COmanage Developers List

Author: benno
Date: 2012-07-15 21:54:07 -0400 (Sun, 15 Jul 2012)
New Revision: 315

Modified:
   registry/trunk/lib/Cake/Test/Case/Utility/XmlTest.php
   registry/trunk/lib/Cake/Utility/Xml.php
Log:
Manually apply patch for 
https://github.com/cakephp/cakephp/commit/6c905411bac66caad5e220a70e3d561b8a648507

Modified: registry/trunk/lib/Cake/Test/Case/Utility/XmlTest.php
===================================================================
--- registry/trunk/lib/Cake/Test/Case/Utility/XmlTest.php       2012-07-15 
03:18:44 UTC (rev 314)
+++ registry/trunk/lib/Cake/Test/Case/Utility/XmlTest.php       2012-07-16 
01:54:07 UTC (rev 315)
@@ -901,4 +901,22 @@
                $result = $obj->asXml();
                $this->assertContains('mark & mark', $result);
        }
-}
+
+/**
+ * Test that entity loading is disabled by default.
+ *
+ * @return void
+ */
+       public function testNoEntityLoading() {
+               $file = CAKE . 'VERSION.txt';
+               $xml = <<<XML
+<!DOCTYPE cakephp [
+       <!ENTITY payload SYSTEM "file://$file" >]>
+<request>
+       <xxe>&payload;</xxe>
+</request>
+XML;
+               $result = Xml::build($xml);
+               $this->assertEquals('', (string)$result->xxe);
+       }
+}
\ No newline at end of file

Modified: registry/trunk/lib/Cake/Utility/Xml.php
===================================================================
--- registry/trunk/lib/Cake/Utility/Xml.php     2012-07-15 03:18:44 UTC (rev 
314)
+++ registry/trunk/lib/Cake/Utility/Xml.php     2012-07-16 01:54:07 UTC (rev 
315)
@@ -74,6 +74,8 @@
  * ### Options
  *
  * - `return` Can be 'simplexml' to return object of SimpleXMLElement or 
'domdocument' to return DOMDocument.
+ * - `loadEntities` Defaults to false.  Set to true to enable loading of 
`<!ENTITY` definitions.  This
+ *   is disabled by default for security reasons.
  * - If using array as input, you can pass `options` from Xml::fromArray.
  *
  * @param mixed $input XML string, a path to a file, an URL or an array
@@ -86,26 +88,19 @@
                        $options = array('return' => (string)$options);
                }
                $defaults = array(
-                       'return' => 'simplexml'
+                       'return' => 'simplexml',
+                       'loadEntities' => false,
                );
                $options = array_merge($defaults, $options);
 
                if (is_array($input) || is_object($input)) {
                        return self::fromArray((array)$input, $options);
                } elseif (strpos($input, '<') !== false) {
-                       if ($options['return'] === 'simplexml' || 
$options['return'] === 'simplexmlelement') {
-                               return new SimpleXMLElement($input, 
LIBXML_NOCDATA);
-                       }
-                       $dom = new DOMDocument();
-                       $dom->loadXML($input);
                        return $dom;
+                       return self::_loadXml($input, $options);
                } elseif (file_exists($input) || strpos($input, 'http://') 
=== 0 || strpos($input, 'https://') === 0) {
-                       if ($options['return'] === 'simplexml' || 
$options['return'] === 'simplexmlelement') {
-                               return new SimpleXMLElement($input, 
LIBXML_NOCDATA, true);
-                       }
-                       $dom = new DOMDocument();
-                       $dom->load($input);
-                       return $dom;
+                       $input = file_get_contents($input);
+                       return self::_loadXml($input, $options);
                } elseif (!is_string($input)) {
                        throw new XmlException(__d('cake_dev', 'Invalid 
input.'));
                }
@@ -113,6 +108,32 @@
        }
 
 /**
+ * Parse the input data and create either a SimpleXmlElement object or a 
DOMDocument.
+ *
+ * @param string $input The input to load.
+ * @param array  $options The options to use. See Xml::build()
+ * @return SimpleXmlElement|DOMDocument.
+ */
+       protected static function _loadXml($input, $options) {
+               $hasDisable = function_exists('libxml_disable_entity_loader');
+               $internalErrors = libxml_use_internal_errors(true);
+               if ($hasDisable && !$options['loadEntities']) {
+                       libxml_disable_entity_loader(true);
+               }
+               if ($options['return'] === 'simplexml' || $options['return'] 
=== 'simplexmlelement') {
+                       $xml = new SimpleXMLElement($input, LIBXML_NOCDATA);
+               } else {
+                       $xml = new DOMDocument();
+                       $xml->loadXML($input);
+               }
+               if ($hasDisable && !$options['loadEntities']) {
+                       libxml_disable_entity_loader(false);
+               }
+               libxml_use_internal_errors($internalErrors);
+               return $xml;
+       }
+       
+/**
  * Transform an array into a SimpleXMLElement
  *
  * ### Options