[ZF-12486] Fix XXE vulnerability in legacy Zend_Feed classes
Merges r25158 from trunk. - Fixes an XXE vulnerability in Zend_Feed_Abstract whereby feeds imported by URI could load external XML entities. git-svn-id: http://framework.zend.com/svn/framework/standard/branches/release-1.12@25160 44c647ce-9c0f-0410-b52a-842ac1e357ba
matthew
committed
Dec 18, 2012
1 parent
a95e294
commit 15c8491
Showing
13 changed files
with
268 additions
and
16 deletions.
@@ -0,0 +1,84 @@ | ||
<?php | ||
/** | ||
* Zend Framework | ||
* | ||
* LICENSE | ||
* | ||
* This source file is subject to the new BSD license that is bundled | ||
* with this package in the file LICENSE.txt. | ||
* It is also available through the world-wide-web at this URL: | ||
* http://framework.zend.com/license/new-bsd | ||
* If you did not receive a copy of the license and are unable to | ||
* obtain it through the world-wide-web, please send an email | ||
* to license@zend.com so we can send you a copy immediately. | ||
* | ||
* @category Zend | ||
* @package Zend_Feed | ||
* @subpackage UnitTests | ||
* @copyright Copyright (c) 2005-2012 Zend Technologies USA Inc. (http://www.zend.com) | ||
* @license http://framework.zend.com/license/new-bsd New BSD License | ||
* @version $Id$ | ||
*/ | ||
|
||
/** | ||
* @see Zend_Feed | ||
*/ | ||
require_once 'Zend/Feed.php'; | ||
|
||
/** | ||
* @see Zend_Http | ||
*/ | ||
require_once 'Zend/Http/Client.php'; | ||
|
||
/** | ||
* @category Zend | ||
* @package Zend_Feed | ||
* @subpackage UnitTests | ||
* @copyright Copyright (c) 2005-2012 Zend Technologies USA Inc. (http://www.zend.com) | ||
* @license http://framework.zend.com/license/new-bsd New BSD License | ||
* @group Zend_Feed | ||
*/ | ||
class Zend_Feed_AbstractFeedTest extends PHPUnit_Framework_TestCase | ||
{ | ||
public $baseUri; | ||
|
||
public $remoteFeedNames = array(); | ||
|
||
public function setUp() | ||
{ | ||
if (!defined('TESTS_ZEND_FEED_IMPORT_ONLINE_BASEURI') | ||
|| !constant('TESTS_ZEND_FEED_IMPORT_ONLINE_BASEURI') | ||
) { | ||
$this->markTestSkipped('ONLINE feed tests are not enabled'); | ||
} | ||
$this->baseUri = rtrim(constant('TESTS_ZEND_FEED_IMPORT_ONLINE_BASEURI'), '/'); | ||
Zend_Feed::setHttpClient(new Zend_Http_Client()); | ||
} | ||
|
||
public function tearDown() | ||
{ | ||
if (!$this->baseUri) { | ||
return parent::tearDown(); | ||
} | ||
|
||
$basePath = dirname(__FILE__) . '/_files/'; | ||
foreach ($this->remoteFeedNames as $file) { | ||
$filename = $basePath . $file; | ||
if (!file_exists($filename)) { | ||
continue; | ||
} | ||
unlink($filename); | ||
} | ||
} | ||
|
||
public function prepareFeed($filename) | ||
{ | ||
$basePath = dirname(__FILE__) . '/_files/'; | ||
$path = $basePath . $filename; | ||
$remote = str_replace('.xml', '.remote.xml', $filename); | ||
$string = file_get_contents($path); | ||
$string = str_replace('XXE_URI', $this->baseUri . '/xxe-info.txt', $string); | ||
file_put_contents($basePath . '/' . $remote, $string); | ||
return $remote; | ||
} | ||
} |
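Review bot: `prepareFeed` never checks the return of `file_get_contents($path)`, so a missing or unreadable fixture becomes `false`, `str_replace` turns it into `''`, and an empty `.remote.xml` is written; since an empty document presumably also fails to parse, the XXE test could then pass without ever exercising an external entity. Guard it with `if ($string === false) { $this->fail("cannot read fixture $path"); }` before the substitution. `$basePath` already ends in `/`, so `$basePath . '/' . $remote` produces a doubled slash — `$basePath . $remote`, as used for `$path`, is consistent. Because the whole class is skipped unless `TESTS_ZEND_FEED_IMPORT_ONLINE_BASEURI` is defined, a class docblock should state that the base URI must serve this directory's `_files/` folder over HTTP, since the fixture is written there and then fetched by URL.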
@@ -0,0 +1,49 @@ | ||
<?php | ||
/** | ||
* Zend Framework | ||
* | ||
* LICENSE | ||
* | ||
* This source file is subject to the new BSD license that is bundled | ||
* with this package in the file LICENSE.txt. | ||
* It is also available through the world-wide-web at this URL: | ||
* http://framework.zend.com/license/new-bsd | ||
* If you did not receive a copy of the license and are unable to | ||
* obtain it through the world-wide-web, please send an email | ||
* to license@zend.com so we can send you a copy immediately. | ||
* | ||
* @category Zend | ||
* @package Zend_Feed | ||
* @subpackage UnitTests | ||
* @copyright Copyright (c) 2005-2012 Zend Technologies USA Inc. (http://www.zend.com) | ||
* @license http://framework.zend.com/license/new-bsd New BSD License | ||
* @version $Id$ | ||
*/ | ||
|
||
require_once dirname(__FILE__) . '/AbstractFeedTest.php'; | ||
|
||
/** | ||
* @see Zend_Feed_Atom | ||
*/ | ||
require_once 'Zend/Feed/Atom.php'; | ||
|
||
/** | ||
* @category Zend | ||
* @package Zend_Feed | ||
* @subpackage UnitTests | ||
* @copyright Copyright (c) 2005-2012 Zend Technologies USA Inc. (http://www.zend.com) | ||
* @license http://framework.zend.com/license/new-bsd New BSD License | ||
* @group Zend_Feed | ||
*/ | ||
class Zend_Feed_AtomTest extends Zend_Feed_AbstractFeedTest | ||
{ | ||
public $remoteFeedNames = array('zend_feed_atom_xxe.remote.xml'); | ||
|
||
public function testPreventsXxeAttacksOnParsing() | ||
{ | ||
$uri = $this->baseUri . '/' . $this->prepareFeed('zend_feed_atom_xxe.xml'); | ||
$this->setExpectedException('Zend_Feed_Exception', 'parse'); | ||
$feed = new Zend_Feed_Atom($uri); | ||
} | ||
} | ||
|
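Review bot: The expectation on the `setExpectedException` line only establishes that constructing `Zend_Feed_Atom` throws a `Zend_Feed_Exception` whose message contains the substring 'parse'; it does not show that `xxe-info.txt` was never fetched, so a regression that resolves the entity and then fails on some unrelated parse error would still be green. Tightening the fragment to the exact wording the Zend_Feed_Abstract fix throws (not visible on this page) would make the test fail for the right reason. `$feed` is assigned and never read; `new Zend_Feed_Atom($uri);` alone is clearer. The test is also skipped in any run without `TESTS_ZEND_FEED_IMPORT_ONLINE_BASEURI`, so the fix goes unverified in a default CI run — an offline variant feeding the same document through a test HTTP adapter, if Zend_Http provides one, would close that gap.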
@@ -0,0 +1,48 @@ | ||
<?php | ||
/** | ||
* Zend Framework | ||
* | ||
* LICENSE | ||
* | ||
* This source file is subject to the new BSD license that is bundled | ||
* with this package in the file LICENSE.txt. | ||
* It is also available through the world-wide-web at this URL: | ||
* http://framework.zend.com/license/new-bsd | ||
* If you did not receive a copy of the license and are unable to | ||
* obtain it through the world-wide-web, please send an email | ||
* to license@zend.com so we can send you a copy immediately. | ||
* | ||
* @category Zend | ||
* @package Zend_Feed | ||
* @subpackage UnitTests | ||
* @copyright Copyright (c) 2005-2012 Zend Technologies USA Inc. (http://www.zend.com) | ||
* @license http://framework.zend.com/license/new-bsd New BSD License | ||
* @version $Id$ | ||
*/ | ||
|
||
require_once dirname(__FILE__) . '/AbstractFeedTest.php'; | ||
|
||
/** | ||
* @see Zend_Feed_Rss | ||
*/ | ||
require_once 'Zend/Feed/Rss.php'; | ||
|
||
/** | ||
* @category Zend | ||
* @package Zend_Feed | ||
* @subpackage UnitTests | ||
* @copyright Copyright (c) 2005-2012 Zend Technologies USA Inc. (http://www.zend.com) | ||
* @license http://framework.zend.com/license/new-bsd New BSD License | ||
* @group Zend_Feed | ||
*/ | ||
class Zend_Feed_RssTest extends Zend_Feed_AbstractFeedTest | ||
{ | ||
public $remoteFeedNames = array('zend_feed_rss_xxe.remote.xml'); | ||
|
||
public function testPreventsXxeAttacksOnParsing() | ||
{ | ||
$uri = $this->baseUri . '/' . $this->prepareFeed('zend_feed_rss_xxe.xml'); | ||
$this->setExpectedException('Zend_Feed_Exception', 'parse'); | ||
$feed = new Zend_Feed_Rss($uri); | ||
} | ||
} |
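Review bot: `testPreventsXxeAttacksOnParsing` here is line-for-line the Atom test with the class and fixture name swapped, which is the kind of duplication that drifts when one copy is tightened later. Since both extend `Zend_Feed_AbstractFeedTest`, the shared body could live in the parent, driven by two properties, e.g. `protected $feedClass = 'Zend_Feed_Rss'; protected $xxeFixture = 'zend_feed_rss_xxe.xml';`, so every feed type gets the identical regression check. As in the Atom test, the unused `$feed` assignment can be dropped.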
@@ -0,0 +1 @@ | ||
xxe-information-disclosed |
@@ -0,0 +1,5 @@ | ||
<?xml version="1.0" encoding="utf-8"?> | ||
<!DOCTYPE feed [ <!ENTITY discloseInfo SYSTEM "XXE_URI"> ]> | ||
<feed xmlns="http://www.w3.org/2005/Atom"> | ||
<title type="text">info:&discloseInfo;</title> | ||
</feed> |
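Review bot: This fixture exercises one shape of the bug only — a general external entity with an `http:` system identifier referenced from element content. The same loader is reached by a `file:///` system identifier, by a parameter entity (`<!ENTITY % ext SYSTEM "XXE_URI"> %ext;`) and by an external DTD subset (`<!DOCTYPE feed SYSTEM "XXE_URI">`), and whether the Zend_Feed_Abstract change blocks those forms cannot be judged from this page; sibling fixtures for at least the parameter-entity and external-DTD variants would make the regression test cover the class of issue rather than a single payload. A prolog comment such as `<!-- XXE_URI is replaced by Zend_Feed_AbstractFeedTest::prepareFeed() -->` would also explain the placeholder to the next reader.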
@@ -0,0 +1,7 @@ | ||
<?xml version="1.0" encoding="utf-8"?> | ||
<!DOCTYPE rss [ <!ENTITY discloseInfo SYSTEM "XXE_URI"> ]> | ||
<rss version="2.0"> | ||
<channel> | ||
<title type="text">info:&discloseInfo;</title> | ||
</channel> | ||
</rss> |
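Review bot: The `type="text"` attribute on `<title>` is an Atom construct copied from the Atom fixture, not part of RSS 2.0; it is harmless here because the parser is expected to reject the document before reading it, but it makes the fixture look like it was written for the wrong format. `<title>info:&discloseInfo;</title>` is the RSS form. As with the Atom fixture, a `file:///` or parameter-entity variant alongside this one would broaden what the regression test proves.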