From: Vincent Petry <pvince81@owncloud.com>
Date: Mon, 10 Mar 2014 16:49:47 +0000 (+0100)
Subject: Disable XML entities when parsing XML
X-Git-Tag: v7.0.0alpha2~651^2
X-Git-Url: https://source.dussan.org/?a=commitdiff_plain;h=f4f61f03c9d14eaa16a7a7fcd49f2086dfa56e92;p=nextcloud-server.git

Disable XML entities when parsing XML
---

diff --git a/lib/private/ocsclient.php b/lib/private/ocsclient.php
index fa6e3fac1bb..68dc2c2d6ec 100644
--- a/lib/private/ocsclient.php
+++ b/lib/private/ocsclient.php
@@ -72,7 +72,9 @@ class OC_OCSClient{
 		if($xml==false) {
 			return null;
 		}
-		$data=simplexml_load_string($xml);
+		$loadEntities = libxml_disable_entity_loader(true);
+		$data =	simplexml_load_string($xml);
+		libxml_disable_entity_loader($loadEntities);
 
 		$tmp=$data->data;
 		$cats=array();
@@ -117,7 +119,9 @@ class OC_OCSClient{
 		if($xml==false) {
 			return null;
 		}
-		$data=simplexml_load_string($xml);
+		$loadEntities = libxml_disable_entity_loader(true);
+		$data = simplexml_load_string($xml);
+		libxml_disable_entity_loader($loadEntities);
 
 		$tmp=$data->data->content;
 		for($i = 0; $i < count($tmp); $i++) {
@@ -159,7 +163,9 @@ class OC_OCSClient{
 			OC_Log::write('core', 'Unable to parse OCS content', OC_Log::FATAL);
 			return null;
 		}
-		$data=simplexml_load_string($xml);
+		$loadEntities = libxml_disable_entity_loader(true);
+		$data = simplexml_load_string($xml);
+		libxml_disable_entity_loader($loadEntities);
 
 		$tmp=$data->data->content;
 		$app=array();
@@ -200,7 +206,9 @@ class OC_OCSClient{
 			OC_Log::write('core', 'Unable to parse OCS content', OC_Log::FATAL);
 			return null;
 		}
-		$data=simplexml_load_string($xml);
+		$loadEntities = libxml_disable_entity_loader(true);
+		$data = simplexml_load_string($xml);
+		libxml_disable_entity_loader($loadEntities);
 
 		$tmp=$data->data->content;
 		$app=array();
diff --git a/lib/private/updater.php b/lib/private/updater.php
index f05d5038b76..292752067bf 100644
--- a/lib/private/updater.php
+++ b/lib/private/updater.php
@@ -76,7 +76,9 @@ class Updater extends BasicEmitter {
 		if ($xml == false) {
 			return array();
 		}
+		$loadEntities = libxml_disable_entity_loader(true);
 		$data = @simplexml_load_string($xml);
+		libxml_disable_entity_loader($loadEntities);
 
 		$tmp = array();
 		$tmp['version'] = $data->version;