~2.0",
+        "zendframework/zend-uri": "~2.0",
+        "zendframework/zend-version": "~2.0",
+        "zendframework/zendxml": "~1.0-dev"
     },
     "extra": {
         "branch-alias": {

diff --git a/library/ZendService/Technorati/AbstractResultSet.php b/library/ZendService/Technorati/AbstractResultSet.php
@@ -14,6 +14,7 @@
 use DOMXPath;
 use OutOfBoundsException;
 use SeekableIterator;
+use ZendXml\Security as XmlSecurity;
 
 /**
  * This is the most essential result set.
@@ -270,7 +271,7 @@ public function __sleep()
     public function __wakeup()
     {
         $dom = new DOMDocument();
-        $dom->loadXml($this->xml);
+        $dom = XmlSecurity::scan($this->xml, $dom);
         $this->init($dom);
         $this->xml = null; // reset XML content
     }

diff --git a/tests/ZendService/Technorati/ResultSetTest.php b/tests/ZendService/Technorati/ResultSetTest.php
@@ -10,6 +10,7 @@
 
 namespace ZendServiceTest\Technorati;
 
+use ZendService\Technorati\SearchResultSet;
 /**
  * @category   Zend
  * @package    Zend_Service_Technorati
@@ -31,7 +32,7 @@ public function setUp()
     {
         $this->ref = new \ReflectionClass('ZendService\Technorati\AbstractResultSet');
         $this->dom = self::getTestFileContentAsDom('TestSearchResultSet.xml');
-        $this->object = new Technorati\SearchResultSet($this->dom);
+        $this->object = new SearchResultSet($this->dom);
         $this->objectRef = new \ReflectionObject($this->object);
     }
 

diff --git a/tests/ZendService/Technorati/ResultTest.php b/tests/ZendService/Technorati/ResultTest.php
@@ -10,6 +10,8 @@
 
 namespace ZendServiceTest\Technorati;
 
+use ZendService\Technorati\SearchResult;
+
 /**
  * @category   Zend
  * @package    Zend_Service_Technorati
@@ -27,7 +29,7 @@ public function setUp()
     {
         $this->ref = new \ReflectionClass('ZendService\Technorati\AbstractResult');
         $this->domElements = self::getTestFileElementsAsDom('TestSearchResultSet.xml');
-        $this->object = new Technorati\SearchResult($this->domElements->item(0));
+        $this->object = new SearchResult($this->domElements->item(0));
         $this->objectRef = new \ReflectionObject($this->object);
     }