lines changed Expand file tree Collapse file tree 3 files changed +10
-26
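--- a/FILE_1_PATH_NOT_ON_PAGE
+++ b/FILE_1_PATH_NOT_ON_PAGE
@@ -10,6 +10,7 @@
 namespace Zend \XmlRpc ;
 
 use SimpleXMLElement ;
+use ZendXml \Security as XmlSecurity ;
 
 /**
 * XMLRPC Faults
@@ -180,10 +181,10 @@ public function loadXml($fault)
 
 $ xmlErrorsFlag = libxml_use_internal_errors (true );
 try {
-$ xml = new SimpleXMLElement ($ fault );
-} catch (\Exception $ e ) {
-// Not valid XML
-throw new Exception \InvalidArgumentException ('Failed to parse XML fault: ' . $ e ->getMessage (), 500 , $ e );
+$ xml = XmlSecurity:: scan ($ fault );
+} catch (\ZendXml \ Exception \ RuntimeException $ e ) {
+// Unsecure XML
+throw new Exception \RuntimeException ('Failed to parse XML fault: ' . $ e ->getMessage (), 500 , $ e );
 }
 if (!$ xml instanceof SimpleXMLElement) {
 $ errors = libxml_get_errors ();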
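Review bot: The rethrow in the new `} catch (\ZendXml\Exception\RuntimeException $e)` block changes the exception type from `Exception\InvalidArgumentException` to `Exception\RuntimeException` while keeping the old message prefix 'Failed to parse XML fault:', so a caller that catches the old type to handle bad faults now gets an unhandled exception for a rejected document, and the message does not say the document was refused on security grounds rather than being unparseable. Consider `// Insecure XML: DOCTYPE/entity declaration rejected by ZendXml\Security::scan` in place of `// Unsecure XML`, and a message such as `'Rejected insecure XML fault: ' . $e->getMessage()`, which also lets a test pin this branch separately from the malformed-input one. Malformed input is presumably handled by the `instanceof SimpleXMLElement` check on the following context line, assuming `Security::scan` returns false rather than throwing for it — worth confirming, since the constructor it replaces threw. loadXml's body continues outside the hunk.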
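--- a/FILE_2_PATH_NOT_ON_PAGE
+++ b/FILE_2_PATH_NOT_ON_PAGE
@@ -9,6 +9,8 @@
 
 namespace Zend \XmlRpc ;
 
+use ZendXml \Security as XmlSecurity ;
+
 /**
 * XmlRpc Response
 *
@@ -151,28 +153,9 @@ public function loadXml($response)
 return false ;
 }
 
-// @see ZF-12293 - disable external entities for security purposes
-$ loadEntities = libxml_disable_entity_loader (true );
-$ useInternalXmlErrors = libxml_use_internal_errors (true );
 try {
-$ dom = new \DOMDocument ;
-$ dom ->loadXML ($ response );
-foreach ($ dom ->childNodes as $ child ) {
-if ($ child ->nodeType === XML_DOCUMENT_TYPE_NODE ) {
-throw new Exception \ValueException (
-'Invalid XML: Detected use of illegal DOCTYPE '
-);
-}
-}
-// TODO: Locate why this passes tests but a simplexml import doesn't
-//$xml = simplexml_import_dom($dom);
-$ xml = new \SimpleXMLElement ($ response );
-libxml_disable_entity_loader ($ loadEntities );
-libxml_use_internal_errors ($ useInternalXmlErrors );
-} catch (\Exception $ e ) {
-libxml_disable_entity_loader ($ loadEntities );
-libxml_use_internal_errors ($ useInternalXmlErrors );
-// Not valid XML
+$ xml = XmlSecurity::scan ($ response );
+} catch (\ZendXml \Exception \RuntimeException $ e ) {
 $ this ->fault = new Fault (651 );
 $ this ->fault ->setEncoding ($ this ->getEncoding ());
 return false ;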
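Review bot: The new catch after `$xml = XmlSecurity::scan($response)` covers only `ZendXml\Exception\RuntimeException`, whereas the removed `new \SimpleXMLElement($response)` threw a plain `\Exception` on malformed input and that path set fault 651; if `Security::scan` reports malformed (as opposed to insecure) XML by returning false instead of throwing, such a response no longer reaches the `Fault(651)` branch, so the code after the trailing `return false` (outside the hunk) must treat a non-SimpleXMLElement `$xml` as a parse failure — please verify. The removed `// @see ZF-12293` line was the only record of why entity handling is restricted here, and the scan call in the first file has no rationale either; keep it on the new call, e.g. `// @see ZF-12293 - XmlSecurity::scan rejects DOCTYPE/entity declarations (XXE / entity expansion) and restores the libxml state itself`. The second half of that comment is an assumption about Security::scan that should be confirmed, because the explicit libxml_disable_entity_loader/libxml_use_internal_errors save-and-restore was dropped with no replacement visible in this hunk. loadXml starts and ends outside the hunk.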
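--- a/FILE_3_PATH_NOT_ON_PAGE
+++ b/FILE_3_PATH_NOT_ON_PAGE
@@ -146,7 +146,7 @@ public function testLoadXml()
 
 public function testLoadXmlThrowsExceptionOnInvalidInput ()
 {
-$ this ->setExpectedException ('Zend\XmlRpc\Exception\InvalidArgumentException ' , 'Failed to parse XML fault: String could not be parsed as XML ' );
+$ this ->setExpectedException ('Zend\XmlRpc\Exception\InvalidArgumentException ' , 'Failed to parse XML fault ' );
 $ parsed = $ this ->_fault ->loadXml ('foo ' );
 }
 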
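Review bot: The changed `setExpectedException` line only loosens the expected message for the malformed input 'foo'; nothing in this commit exercises the new security branch of `Fault::loadXml`, which now throws `Zend\XmlRpc\Exception\RuntimeException` when `ZendXml\Security::scan` rejects a document. A companion test feeding a document with a DOCTYPE declaration (constructed sample below) and expecting that exception type would pin the behaviour the commit was made for; the removed Response code rejected any `XML_DOCUMENT_TYPE_NODE`, and I assume scan applies the same rule. Dropping ': String could not be parsed as XML' from the expectation is reasonable since the libxml detail is not guaranteed stable across versions, but a comment saying so would keep the next reader from tightening it again, e.g. `// Only the prefix is asserted: the libxml text after the colon varies by version`.
```php
// … unchanged: testLoadXmlThrowsExceptionOnInvalidInput …

public function testLoadXmlThrowsExceptionOnInsecureInput()
{
    // Constructed sample: a DOCTYPE with an entity declaration must be refused by ZendXml\Security::scan
    $this->setExpectedException('Zend\XmlRpc\Exception\RuntimeException', 'Failed to parse XML fault');
    $this->_fault->loadXml('<?xml version="1.0"?><!DOCTYPE x [<!ENTITY e "x">]><methodResponse><fault/></methodResponse>');
}
```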