From cdc8454cf112006e4199b6221bcaa3c3a509b564 Mon Sep 17 00:00:00 2001
From: Thomas Willingham
Date: Sat, 12 Apr 2014 18:13:37 +0100
Subject: Update sabre

---
 vendor/sabre/dav/lib/Sabre/DAV/Client.php | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

(limited to 'vendor/sabre/dav/lib/Sabre/DAV/Client.php')

diff --git a/vendor/sabre/dav/lib/Sabre/DAV/Client.php b/vendor/sabre/dav/lib/Sabre/DAV/Client.php
index b9cf043a2..1cec8ff6f 100644
--- a/vendor/sabre/dav/lib/Sabre/DAV/Client.php
+++ b/vendor/sabre/dav/lib/Sabre/DAV/Client.php
@@ -10,7 +10,7 @@ namespace Sabre\DAV;
  *
  * NOTE: This class is experimental, it's api will likely change in the future.
  *
- * @copyright Copyright (C) 2007-2013 fruux GmbH (https://fruux.com/).
+ * @copyright Copyright (C) 2007-2014 fruux GmbH (https://fruux.com/).
  * @author Evert Pot (http://evertpot.com/)
  * @license http://code.google.com/p/sabredav/wiki/License Modified BSD License
  */
@@ -314,7 +314,11 @@ class Client {
             CURLOPT_RETURNTRANSFER => true,
             // Return headers as part of the response
             CURLOPT_HEADER => true,
-            CURLOPT_POSTFIELDS => $body,
+
+            // For security we cast this to a string. If somehow an array could
+            // be passed here, it would be possible for an attacker to use @ to
+            // post local files.
+            CURLOPT_POSTFIELDS => (string)$body,
             // Automatically follow redirects
             CURLOPT_FOLLOWLOCATION => true,
             CURLOPT_MAXREDIRS => 5,
@@ -526,7 +530,12 @@ class Client {
         $body = XMLUtil::convertDAVNamespace($body);
+        // Fixes an XXE vulnerability on PHP versions older than 5.3.23 or
+        // 5.4.13.
+        $previous = libxml_disable_entity_loader(true);
         $responseXML = simplexml_load_string($body, null, LIBXML_NOBLANKS | LIBXML_NOCDATA);
+        libxml_disable_entity_loader($previous);
+
         if ($responseXML===false) {
             throw new \InvalidArgumentException('The passed data is not valid XML');
         }
-- 
cgit v1.2.3
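Review bot: The `(string)$body` cast on the new CURLOPT_POSTFIELDS line turns an array into the literal string `Array` (plus an E_NOTICE) rather than rejecting it, so the mistaken caller the comment worries about is masked instead of reported. Rejecting the shape explicitly keeps the protection and surfaces the bug; assuming a null body stays legal as the cast currently tolerates, `if (!is_string($body) && $body !== null) { throw new \InvalidArgumentException('Request body must be a string'); }` before the options array is built does that. On PHP 5.5+ adding `CURLOPT_SAFE_UPLOAD => true` to the same array is an independent second guard against `@`-prefixed values being treated as file uploads. The enclosing method's body starts and ends outside the hunk.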
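Review bot: The `libxml_disable_entity_loader($previous)` restore after `simplexml_load_string` is skipped if an error handler converts the parser's warnings into exceptions, leaving the process-wide loader state changed for the rest of the request. Where PHP 5.5+ is available, wrapping the call in `try { … } finally { libxml_disable_entity_loader($previous); }` restores it on every path; on 5.3/5.4, calling `libxml_use_internal_errors(true)` before the parse keeps the warnings from reaching an exception-throwing handler. Adding `LIBXML_NONET` to the flags is a cheap, version-independent second layer that stops the parser fetching remote resources even where the loader toggle is ineffective. The enclosing method continues outside the hunk.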