MDL-34284 library: Import ZF2012-01 security patch for Zend
authorFrederic Massart <fred@moodle.com>
Mon, 11 Feb 2013 07:20:11 +0000 (15:20 +0800)
committerDamyon Wiese <damyon@moodle.com>
Tue, 5 Mar 2013 02:35:56 +0000 (10:35 +0800)
lib/zend/Zend/XmlRpc/Request.php
lib/zend/readme_moodle.txt

index 5a05073..2a11a3a 100644 (file)
@@ -303,12 +303,15 @@ class Zend_XmlRpc_Request
             return false;
         }
 
+        // @see ZF-12293 - disable external entities for security purposes
+        $loadEntities = libxml_disable_entity_loader(true);
         try {
             $xml = new SimpleXMLElement($request);
         } catch (Exception $e) {
             // Not valid XML
             $this->_fault = new Zend_XmlRpc_Fault(631);
             $this->_fault->setEncoding($this->getEncoding());
+            libxml_disable_entity_loader($loadEntities);
             return false;
         }
 
@@ -317,6 +320,7 @@ class Zend_XmlRpc_Request
             // Missing method name
             $this->_fault = new Zend_XmlRpc_Fault(632);
             $this->_fault->setEncoding($this->getEncoding());
+            libxml_disable_entity_loader($loadEntities);
             return false;
         }
 
@@ -330,6 +334,7 @@ class Zend_XmlRpc_Request
                 if (!isset($param->value)) {
                     $this->_fault = new Zend_XmlRpc_Fault(633);
                     $this->_fault->setEncoding($this->getEncoding());
+                    libxml_disable_entity_loader($loadEntities);
                     return false;
                 }
 
@@ -340,6 +345,7 @@ class Zend_XmlRpc_Request
                 } catch (Exception $e) {
                     $this->_fault = new Zend_XmlRpc_Fault(636);
                     $this->_fault->setEncoding($this->getEncoding());
+                    libxml_disable_entity_loader($loadEntities);
                     return false;
                 }
             }
@@ -348,6 +354,7 @@ class Zend_XmlRpc_Request
             $this->_params = $argv;
         }
 
+        libxml_disable_entity_loader($loadEntities);
         $this->_xml = $request;
 
         return true;
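Review bot: The saved loader state is restored by hand on every exit path (the new line before `$this->_xml = $request;` here and the matching lines in the four preceding hunks), and `libxml_disable_entity_loader()` is process-wide state, so any path that throws or returns between the save at the top and one of these restores leaves external entity loading disabled for the rest of the request and can break unrelated XML parsing elsewhere; the enclosing method begins before the first hunk, so I cannot see whether such a path exists. As the code base predates `try/finally`, a comment at the save point would help maintainers keep the pairing intact, e.g. `// libxml state is global: every return below must restore $loadEntities.` Disabling the external loader blocks retrieval of external entities and DTDs but does not bound expansion of entities declared inline in the request, so rejecting XML that carries a DOCTYPE declaration before parsing (as later Zend releases did, if I recall correctly) and passing `LIBXML_NONET` to the `SimpleXMLElement` constructor are cheap defence-in-depth additions worth considering. Note also that PHP 8.0 deprecates `libxml_disable_entity_loader()` because libxml 2.9+ disables external loading by default, so this call will eventually need a version guard.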
index ef52efc..1df8e76 100644 (file)
@@ -9,4 +9,4 @@ Changes:
 * small fix to error reporting in reflection (MDL-21460, ZF-8980)
 * SOAP and XMLRPC servers overwrite the fault() functions
 * synced and renamed file to version in ZF 1.10.6 (MDL-30603, ZF-11080)
-
+* import security patch (MDL-34284, ZF2012-01, ZF-12293)