Diffstat (limited to 'lib')
-rw-r--r--lib/base.php5
-rw-r--r--lib/private/App/InfoParser.php6
-rw-r--r--lib/private/Installer.php4
3 files changed, 10 insertions, 5 deletions
diff --git a/lib/base.php b/lib/base.php
index 09ec5be441b..ed62494ab30 100644
--- a/lib/base.php
+++ b/lib/base.php
@@ -588,6 +588,11 @@ class OC {
}
public static function init(): void {
+ // prevent any XML processing from loading external entities
+ libxml_set_external_entity_loader(static function () {
+ return null;
+ });
+
// calculate the root directories
OC::$SERVERROOT = str_replace("\\", '/', substr(__DIR__, 0, -4));
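Review bot: The comment above the new loader in `init()` understates its reach, because the callback is installed for the whole process and not only for external entities in a narrow sense. As far as I can tell, libxml also routes path-based document loads through this loader, which would explain why the other two files in this commit switch to `simplexml_load_string(file_get_contents(...))`. Any remaining caller of `simplexml_load_file()`, including app code, would then presumably get `false` instead of a document. I would say so in the comment, e.g. `// Reject every external entity load; path-based loaders such as simplexml_load_file() fail as well, so read the file and parse the string instead`. `init()` continues past the end of this hunk.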
diff --git a/lib/private/App/InfoParser.php b/lib/private/App/InfoParser.php
index c0f69e615bd..79d051fd2a1 100644
--- a/lib/private/App/InfoParser.php
+++ b/lib/private/App/InfoParser.php
@@ -31,7 +31,7 @@ namespace OC\App;
use OCP\ICache;
use function libxml_disable_entity_loader;
-use function simplexml_load_file;
+use function simplexml_load_string;
class InfoParser {
/** @var \OCP\ICache|null */
@@ -63,10 +63,10 @@ class InfoParser {
libxml_use_internal_errors(true);
if ((PHP_VERSION_ID < 80000)) {
$loadEntities = libxml_disable_entity_loader(false);
- $xml = simplexml_load_file($file);
+ $xml = simplexml_load_string(file_get_contents($file));
libxml_disable_entity_loader($loadEntities);
} else {
- $xml = simplexml_load_file($file);
+ $xml = simplexml_load_string(file_get_contents($file));
}
if ($xml === false) {
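Review bot: `libxml_disable_entity_loader(false)` in the PHP < 8 branch still switches entity loading on for the duration of the parse, although the new code no longer parses from a path. That toggle looks like it was only there so `simplexml_load_file()` could open the file; with `simplexml_load_string()` it should be possible to drop both `libxml_disable_entity_loader` calls and collapse the version branch into the single line `$xml = simplexml_load_string(file_get_contents($file));`. Separately, `file_get_contents()` returns `false` for an unreadable file, so test for that before parsing; if the file declares `strict_types` (not visible here), passing `false` would raise a TypeError rather than reach the `$xml === false` check. The same two points apply to the `Installer.php` hunk. The enclosing method starts and ends outside this hunk.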
diff --git a/lib/private/Installer.php b/lib/private/Installer.php
index 43c3db7c3fd..0458c14da8a 100644
--- a/lib/private/Installer.php
+++ b/lib/private/Installer.php
@@ -333,10 +333,10 @@ class Installer {
// Check if appinfo/info.xml has the same app ID as well
if ((PHP_VERSION_ID < 80000)) {
$loadEntities = libxml_disable_entity_loader(false);
- $xml = simplexml_load_file($extractDir . '/' . $folders[0] . '/appinfo/info.xml');
+ $xml = simplexml_load_string(file_get_contents($extractDir . '/' . $folders[0] . '/appinfo/info.xml'));
libxml_disable_entity_loader($loadEntities);
} else {
- $xml = simplexml_load_file($extractDir . '/' . $folders[0] . '/appinfo/info.xml');
+ $xml = simplexml_load_string(file_get_contents($extractDir . '/' . $folders[0] . '/appinfo/info.xml'));
}
if ((string)$xml->id !== $appId) {
throw new \Exception(
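Review bot: Nothing between the parse and `(string)$xml->id` checks that parsing succeeded, and `simplexml_load_string()` returns `false` on malformed input; the info.xml here apparently comes from an extracted archive (`$extractDir`), so malformed content is a realistic case. Reading `->id` on `false` only ends in the exception that follows by way of an empty-string mismatch, with a warning on the way and a misleading error for the operator. Add an explicit `if ($xml === false)` guard with its own exception ahead of the comparison, as the `InfoParser.php` hunk already has. The enclosing method starts and ends outside this hunk.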