fix(apps): Fix loading info.xml file

Ref: https://bugs.php.net/bug.php?id=62577

Signed-off-by: Joas Schilling <coding@schilljs.com>

lib/base.php

@@ -588,6 +588,11 @@ class OC {
 	}
 
 	public static function init(): void {
+		// prevent any XML processing from loading external entities
+		libxml_set_external_entity_loader(static function () {
+			return null;
+		});
+
 		// calculate the root directories
 		OC::$SERVERROOT = str_replace("\\", '/', substr(__DIR__, 0, -4));
 

lib/private/App/InfoParser.php

@@ -31,7 +31,7 @@ namespace OC\App;
 
 use OCP\ICache;
 use function libxml_disable_entity_loader;
-use function simplexml_load_file;
+use function simplexml_load_string;
 
 class InfoParser {
 	/** @var \OCP\ICache|null */
@@ -63,10 +63,10 @@ class InfoParser {
 		libxml_use_internal_errors(true);
 		if ((PHP_VERSION_ID < 80000)) {
 			$loadEntities = libxml_disable_entity_loader(false);
-			$xml = simplexml_load_file($file);
+			$xml = simplexml_load_string(file_get_contents($file));
 			libxml_disable_entity_loader($loadEntities);
 		} else {
-			$xml = simplexml_load_file($file);
+			$xml = simplexml_load_string(file_get_contents($file));
 		}
 
 		if ($xml === false) {

lib/private/Installer.php

@@ -334,10 +334,10 @@ class Installer {
 					// Check if appinfo/info.xml has the same app ID as well
 					if ((PHP_VERSION_ID < 80000)) {
 						$loadEntities = libxml_disable_entity_loader(false);
-						$xml = simplexml_load_file($extractDir . '/' . $folders[0] . '/appinfo/info.xml');
+						$xml = simplexml_load_string(file_get_contents($extractDir . '/' . $folders[0] . '/appinfo/info.xml'));
 						libxml_disable_entity_loader($loadEntities);
 					} else {
-						$xml = simplexml_load_file($extractDir . '/' . $folders[0] . '/appinfo/info.xml');
+						$xml = simplexml_load_string(file_get_contents($extractDir . '/' . $folders[0] . '/appinfo/info.xml'));
 					}
 					if ((string)$xml->id !== $appId) {
 						throw new \Exception(