Diffstat (limited to 'vendor/sabre/dav/lib/Sabre/DAV/Locks/Plugin.php')
-rw-r--r--vendor/sabre/dav/lib/Sabre/DAV/Locks/Plugin.php9
1 files changed, 8 insertions, 1 deletions
diff --git a/vendor/sabre/dav/lib/Sabre/DAV/Locks/Plugin.php b/vendor/sabre/dav/lib/Sabre/DAV/Locks/Plugin.php
index ece363e1b..34e1b53f9 100644
--- a/vendor/sabre/dav/lib/Sabre/DAV/Locks/Plugin.php
+++ b/vendor/sabre/dav/lib/Sabre/DAV/Locks/Plugin.php
@@ -14,7 +14,7 @@ use Sabre\DAV;
* $lockPlugin = new Sabre\DAV\Locks\Plugin($lockBackend);
* $server->addPlugin($lockPlugin);
*
- * @copyright Copyright (C) 2007-2013 fruux GmbH (https://fruux.com/).
+ * @copyright Copyright (C) 2007-2014 fruux GmbH (https://fruux.com/).
* @author Evert Pot (http://evertpot.com/)
* @license http://code.google.com/p/sabredav/wiki/License Modified BSD License
*/
@@ -621,10 +621,17 @@ class Plugin extends DAV\ServerPlugin {
*/
protected function parseLockRequest($body) {
+ // Fixes an XXE vulnerability on PHP versions older than 5.3.23 or
+ // 5.4.13.
+ $previous = libxml_disable_entity_loader(true);
+
+
$xml = simplexml_load_string(
DAV\XMLUtil::convertDAVNamespace($body),
null,
LIBXML_NOWARNING);
+ libxml_disable_entity_loader($previous);
+
$xml->registerXPathNamespace('d','urn:DAV');
$lockInfo = new LockInfo();