MDL-34284 library: Import ZF2012-01 security patch for Zend

2025-08-04 16:36:37 +02:00 · 2013-02-11 15:20:11 +08:00 · 2013-02-11 15:20:11 +08:00 · 55b330e6d8
commit 55b330e6d8
parent c2cef5809e
2 changed files with 8 additions and 1 deletions
--- a/lib/zend/Zend/XmlRpc/Request.php
+++ b/lib/zend/Zend/XmlRpc/Request.php
@ -303,12 +303,15 @@ class Zend_XmlRpc_Request
            return false;
        }

+        // @see ZF-12293 - disable external entities for security purposes
+        $loadEntities = libxml_disable_entity_loader(true);
        try {
            $xml = new SimpleXMLElement($request);
        } catch (Exception $e) {
            // Not valid XML
            $this->_fault = new Zend_XmlRpc_Fault(631);
            $this->_fault->setEncoding($this->getEncoding());
+            libxml_disable_entity_loader($loadEntities);
            return false;
        }

@ -317,6 +320,7 @@ class Zend_XmlRpc_Request
            // Missing method name
            $this->_fault = new Zend_XmlRpc_Fault(632);
            $this->_fault->setEncoding($this->getEncoding());
+            libxml_disable_entity_loader($loadEntities);
            return false;
        }

@ -330,6 +334,7 @@ class Zend_XmlRpc_Request
                if (!isset($param->value)) {
                    $this->_fault = new Zend_XmlRpc_Fault(633);
                    $this->_fault->setEncoding($this->getEncoding());
+                    libxml_disable_entity_loader($loadEntities);
                    return false;
                }

@ -340,6 +345,7 @@ class Zend_XmlRpc_Request
                } catch (Exception $e) {
                    $this->_fault = new Zend_XmlRpc_Fault(636);
                    $this->_fault->setEncoding($this->getEncoding());
+                    libxml_disable_entity_loader($loadEntities);
                    return false;
                }
            }
@ -348,6 +354,7 @@ class Zend_XmlRpc_Request
            $this->_params = $argv;
        }

+        libxml_disable_entity_loader($loadEntities);
        $this->_xml = $request;

        return true;
--- a/lib/zend/readme_moodle.txt
+++ b/lib/zend/readme_moodle.txt
@ -9,4 +9,4 @@ Changes:
 * small fix to error reporting in reflection (MDL-21460, ZF-8980)
 * SOAP and XMLRPC servers overwrite the fault() functions
 * synced and renamed file to version in ZF 1.10.6 (MDL-30603, ZF-11080)
-
+* import security patch (MDL-34284, ZF2012-01, ZF-12293)