fix #382: XXE DoS in engelsystem

This commit is contained in:
msquare 2017-12-13 16:59:28 +01:00
parent cf7eb80a92
commit a8cf4b9ddf
1 changed files with 3 additions and 2 deletions

View File

@ -1,7 +1,5 @@
<?php <?php
use Engelsystem\Database\DB;
/** /**
* @return string * @return string
*/ */
@ -82,6 +80,7 @@ function admin_import()
if (isset($_FILES['xcal_file']) && ($_FILES['xcal_file']['error'] == 0)) { if (isset($_FILES['xcal_file']) && ($_FILES['xcal_file']['error'] == 0)) {
if (move_uploaded_file($_FILES['xcal_file']['tmp_name'], $import_file)) { if (move_uploaded_file($_FILES['xcal_file']['tmp_name'], $import_file)) {
libxml_use_internal_errors(true); libxml_use_internal_errors(true);
libxml_disable_entity_loader(true);
if (simplexml_load_file($import_file) === false) { if (simplexml_load_file($import_file) === false) {
$valid = false; $valid = false;
error(_('No valid xml/xcal file provided.')); error(_('No valid xml/xcal file provided.'));
@ -425,6 +424,8 @@ function read_xml($file)
{ {
global $xml_import; global $xml_import;
if (!isset($xml_import)) { if (!isset($xml_import)) {
libxml_use_internal_errors(true);
libxml_disable_entity_loader(true);
$xml_import = simplexml_load_file($file); $xml_import = simplexml_load_file($file);
} }
return $xml_import; return $xml_import;