Diffstat (limited to 'vendor/sabre/dav/lib/Sabre/DAV/Client.php')
-rw-r--r--vendor/sabre/dav/lib/Sabre/DAV/Client.php13
1 files changed, 11 insertions, 2 deletions
diff --git a/vendor/sabre/dav/lib/Sabre/DAV/Client.php b/vendor/sabre/dav/lib/Sabre/DAV/Client.php
index b9cf043a2..1cec8ff6f 100644
--- a/vendor/sabre/dav/lib/Sabre/DAV/Client.php
+++ b/vendor/sabre/dav/lib/Sabre/DAV/Client.php
@@ -10,7 +10,7 @@ namespace Sabre\DAV;
*
* NOTE: This class is experimental, it's api will likely change in the future.
*
- * @copyright Copyright (C) 2007-2013 fruux GmbH (https://fruux.com/).
+ * @copyright Copyright (C) 2007-2014 fruux GmbH (https://fruux.com/).
* @author Evert Pot (http://evertpot.com/)
* @license http://code.google.com/p/sabredav/wiki/License Modified BSD License
*/
@@ -314,7 +314,11 @@ class Client {
CURLOPT_RETURNTRANSFER => true,
// Return headers as part of the response
CURLOPT_HEADER => true,
- CURLOPT_POSTFIELDS => $body,
+
+ // For security we cast this to a string. If somehow an array could
+ // be passed here, it would be possible for an attacker to use @ to
+ // post local files.
+ CURLOPT_POSTFIELDS => (string)$body,
// Automatically follow redirects
CURLOPT_FOLLOWLOCATION => true,
CURLOPT_MAXREDIRS => 5,
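Review bot: The `(string)` cast on the `CURLOPT_POSTFIELDS` line coerces rather than rejects, so an array that does reach this point is sent as the literal body `"Array"` (with an "Array to string conversion" notice) and a stream resource, if a caller ever passed one, as `"Resource id #N"` — the request goes out with a bogus body instead of failing loudly. Validating before the option array is built, e.g. `if (is_array($body)) { throw new \InvalidArgumentException('Request body must be a string, not an array'); }`, makes the misuse visible while the cast stays as defence in depth. The added comment would be more precise as `// Cast to string: only an array value makes cURL treat a leading @ as a local file to upload.`, since a plain string body is never interpreted that way. Because `CURLOPT_FOLLOWLOCATION` is enabled a few lines below, restricting `CURLOPT_REDIR_PROTOCOLS` to `CURLPROTO_HTTP | CURLPROTO_HTTPS` would close the related exposure of a redirect to a non-HTTP scheme. The enclosing method starts and ends outside the hunk.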
@@ -526,7 +530,12 @@ class Client {
$body = XMLUtil::convertDAVNamespace($body);
+ // Fixes an XXE vulnerability on PHP versions older than 5.3.23 or
+ // 5.4.13.
+ $previous = libxml_disable_entity_loader(true);
$responseXML = simplexml_load_string($body, null, LIBXML_NOBLANKS | LIBXML_NOCDATA);
+ libxml_disable_entity_loader($previous);
+
if ($responseXML===false) {
throw new \InvalidArgumentException('The passed data is not valid XML');
}
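Review bot: The restore of the entity loader on the `libxml_disable_entity_loader($previous)` line is not exception-safe: `simplexml_load_string` itself only returns `false`, but an error handler that converts warnings to exceptions (common in frameworks embedding this client) would skip the restore and leave the process-global setting changed for unrelated code. If the supported PHP floor permits `finally` (5.5+), wrapping the parse as below keeps the global state consistent on every path; on older versions the restore should at least be reachable from every branch. The comment would also help future readers by stating what the protection relies on, e.g. `// External entity loading is disabled for the parse and LIBXML_NOENT is deliberately not passed; both are needed to keep XXE out.` The enclosing method starts and ends outside the hunk.
```php
$previous = libxml_disable_entity_loader(true);
try {
    $responseXML = simplexml_load_string($body, null, LIBXML_NOBLANKS | LIBXML_NOCDATA);
} finally {
    libxml_disable_entity_loader($previous);
}
// … unchanged: false check and InvalidArgumentException …
```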