Skip to content
This repository has been archived by the owner on Jan 30, 2020. It is now read-only.

Commit

Permalink
Merge branch 'hotfix/xee'
Browse files Browse the repository at this point in the history
  • Loading branch information
@weierophinney
weierophinney committed Aug 17, 2012
110 parents 2cc9607 + bbd31f7 + aff5dfd + 3daad46 + a2bd1ba + b82fa59 + 4190868 + 3a6b7ad + 8e745f6 + bab7086 + c5a5d19 + b468bc1 + d79794c + 508b344 + d16deed + f38e96a + c4a3687 + 54465f7 + 4ad15e4 + 9aa47da + 619d24d + ddfa8f2 + 8e7172b + e5fc69f + 284a721 + 6d3db4c + b99e8c3 + a52dcef + 1d21066 + cccc24c + 81bd699 + dfb38ed + b796f3d + d49dbc2 + 547433c + 0c9ce04 + a76e26a + 2914396 + 7ca3746 + f1b292d + 406112f + 5a9edd3 + f65c9f6 + c54156c + 5e55e82 + 352e42b + fa459f5 + 3eff137 + 3648ab6 + 4096125 + 0037391 + 9bdfcd9 + 6cd1498 + ecac99d + 199ed75 + b8507f7 + ef400bd + decb6ae + 860b39d + 243eca6 + d56af72 + 1aaf7f9 + 26b27a9 + 40cd50e + 986898b + d2780b7 + 49abb1d + cb5a738 + 21d3bef + 4748875 + 3331086 + bfed36c + b56e9b8 + 765b017 + b2cddce + 1c63803 + dd490e0 + c0425c2 + 128ed7f + 4d88940 + 94b3f1e + 9a0d8cf + 12135ad + 1169a58 + 6cdb5dc + 15950e5 + 7e68fb2 + 4bda4a9 + 537893f + 4cf10f8 + dd5b294 + 3ac5190 + 63d8503 + de5ff9e + f8868a0 + e3f8a27 + 634cf99 + c2cd236 + 189672f + d50054c + 8fb183a + 9f28eab + 2e7e2e2 + 7c64770 + 81a21d6 + cddc550 + eadb29a + 339c074 + 543ff20 + fb175bb commit ba78039
Show file tree
Hide file tree
Showing 2 changed files with 22 additions and 7 deletions.
26 changes: 20 additions & 6 deletions src/Reader/Reader.php
View file
Original file line number Diff line number Diff line change
Expand Up @@ -269,10 +269,17 @@ public static function import($uri, $etag = null, $lastModified = null)
public static function importString($string)
{
$libxml_errflag = libxml_use_internal_errors(true);
libxml_disable_entity_loader(true);
$oldValue = libxml_disable_entity_loader(true);
$dom = new DOMDocument;
$status = $dom->loadXML(trim($string));
libxml_disable_entity_loader(false);
foreach ($dom->childNodes as $child) {
if ($child->nodeType === XML_DOCUMENT_TYPE_NODE) {
throw new Exception\InvalidArgumentException(
'Invalid XML: Detected use of illegal DOCTYPE'
);
}
}
libxml_disable_entity_loader($oldValue);
libxml_use_internal_errors($libxml_errflag);

if (!$status) {
Expand Down Expand Up @@ -339,10 +346,10 @@ public static function findFeedLinks($uri)
}
$responseHtml = $response->getBody();
$libxml_errflag = libxml_use_internal_errors(true);
libxml_disable_entity_loader(true);
$oldValue = libxml_disable_entity_loader(true);
$dom = new DOMDocument;
$status = $dom->loadHTML(trim($responseHtml));
libxml_disable_entity_loader(false);
libxml_disable_entity_loader($oldValue);
libxml_use_internal_errors($libxml_errflag);
if (!$status) {
// Build error message
Expand Down Expand Up @@ -377,10 +384,17 @@ public static function detectType($feed, $specOnly = false)
} elseif (is_string($feed) && !empty($feed)) {
ErrorHandler::start(E_NOTICE|E_WARNING);
ini_set('track_errors', 1);
libxml_disable_entity_loader(true);
$oldValue = libxml_disable_entity_loader(true);
$dom = new DOMDocument;
$status = $dom->loadXML($feed);
libxml_disable_entity_loader(false);
foreach ($dom->childNodes as $child) {
if ($child->nodeType === XML_DOCUMENT_TYPE_NODE) {
throw new Exception\InvalidArgumentException(
'Invalid XML: Detected use of illegal DOCTYPE'
);
}
}
libxml_disable_entity_loader($oldValue);
ini_restore('track_errors');
ErrorHandler::stop();
if (!$status) {
Expand Down
3 changes: 2 additions & 1 deletion test/Reader/ReaderTest.php
View file
Original file line number Diff line number Diff line change
Expand Up @@ -270,10 +270,11 @@ public function testRegistersUserExtension()

public function testXxePreventionOnFeedParsing()
{
$this->setExpectedException('Zend\Feed\Reader\Exception\InvalidArgumentException');
$string = file_get_contents($this->_feedSamplePath.'/Reader/xxe-atom10.xml');
$string = str_replace('XXE_URI', $this->_feedSamplePath.'/Reader/xxe-info.txt', $string);
$feed = Reader\Reader::importString($string);
$this->assertEquals('info:', $feed->getTitle());
//$this->assertEquals('info:', $feed->getTitle());
}

protected function _getTempDirectory()
Expand Down

0 comments on commit ba78039

Please sign in to comment.