[Pkg-owncloud-commits] [php-sabredav] 05/23: XXE security issue.
David Prévot
taffit at moszumanska.debian.org
Wed Mar 19 17:41:39 UTC 2014
This is an automated email from the git hooks/post-receive script.
taffit pushed a commit to branch 1.7
in repository php-sabredav.
commit e3f46e0ecf83cf1d2ebf54908cde7b5ec170aa2c
Author: Evert Pot <evert at rooftopsolutions.nl>
Date: Wed Feb 26 17:13:46 2014 -0500
XXE security issue.
Issue #414.
---
ChangeLog | 3 ++-
lib/Sabre/DAV/Client.php | 5 +++++
lib/Sabre/DAV/Locks/Plugin.php | 7 +++++++
lib/Sabre/DAV/XMLUtil.php | 6 +++++-
4 files changed, 19 insertions(+), 2 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 3af96a3..5e303d2 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,6 @@
-1.7.11-stable (2014-??-??)
+1.7.11-stable (2014-02-26)
* Fixed: Issue #407: large downloads failed.
+ * Fixed: Issue #414: XXE security problem on older PHP versions.
1.7.10-stable (2014-02-09)
* The zip release ships with sabre/vobject 2.1.3.
diff --git a/lib/Sabre/DAV/Client.php b/lib/Sabre/DAV/Client.php
index 959025e..8bd7c7a 100644
--- a/lib/Sabre/DAV/Client.php
+++ b/lib/Sabre/DAV/Client.php
@@ -530,7 +530,12 @@ class Sabre_DAV_Client {
$body = Sabre_DAV_XMLUtil::convertDAVNamespace($body);
+ // Fixes an XXE vulnerability on PHP versions older than 5.3.23 or
+ // 5.4.13.
+ $previous = libxml_disable_entity_loader(true);
$responseXML = simplexml_load_string($body, null, LIBXML_NOBLANKS | LIBXML_NOCDATA);
+ libxml_disable_entity_loader($previous);
+
if ($responseXML===false) {
throw new InvalidArgumentException('The passed data is not valid XML');
}
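Review bot: The save/parse/restore sequence added at lines 36–40 is duplicated verbatim by the Locks/Plugin.php hunk around its own simplexml_load_string() call, while Sabre_DAV_XMLUtil already carries the same guard in its DOM loader; a single static loader method on Sabre_DAV_XMLUtil taking the body and the LIBXML flags would keep the process-global toggle in one place and give both callers the same restore behaviour. libxml_disable_entity_loader() flips state shared by every libxml user in the process, so each site must reach its restore on every path; here simplexml_load_string() does not throw, so the restore at line 40 is reached, but that property would need re-checking if the parse call is ever swapped for one that can throw. The Plugin.php copy also leaves two consecutive blank lines after the toggle. The enclosing method begins outside the hunk.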
diff --git a/lib/Sabre/DAV/Locks/Plugin.php b/lib/Sabre/DAV/Locks/Plugin.php
index 07e4e3d..ff724ea 100644
--- a/lib/Sabre/DAV/Locks/Plugin.php
+++ b/lib/Sabre/DAV/Locks/Plugin.php
@@ -619,10 +619,17 @@ class Sabre_DAV_Locks_Plugin extends Sabre_DAV_ServerPlugin {
*/
protected function parseLockRequest($body) {
+ // Fixes an XXE vulnerability on PHP versions older than 5.3.23 or
+ // 5.4.13.
+ $previous = libxml_disable_entity_loader(true);
+
+
$xml = simplexml_load_string(
Sabre_DAV_XMLUtil::convertDAVNamespace($body),
null,
LIBXML_NOWARNING);
+ libxml_disable_entity_loader($previous);
+
$xml->registerXPathNamespace('d','urn:DAV');
$lockInfo = new Sabre_DAV_Locks_LockInfo();
diff --git a/lib/Sabre/DAV/XMLUtil.php b/lib/Sabre/DAV/XMLUtil.php
index 2b9ea5d..e090cc1 100644
--- a/lib/Sabre/DAV/XMLUtil.php
+++ b/lib/Sabre/DAV/XMLUtil.php
@@ -113,6 +113,9 @@ class Sabre_DAV_XMLUtil {
// Retaining old error setting
$oldErrorSetting = libxml_use_internal_errors(true);
+ // Fixes an XXE vulnerability on PHP versions older than 5.3.23 or
+ // 5.4.13.
+ $oldEntityLoaderSetting = libxml_disable_entity_loader(true);
// Clearing any previous errors
libxml_clear_errors();
@@ -121,7 +124,7 @@ class Sabre_DAV_XMLUtil {
// We don't generally care about any whitespace
$dom->preserveWhiteSpace = false;
-
+
$dom->loadXML(self::convertDAVNamespace($xml),LIBXML_NOWARNING | LIBXML_NOERROR);
if ($error = libxml_get_last_error()) {
@@ -131,6 +134,7 @@ class Sabre_DAV_XMLUtil {
// Restoring old mechanism for error handling
if ($oldErrorSetting===false) libxml_use_internal_errors(false);
+ if ($oldEntityLoaderSetting===false) libxml_disable_entity_loader(true);
return $dom;
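Review bot: The restore at line 87 passes `true` to libxml_disable_entity_loader(), so when the loader was enabled before this call (`$oldEntityLoaderSetting === false`) it is left disabled for the rest of the process instead of being put back; the line should mirror the error-setting restore on line 86, `if ($oldEntityLoaderSetting===false) libxml_disable_entity_loader(false);`, or more simply `libxml_disable_entity_loader($oldEntityLoaderSetting);`. Because the flag is process-global, the leaked state affects every later libxml consumer, not just this class. The `if ($error = libxml_get_last_error())` branch at line 83 has its body outside the hunk; if it throws, neither the error setting nor the entity-loader setting is restored on that path, so a comment such as `// NOTE: settings are not restored if the error branch throws — confirm callers tolerate this` would be worth adding until that is addressed. The enclosing method starts outside the hunk.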