author | Will Norris <will@willnorris.com> | 2013-08-11 18:41:28 -0700 |
---|---|---|
committer | Will Norris <will@willnorris.com> | 2013-08-11 18:41:28 -0700 |
commit | 625c16bb28bb120d262b3f19f89c2c06cb9b0da9 (patch) | |
tree | 06b1896416e7f2fc66c7cfcd521e63ebfdfab60e /Auth/Yadis/XML.php | |
parent | ed87a679d5ef18178b0f0c0c41f9e391e21267ac (diff) | |
disable external XML entities and libxml errors
thanks to Kousuke Ebihara for the report and patch.
Diffstat (limited to 'Auth/Yadis/XML.php')
-rw-r--r-- | Auth/Yadis/XML.php | 9 |
1 files changed, 8 insertions, 1 deletions
diff --git a/Auth/Yadis/XML.php b/Auth/Yadis/XML.php
index cf1f5c4..bb13775 100644
--- a/Auth/Yadis/XML.php
+++ b/Auth/Yadis/XML.php
@@ -234,7 +234,14 @@ class Auth_Yadis_dom extends Auth_Yadis_XMLParser {
 return false;
 }
- if (!@$this->doc->loadXML($xml_string)) {
+ // disable external entities and libxml errors
+ $loader = libxml_disable_entity_loader(true);
+ $errors = libxml_use_internal_errors(true);
+ $parse_result = @$this->doc->loadXML($xml_string);
+ libxml_disable_entity_loader($loader);
+ libxml_use_internal_errors($errors);
+
+ if (!$parse_result) {
 return false;
 } |
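Review bot: Both `libxml_disable_entity_loader()` calls are unconditional, so on a PHP build that lacks the function (it was added in 5.2.11 and is deprecated from 8.0) this path ends in a fatal error instead of returning false. A guard such as `$has_loader = function_exists('libxml_disable_entity_loader');` around the two calls would keep such runtimes working, but the fallback then parses without the protection, so it should be an explicit decision whether to fail closed there. The documents parsed here presumably come from remote hosts and need no DTD, so rejecting any input that carries a DOCTYPE would also cover internal entity expansion, which disabling the external loader does not address. If the caller already had internal errors enabled, this parse's errors stay in its buffer after the restore; a `libxml_clear_errors();` before `libxml_use_internal_errors($errors);` avoids that. The enclosing method starts and ends outside the hunk.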