
Merge branch 'security/zf2014-01'

Resolves ZF2014-01 - XML External Entity (XXE) and XML Entity Expansion (XEE) vulnerabilities
2 parents 16b6c1e + fbeba98 commit ee5a273114aa5f52da965aaeba38d52792295ec4 @weierophinney weierophinney committed Mar 6, 2014
@@ -9,7 +9,8 @@
"homepage": "http://framework.zend.com/",
"license": "BSD-3-Clause",
"require": {
- "php": ">=5.3.3"
+ "php": ">=5.3.3",
+ "zendframework/zendxml": "~1.0-dev"
},
"require-dev": {
"doctrine/annotations": ">=1.0",
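Review bot: The new requirement `"zendframework/zendxml": "~1.0-dev"` on the added line pins a security fix to a development branch rather than a tagged release, so what a downstream install actually resolves depends on the state of the ZendXml 1.x branch at install time and is not reproducible or reviewable from this commit. If no ZendXml tag existed when this was merged that is understandable, but the constraint should be tightened to `"zendframework/zendxml": "~1.0"` (or a `^1.0.0` equivalent) as soon as a release exists, and a note in the changelog/README should tell users which ZendXml version carries the entity-loader hardening the rest of this commit relies on. Presumably the rest of `composer.json` is unchanged; only this hunk is visible.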
@@ -12,6 +12,7 @@
use SimpleXMLElement;
use Zend\Json\Exception\RecursionException;
use Zend\Json\Exception\RuntimeException;
+use ZendXml\Security as XmlSecurity;
/**
* Class for encoding to and decoding from JSON.
@@ -311,10 +312,10 @@ protected static function _processXml($simpleXmlElementObject, $ignoreXmlAttribu
public static function fromXml($xmlStringContents, $ignoreXmlAttributes = true)
{
// Load the XML formatted string into a Simple XML Element object.
- $simpleXmlElementObject = simplexml_load_string($xmlStringContents);
+ $simpleXmlElementObject = XmlSecurity::scan($xmlStringContents);
// If it is not a valid XML content, throw an exception.
- if ($simpleXmlElementObject == null) {
+ if (!$simpleXmlElementObject) {
throw new RuntimeException('Function fromXml was called with an invalid XML formatted string.');
} // End of if ($simpleXmlElementObject == null)
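Review bot: `XmlSecurity::scan()` on the replaced line can throw `ZendXml\Exception\RuntimeException` for input that carries a DOCTYPE or entity declarations (that is exactly what the two XmlRpc hunks on this page catch), but fromXml lets it propagate, so a caller of `Json::fromXml` that catches the existing `Zend\Json\Exception\RuntimeException` for bad input will not see the rejection of malicious XML and will instead get an exception type from a different package. The XmlRpc changes wrap the ZendXml exception in a framework-local one; fromXml should do the same, and its docblock should state that both malformed and insecure XML raise `RuntimeException`. The trailing `// End of if ($simpleXmlElementObject == null)` now describes a condition that no longer exists and should be updated or dropped. fromXml's body continues outside the hunk.

```php
// Load the XML formatted string into a Simple XML Element object.
try {
    $simpleXmlElementObject = XmlSecurity::scan($xmlStringContents);
} catch (\ZendXml\Exception\RuntimeException $e) {
    // Rejected by ZendXml: DOCTYPE / entity declarations are not allowed
    throw new RuntimeException('Function fromXml was called with insecure XML: ' . $e->getMessage(), 0, $e);
}
// If it is not a valid XML content, throw an exception.
if (!$simpleXmlElementObject) {
    throw new RuntimeException('Function fromXml was called with an invalid XML formatted string.');
}
// … unchanged: remainder of fromXml …
```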
@@ -89,6 +89,7 @@ public function setOptions($options)
case self::AUTOREGISTER_ZF:
if ($pairs) {
$this->registerNamespace('Zend', dirname(__DIR__));
+ $this->registerNamespace('ZendXml', dirname(dirname((__DIR__))) . '/ZendXml');
}
break;
case self::LOAD_NS:
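Review bot: The added `registerNamespace('ZendXml', …)` hard-codes the assumption that ZendXml sits beside the `Zend` library directory (`library/ZendXml`), which is not where a Composer install of the `zendframework/zendxml` requirement added in this same commit would presumably put it (under `vendor/`). Under `AUTOREGISTER_ZF` with no other autoloader active, `ZendXml\Security` would then be unresolvable and the hardened XML-RPC/JSON paths would fail with a class-not-found error rather than fall back to unsafe parsing — a safe failure, but one worth documenting, e.g. `// ZendXml is expected as a sibling of the Zend library dir (library/ZendXml); Composer installs register it via vendor/autoload.php instead`. The inner parentheses in `dirname(dirname((__DIR__)))` are redundant; `dirname(dirname(__DIR__)) . '/ZendXml'` reads more clearly. setOptions's body starts and ends outside the hunk.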
@@ -10,6 +10,7 @@
namespace Zend\XmlRpc;
use SimpleXMLElement;
+use ZendXml\Security as XmlSecurity;
/**
* XMLRPC Faults
@@ -180,10 +181,10 @@ public function loadXml($fault)
$xmlErrorsFlag = libxml_use_internal_errors(true);
try {
- $xml = new SimpleXMLElement($fault);
- } catch (\Exception $e) {
- // Not valid XML
- throw new Exception\InvalidArgumentException('Failed to parse XML fault: ' . $e->getMessage(), 500, $e);
+ $xml = XmlSecurity::scan($fault);
+ } catch (\ZendXml\Exception\RuntimeException $e) {
+ // Unsecure XML
+ throw new Exception\RuntimeException('Failed to parse XML fault: ' . $e->getMessage(), 500, $e);
}
if (!$xml instanceof SimpleXMLElement) {
$errors = libxml_get_errors();
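Review bot: The rethrow in the new `catch` block reports a security rejection as `'Failed to parse XML fault: '` even though the comment above it says the input was rejected as unsafe, and it raises `Exception\RuntimeException` while the malformed-XML path below (judging by the test expectation at the bottom of the page) raises `Exception\InvalidArgumentException` — callers that catch the latter to handle bad fault payloads will let the DOCTYPE/entity rejection escape. A message that says what happened, `throw new Exception\RuntimeException('Rejected insecure XML fault: ' . $e->getMessage(), 500, $e);`, plus a `@throws` for both types in loadXml's docblock would make this explicit. The comment should read `// Insecure XML` rather than `// Unsecure XML`. Note also that this throw path leaves `libxml_use_internal_errors` at the value set on the first line of the hunk; whether `$xmlErrorsFlag` is restored on that path depends on code outside the hunk, and loadXml's body continues past it.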
@@ -9,6 +9,8 @@
namespace Zend\XmlRpc;
+use ZendXml\Security as XmlSecurity;
+
/**
* XmlRpc Response
*
@@ -151,28 +153,9 @@ public function loadXml($response)
return false;
}
- // @see ZF-12293 - disable external entities for security purposes
- $loadEntities = libxml_disable_entity_loader(true);
- $useInternalXmlErrors = libxml_use_internal_errors(true);
try {
- $dom = new \DOMDocument;
- $dom->loadXML($response);
- foreach ($dom->childNodes as $child) {
- if ($child->nodeType === XML_DOCUMENT_TYPE_NODE) {
- throw new Exception\ValueException(
- 'Invalid XML: Detected use of illegal DOCTYPE'
- );
- }
- }
- // TODO: Locate why this passes tests but a simplexml import doesn't
- //$xml = simplexml_import_dom($dom);
- $xml = new \SimpleXMLElement($response);
- libxml_disable_entity_loader($loadEntities);
- libxml_use_internal_errors($useInternalXmlErrors);
- } catch (\Exception $e) {
- libxml_disable_entity_loader($loadEntities);
- libxml_use_internal_errors($useInternalXmlErrors);
- // Not valid XML
+ $xml = XmlSecurity::scan($response);
+ } catch (\ZendXml\Exception\RuntimeException $e) {
$this->fault = new Fault(651);
$this->fault->setEncoding($this->getEncoding());
return false;
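Review bot: Merely malformed (non-malicious) XML no longer reaches the fault-651 path: the removed code relied on `new \SimpleXMLElement($response)` throwing for unparsable input, but the Fault hunk on this page treats a non-`SimpleXMLElement` return from `XmlSecurity::scan()` as the malformed case, which suggests `scan()` returns false for such input under internal errors rather than throwing, so the narrowed `catch (\ZendXml\Exception\RuntimeException $e)` would not run and `$xml` would be false when execution continues past the hunk. Unless the code following the hunk already checks for this, add an explicit instance check after the try, mirroring Fault::loadXml. The removed lines also saved and restored `libxml_disable_entity_loader` / `libxml_use_internal_errors` around the parse; that responsibility now presumably lives inside `XmlSecurity::scan()`, which cannot be confirmed from this page and deserves a one-line comment. loadXml's body continues outside the hunk.

```php
try {
    $xml = XmlSecurity::scan($response);
} catch (\ZendXml\Exception\RuntimeException $e) {
    // Rejected as insecure (DOCTYPE / entity declarations present)
    $xml = false;
}
// Malformed XML: scan() yields no element rather than throwing
if (!$xml instanceof \SimpleXMLElement) {
    $this->fault = new Fault(651);
    $this->fault->setEncoding($this->getEncoding());
    return false;
}
// … unchanged: remainder of loadXml …
```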
@@ -186,7 +186,10 @@ public function testCanTellAutoloaderToRegisterZendNamespaceAtInstantiation()
$loader = new StandardAutoloader(array('autoregister_zf' => true));
$r = new ReflectionClass($loader);
$file = $r->getFileName();
- $expected = array('Zend\\' => dirname(dirname($file)) . DIRECTORY_SEPARATOR);
+ $expected = array(
+ 'Zend\\' => dirname(dirname($file)) . DIRECTORY_SEPARATOR,
+ 'ZendXml\\' => dirname(dirname(dirname($file))) . DIRECTORY_SEPARATOR . 'ZendXml' . DIRECTORY_SEPARATOR,
+ );
$this->assertAttributeEquals($expected, 'namespaces', $loader);
}
@@ -146,7 +146,7 @@ public function testLoadXml()
public function testLoadXmlThrowsExceptionOnInvalidInput()
{
- $this->setExpectedException('Zend\XmlRpc\Exception\InvalidArgumentException', 'Failed to parse XML fault: String could not be parsed as XML');
+ $this->setExpectedException('Zend\XmlRpc\Exception\InvalidArgumentException', 'Failed to parse XML fault');
$parsed = $this->_fault->loadXml('foo');
}
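Review bot: Loosening the expected message keeps the existing malformed-input test passing, but the commit adds no test for the new behaviour it introduces — a fault payload carrying a DOCTYPE or entity declaration should now be rejected with `Zend\XmlRpc\Exception\RuntimeException`, and nothing here pins that. A companion test such as `$this->setExpectedException('Zend\XmlRpc\Exception\RuntimeException', 'Failed to parse XML fault');` followed by `$this->_fault->loadXml('<?xml version="1.0"?><!DOCTYPE foo [<!ENTITY bar "baz">]><methodResponse><fault>&bar;</fault></methodResponse>');` would guard against a regression to the unsafe parser. The same applies to Response::loadXml, which on the page returns false with fault 651 for the rejected case and is equally untested here.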
