Disable loading of external XML entities when loading XML

Fixes CVE-2011-4107
2011-11-07 14:47:54 +01:00
parent a8a93c3e5a
commit a5e206fbd2
2 changed files with 33 additions and 19 deletions
--- a/libraries/import/ods.php
+++ b/libraries/import/ods.php
@@ -63,6 +63,13 @@ while (! ($finished && $i >= $len) && ! $error && ! $timeout_passed) {

 unset($data);

+/**
+ * Disable loading of external XML entities.
+ */
+if (function_exists('libxml_disable_entity_loader')) {
+    libxml_disable_entity_loader();
+}
+
 /**
 * Load the XML string
 *
--- a/libraries/import/xml.php
+++ b/libraries/import/xml.php
@@ -56,6 +56,13 @@ while (! ($finished && $i >= $len) && ! $error && ! $timeout_passed) {

 unset($data);

+/**
+ * Disable loading of external XML entities.
+ */
+if (function_exists('libxml_disable_entity_loader')) {
+    libxml_disable_entity_loader();
+}
+
 /**
 * Load the XML string
 *