
Disable XXE on WDDX serializer.
padraic committed Aug 1, 2012
1 parent 7c51444 commit 8447f03
Showing 1 changed file with 2 additions and 0 deletions.
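--- a/library/Zend/Serializer/Adapter/Wddx.php
+++ b/library/Zend/Serializer/Adapter/Wddx.php
@@ -114,7 +114,9 @@ public function unserialize($wddx)
 // check if the returned NULL is valid
 // or based on an invalid wddx string
 try {
+libxml_disable_entity_loader(true);
 $simpleXml = new \SimpleXMLElement($wddx);
+libxml_disable_entity_loader(false);
 if (isset($simpleXml->data[0]->null[0])) {
 return null; // valid null
 }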
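Review bot: The restore after `new \SimpleXMLElement($wddx)` passes a hard-coded `false`, so an application that had already disabled the entity loader for the whole process gets it switched back on as a side effect of calling unserialize(). `libxml_disable_entity_loader()` returns the previous setting, so capture it with `$oldValue = libxml_disable_entity_loader(true);` and put it back with `libxml_disable_entity_loader($oldValue);`. The restore is also skipped when the constructor throws on malformed input, which leaves the global setting changed for the rest of the request and can break unrelated XML file loading. The matching catch block is outside this hunk, so the same restore call presumably belongs there too. A short comment such as `// block external entity loading (XXE) while parsing untrusted WDDX` above the first call would record why the toggle is there.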
