mirror of
https://github.com/silverstripe/silverstripe-framework
synced 2024-10-22 12:05:37 +00:00
[CVE-2020-25817] Prevent loading of xml entities
This commit is contained in:
Steve Boyd
parent
472fc4ebb4
commit
3bb435c241
@ -17,3 +17,6 @@ SilverStripe\Dev\DevelopmentAdmin:
|
|||||||
controller: Silverstripe\Dev\DevConfigController
|
controller: Silverstripe\Dev\DevConfigController
|
||||||
links:
|
links:
|
||||||
config: 'View the current config, useful for debugging'
|
config: 'View the current config, useful for debugging'
|
||||||
|
|
||||||
|
SilverStripe\Dev\CSSContentParser:
|
||||||
|
disable_xml_external_entities: true
|
||||||
|
|||||||
@ -2,6 +2,7 @@
|
|||||||
|
|
||||||
namespace SilverStripe\Dev;
|
namespace SilverStripe\Dev;
|
||||||
|
|
||||||
|
use SilverStripe\Core\Config\Configurable;
|
||||||
use SilverStripe\Core\Injector\Injectable;
|
use SilverStripe\Core\Injector\Injectable;
|
||||||
use SimpleXMLElement;
|
use SimpleXMLElement;
|
||||||
use tidy;
|
use tidy;
|
||||||
@ -25,6 +26,7 @@ use Exception;
|
|||||||
class CSSContentParser
|
class CSSContentParser
|
||||||
{
|
{
|
||||||
use Injectable;
|
use Injectable;
|
||||||
|
use Configurable;
|
||||||
|
|
||||||
protected $simpleXML = null;
|
protected $simpleXML = null;
|
||||||
|
|
||||||
@ -56,6 +58,13 @@ class CSSContentParser
|
|||||||
$tidy = $content;
|
$tidy = $content;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Prevent loading of external entities to prevent XXE attacks
|
||||||
|
// Note: as of libxml 2.9.0 entity substitution is disabled by default so this won't be required
|
||||||
|
if ($this->config()->get('disable_xml_external_entities')) {
|
||||||
|
libxml_set_external_entity_loader(function () {
|
||||||
|
return null;
|
||||||
|
});
|
||||||
|
}
|
||||||
$this->simpleXML = @simplexml_load_string($tidy, 'SimpleXMLElement', LIBXML_NOWARNING);
|
$this->simpleXML = @simplexml_load_string($tidy, 'SimpleXMLElement', LIBXML_NOWARNING);
|
||||||
if (!$this->simpleXML) {
|
if (!$this->simpleXML) {
|
||||||
throw new Exception('CSSContentParser::__construct(): Could not parse content.'
|
throw new Exception('CSSContentParser::__construct(): Could not parse content.'
|
||||||
|
|||||||
@ -50,4 +50,14 @@ HTML
|
|||||||
$result = $parser->getBySelector('#A .other');
|
$result = $parser->getBySelector('#A .other');
|
||||||
$this->assertEquals("result", $result[0] . '');
|
$this->assertEquals("result", $result[0] . '');
|
||||||
}
|
}
|
||||||
|
|
||||||
|
public function testXmlEntitiesDisabled()
|
||||||
|
{
|
||||||
|
// CSSContentParser uses simplexml to parse html
|
||||||
|
// Ensure XML entities are not substituted in to prevent XXE attacks
|
||||||
|
$xml = '<!DOCTYPE html [<!ENTITY myentity "World">]><html><div>Hello &myentity;</div></html>';
|
||||||
|
$parser = new CSSContentParser($xml);
|
||||||
|
$div = $parser->getBySelector('div')[0]->asXML();
|
||||||
|
$this->assertEquals('<div>Hello &myentity;</div>', $div);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user