fix(apps): Fix loading info.xml file 39492/head
authorJoas Schilling <coding@schilljs.com>
Wed, 12 Jul 2023 07:23:37 +0000 (09:23 +0200)
committerJoas Schilling <coding@schilljs.com>
Thu, 20 Jul 2023 08:47:45 +0000 (10:47 +0200)
Ref: https://bugs.php.net/bug.php?id=62577

Signed-off-by: Joas Schilling <coding@schilljs.com>
lib/base.php
lib/private/App/InfoParser.php
lib/private/Installer.php

index 3cca7ab3a96aa87a39f7ad26d1e5bdf9951cd6f6..732fc55be3e0fd9a428d6206833b0a387f75a06c 100644 (file)
@@ -582,6 +582,11 @@ class OC {
        }
 
        public static function init(): void {
+               // prevent any XML processing from loading external entities
+               libxml_set_external_entity_loader(static function () {
+                       return null;
+               });
+
                // calculate the root directories
                OC::$SERVERROOT = str_replace("\\", '/', substr(__DIR__, 0, -4));
 
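Review bot: The comment above the new `libxml_set_external_entity_loader()` call in `OC::init()` does not say that the loader is process-wide, so it also governs XML parsed by apps and bundled libraries for the rest of the request, not only core code. The other two files in this commit switch from `simplexml_load_file()` to `simplexml_load_string(file_get_contents(...))`, which suggests that path-based libxml loading stops working once this loader is installed; that constraint is worth stating where it is introduced. I would extend the comment to something like `// Deny every external entity/resource load in libxml for the whole process; read XML with file_get_contents() and parse it from a string`. The body of `init()` continues past the end of the hunk.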
index c0f69e615bdf752a8bc3f8e1f41eeb54dcf80228..79d051fd2a1f615235e55a714cdccac1bc9c9abf 100644 (file)
@@ -31,7 +31,7 @@ namespace OC\App;
 
 use OCP\ICache;
 use function libxml_disable_entity_loader;
-use function simplexml_load_file;
+use function simplexml_load_string;
 
 class InfoParser {
        /** @var \OCP\ICache|null */
@@ -63,10 +63,10 @@ class InfoParser {
                libxml_use_internal_errors(true);
                if ((PHP_VERSION_ID < 80000)) {
                        $loadEntities = libxml_disable_entity_loader(false);
-                       $xml = simplexml_load_file($file);
+                       $xml = simplexml_load_string(file_get_contents($file));
                        libxml_disable_entity_loader($loadEntities);
                } else {
-                       $xml = simplexml_load_file($file);
+                       $xml = simplexml_load_string(file_get_contents($file));
                }
 
                if ($xml === false) {
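Review bot: On the PHP < 8 branch the parse is still wrapped in `libxml_disable_entity_loader(false)`, which switches the entity loader back on for the duration of the call. That toggle looks like the workaround for the linked PHP bug 62577 (file loading failing while the loader is disabled), and parsing from a string should no longer need it. If that holds, both branches could collapse to the single line `$xml = simplexml_load_string(file_get_contents($file));`, leaving the process's loader state untouched. The same wrapper remains in the `Installer` hunk, where the XML comes from an extracted app archive and is less trusted. The enclosing method starts before this hunk and continues after it.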
index 43c3db7c3fdf9f9f69209d3edda9ebeda4de9819..0458c14da8a2976ed9f272f710947b5dad890df9 100644 (file)
@@ -333,10 +333,10 @@ class Installer {
                                        // Check if appinfo/info.xml has the same app ID as well
                                        if ((PHP_VERSION_ID < 80000)) {
                                                $loadEntities = libxml_disable_entity_loader(false);
-                                               $xml = simplexml_load_file($extractDir . '/' . $folders[0] . '/appinfo/info.xml');
+                                               $xml = simplexml_load_string(file_get_contents($extractDir . '/' . $folders[0] . '/appinfo/info.xml'));
                                                libxml_disable_entity_loader($loadEntities);
                                        } else {
-                                               $xml = simplexml_load_file($extractDir . '/' . $folders[0] . '/appinfo/info.xml');
+                                               $xml = simplexml_load_string(file_get_contents($extractDir . '/' . $folders[0] . '/appinfo/info.xml'));
                                        }
                                        if ((string)$xml->id !== $appId) {
                                                throw new \Exception(
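Review bot: `file_get_contents()` returns `false` when `appinfo/info.xml` is missing or unreadable in the extracted archive, and that value is passed straight to `simplexml_load_string()` and then dereferenced as `$xml->id` with no check in between. The InfoParser hunk tests `if ($xml === false)` right after parsing, but there is no such guard here, so a malformed archive appears to surface as a PHP warning (or a TypeError if this file declares strict types) instead of a clear installer error. I would read the file into a variable first and throw the installer's usual `\Exception` when either the read or the parse yields `false`, before the `(string)$xml->id !== $appId` comparison runs. The surrounding method and the `throw` statement at the end of the hunk extend beyond what is shown.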