
Disable XXE on WDDX serializer.

1 parent 7c51444 commit 8447f03984d529b84782f5696453a2da877dfb37 @padraic padraic committed Aug 1, 2012
Showing with 2 additions and 0 deletions.
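--- a/library/Zend/Serializer/Adapter/Wddx.php
+++ b/library/Zend/Serializer/Adapter/Wddx.php
@@ -114,7 +114,9 @@ public function unserialize($wddx)
 // check if the returned NULL is valid
 // or based on an invalid wddx string
 try {
+libxml_disable_entity_loader(true);
 $simpleXml = new \SimpleXMLElement($wddx);
+libxml_disable_entity_loader(false);
 if (isset($simpleXml->data[0]->null[0])) {
 return null; // valid null
 }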
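Review bot: The entity loader stays disabled for the rest of the process if `new \SimpleXMLElement($wddx)` throws on malformed input, because the re-enabling call on the following line is only reached on success, and `libxml_disable_entity_loader()` is global libxml state shared by every later XML parse in the request. The call also unconditionally resets the flag to `false`, which would re-enable entity loading for a caller that had deliberately disabled it before invoking this adapter; save the previous value and restore it on both the success and the exception path, as in the excerpt below. Disabling the loader only stops external entity fetches, not internal entity expansion, so a cheap defense-in-depth check is to reject any input containing a `<!DOCTYPE` declaration before it reaches the parser, e.g. `if (stripos($wddx, '<!DOCTYPE') !== false) { throw new Exception\RuntimeException('Doctype declarations are not allowed in WDDX input'); }` placed before the try. The enclosing unserialize() method and its try block continue past the end of the hunk, so the matching catch was not visible for review.
```php
// … unchanged: null-check comments …
$previousEntityLoaderState = libxml_disable_entity_loader(true);
try {
    $simpleXml = new \SimpleXMLElement($wddx);
} catch (\Exception $e) {
    // restore global libxml state before letting the outer handler see the failure
    libxml_disable_entity_loader($previousEntityLoaderState);
    throw $e;
}
libxml_disable_entity_loader($previousEntityLoaderState);
// … unchanged: valid-null check …
```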
