From 8447f03984d529b84782f5696453a2da877dfb37 Mon Sep 17 00:00:00 2001
From: Padraic Brady
Date: Wed, 1 Aug 2012 20:52:49 +0100
Subject: [PATCH] Disable XXE on WDDX serializer.

---
 library/Zend/Serializer/Adapter/Wddx.php | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/library/Zend/Serializer/Adapter/Wddx.php b/library/Zend/Serializer/Adapter/Wddx.php
index 039865580ef..37f13fdfafa 100644
--- a/library/Zend/Serializer/Adapter/Wddx.php
+++ b/library/Zend/Serializer/Adapter/Wddx.php
@@ -114,7 +114,9 @@ public function unserialize($wddx)
 // check if the returned NULL is valid
 // or based on an invalid wddx string
 try {
+ libxml_disable_entity_loader(true);
 $simpleXml = new \SimpleXMLElement($wddx);
+ libxml_disable_entity_loader(false);
 if (isset($simpleXml->data[0]->null[0])) {
 return null; // valid null
 }
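Review bot: The re-enable call `libxml_disable_entity_loader(false);` placed after `new \SimpleXMLElement($wddx)` is skipped whenever that constructor throws on malformed WDDX, so the process-wide entity-loader setting is left disabled for every later XML parse in the same request. It also resets the flag to `false` unconditionally, discarding whatever state the caller had configured; `libxml_disable_entity_loader()` returns the previous value, so the two added lines should read `$entityLoaderDisabled = libxml_disable_entity_loader(true);` and `libxml_disable_entity_loader($entityLoaderDisabled);`, with the same restore repeated in the `catch` block that closes this `try`. A one-line comment such as `// external entity loading is process-global state: always restore the prior value` would make the pairing obvious to the next maintainer. The `try`/`catch` and the enclosing `unserialize()` body continue outside the hunk.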