Diffstat (limited to 'vendor/sabre/dav/lib/Sabre/DAV/XMLUtil.php')
-rw-r--r-- | vendor/sabre/dav/lib/Sabre/DAV/XMLUtil.php | 8 |
1 files changed, 6 insertions, 2 deletions
diff --git a/vendor/sabre/dav/lib/Sabre/DAV/XMLUtil.php b/vendor/sabre/dav/lib/Sabre/DAV/XMLUtil.php
index 298398da0..046a59162 100644
--- a/vendor/sabre/dav/lib/Sabre/DAV/XMLUtil.php
+++ b/vendor/sabre/dav/lib/Sabre/DAV/XMLUtil.php
@@ -5,7 +5,7 @@ namespace Sabre\DAV;
 /**
  * XML utilities for WebDAV
  *
- * @copyright Copyright (C) 2007-2013 fruux GmbH (https://fruux.com/).
+ * @copyright Copyright (C) 2007-2014 fruux GmbH (https://fruux.com/).
  * @author Evert Pot (http://evertpot.com/)
  * @license http://code.google.com/p/sabredav/wiki/License Modified BSD License
  */
@@ -113,6 +113,9 @@ class XMLUtil {
 // Retaining old error setting
 $oldErrorSetting = libxml_use_internal_errors(true);
+ // Fixes an XXE vulnerability on PHP versions older than 5.3.23 or
+ // 5.4.13.
+ $oldEntityLoaderSetting = libxml_disable_entity_loader(true);
 // Clearing any previous errors
 libxml_clear_errors();
@@ -121,7 +124,7 @@ class XMLUtil {
 // We don't generally care about any whitespace
 $dom->preserveWhiteSpace = false;
-
+
 $dom->loadXML(self::convertDAVNamespace($xml),LIBXML_NOWARNING | LIBXML_NOERROR);
 if ($error = libxml_get_last_error()) {
@@ -131,6 +134,7 @@ class XMLUtil {
 // Restoring old mechanism for error handling
 if ($oldErrorSetting===false) libxml_use_internal_errors(false);
+ if ($oldEntityLoaderSetting===false) libxml_disable_entity_loader(true);
 return $dom; |
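Review bot: The restore line added in the last hunk does not restore anything: when `$oldEntityLoaderSetting` is `false` (the loader was enabled before this call), it calls `libxml_disable_entity_loader(true)` again, so the loader stays disabled for the rest of the process after the first parse; the line should read `if ($oldEntityLoaderSetting===false) libxml_disable_entity_loader(false);`. That matters because `libxml_disable_entity_loader()` is a process-global switch that also affects unrelated libxml callers (DOMDocument::load, XMLReader, XSLT includes), not just this `loadXML` call. The error branch opened by `if ($error = libxml_get_last_error()) {` in the preceding hunk presumably leaves the method before the "Restoring" block, in which case the loader state is also leaked on malformed input; if that is so, restore both settings in that path as well. The enclosing method begins and ends outside these hunks, and the comment's claim that only PHP < 5.3.23 / 5.4.13 is affected is not something the diff lets me verify, so I would soften it to "defends against XXE by disabling external entity loading (process-wide; restored below)".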