fix(apps): Fix loading info.xml file 39497/head
authorJoas Schilling <coding@schilljs.com>
Wed, 12 Jul 2023 07:23:37 +0000 (09:23 +0200)
committerJoas Schilling <coding@schilljs.com>
Thu, 20 Jul 2023 13:09:02 +0000 (15:09 +0200)
Ref: https://bugs.php.net/bug.php?id=62577

Signed-off-by: Joas Schilling <coding@schilljs.com>
lib/base.php
lib/private/App/CodeChecker/DatabaseSchemaChecker.php
lib/private/App/CodeChecker/InfoChecker.php
lib/private/App/InfoParser.php
lib/private/DB/MDB2SchemaReader.php
lib/private/Installer.php

index c42f427ca40b7d9903ddd26c99c2ee29534c9d3f..98e05c6a700ab4f4140651b3f81380a8f4b9e403 100644 (file)
@@ -545,6 +545,11 @@ class OC {
        }
 
        public static function init() {
+               // prevent any XML processing from loading external entities
+               libxml_set_external_entity_loader(static function () {
+                       return null;
+               });
+
                // calculate the root directories
                OC::$SERVERROOT = str_replace("\\", '/', substr(__DIR__, 0, -4));
 
index 595a3fe0209c29afdee718177350b4ffd600bfe8..8d0dad63793264ef2239d053a15c9e7cdc1697ee 100644 (file)
@@ -42,7 +42,7 @@ class DatabaseSchemaChecker {
 
                libxml_use_internal_errors(true);
                $loadEntities = libxml_disable_entity_loader(false);
-               $xml = simplexml_load_file($appPath . '/appinfo/database.xml');
+               $xml = simplexml_load_string(file_get_contents($appPath . '/appinfo/database.xml'));
                libxml_disable_entity_loader($loadEntities);
 
 
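Review bot: The `libxml_disable_entity_loader(false)` / restore pair around the parse looks unnecessary now that the file is read with `file_get_contents()` and parsed from a string. As I read the referenced PHP bug, it concerns `simplexml_load_file()` failing while the entity loader is disabled, which does not apply to `simplexml_load_string()`. Keeping the toggle explicitly switches entity loading on for the duration of the parse on PHP < 8, and the call is deprecated from PHP 8.0 but unguarded here. I would drop both calls and keep only `$xml = simplexml_load_string(file_get_contents($appPath . '/appinfo/database.xml'));`. The same applies to the MDB2SchemaReader hunk and to the `PHP_VERSION_ID < 80000` branches in InfoParser and Installer; the enclosing method starts and ends outside this hunk.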
index 038fd34f436bcb9269f7ae03e555301627452dfc..d46a6dbc541551e18d0f14b07b68c2c5d00a5abe 100644 (file)
@@ -44,6 +44,14 @@ class InfoChecker extends BasicEmitter {
                        throw new \RuntimeException("No app with given id <$appId> known.");
                }
 
+               libxml_set_external_entity_loader(static function ($public, $system, $context) {
+                       if ($system === \OC::$SERVERROOT . '/resources/app-info.xsd'
+                               || \OC::$SERVERROOT . '/resources/app-info-shipped.xsd') {
+                               return $system;
+                       }
+                       return null;
+               });
+
                $xml = new \DOMDocument();
                $xml->load($appPath . '/appinfo/info.xml');
 
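Review bot: The condition in the new loader is always true, because the second operand of `||` is the bare string `\OC::$SERVERROOT . '/resources/app-info-shipped.xsd'`, which is non-empty and therefore truthy. The callback so returns `$system` for every requested resource and the allow-list filters nothing. The comparison needs repeating: `|| $system === \OC::$SERVERROOT . '/resources/app-info-shipped.xsd') {`. If libxml also consults the loader for the document passed to `$xml->load()`, the info.xml path may need to be allowed explicitly once the check is strict, so this is worth covering with a test. The method continues outside the hunk.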
@@ -68,6 +76,10 @@ class InfoChecker extends BasicEmitter {
                        }
                }
 
+               libxml_set_external_entity_loader(static function () {
+                       return null;
+               });
+
                return $errors;
        }
 
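Review bot: The deny-all loader is restored only on the normal return path at the end of the method. Any exception or early return between the permissive loader installed earlier in this method and this point (that code is outside the hunk) would leave the permissive loader active for the rest of the request. Wrapping the section in `try { ... } finally { libxml_set_external_entity_loader(static function () { return null; }); }` would make the reset unconditional.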
index c87dd1ae2a417981922c6f59a2957a8ca42a0282..60f15f64a1e53e509be3c0f5939a6415dc33fc48 100644 (file)
@@ -33,7 +33,7 @@ namespace OC\App;
 
 use OCP\ICache;
 use function libxml_disable_entity_loader;
-use function simplexml_load_file;
+use function simplexml_load_string;
 
 class InfoParser {
        /** @var \OCP\ICache|null */
@@ -65,10 +65,10 @@ class InfoParser {
                libxml_use_internal_errors(true);
                if ((PHP_VERSION_ID < 80000)) {
                        $loadEntities = libxml_disable_entity_loader(false);
-                       $xml = simplexml_load_file($file);
+                       $xml = simplexml_load_string(file_get_contents($file));
                        libxml_disable_entity_loader($loadEntities);
                } else {
-                       $xml = simplexml_load_file($file);
+                       $xml = simplexml_load_string(file_get_contents($file));
                }
 
                if ($xml === false) {
index 687438495b196760de3403b496bd860652c2a5da..ba26a7d85767b75c738a6fa398110499c5841d83 100644 (file)
@@ -67,7 +67,7 @@ class MDB2SchemaReader {
         */
        public function loadSchemaFromFile($file, Schema $schema) {
                $loadEntities = libxml_disable_entity_loader(false);
-               $xml = simplexml_load_file($file);
+               $xml = simplexml_load_string(file_get_contents($file));
                libxml_disable_entity_loader($loadEntities);
                foreach ($xml->children() as $child) {
                        /**
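Review bot: `$xml` is dereferenced at `$xml->children()` without a check, and with this change it can be `false` in two ways: `file_get_contents()` failing on a missing or unreadable file, or `simplexml_load_string()` rejecting the content. Either ends in a fatal error on the `foreach` line rather than a handled failure. A guard before the loop such as `if ($xml === false) { throw new \RuntimeException('Could not load schema file'); }` would cover both, much as InfoParser already checks `$xml === false`. The Installer hunk has the same gap at `(string)$xml->id`, where a failed load would presumably surface as an app-ID mismatch. The method body continues outside the hunk.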
index 2d09065be5cf318c2ea2db4b8047369693fdbff9..d4151c48c40cd5bda935093e9bf2e5cea53e1731 100644 (file)
@@ -344,10 +344,10 @@ class Installer {
                                                // Check if appinfo/info.xml has the same app ID as well
                                                if ((PHP_VERSION_ID < 80000)) {
                                                        $loadEntities = libxml_disable_entity_loader(false);
-                                                       $xml = simplexml_load_file($extractDir . '/' . $folders[0] . '/appinfo/info.xml');
+                                                       $xml = simplexml_load_string(file_get_contents($extractDir . '/' . $folders[0] . '/appinfo/info.xml'));
                                                        libxml_disable_entity_loader($loadEntities);
                                                } else {
-                                                       $xml = simplexml_load_file($extractDir . '/' . $folders[0] . '/appinfo/info.xml');
+                                                       $xml = simplexml_load_string(file_get_contents($extractDir . '/' . $folders[0] . '/appinfo/info.xml'));
                                                }
                                                if ((string)$xml->id !== $appId) {
                                                        throw new \Exception(