tonyair/silverstripe-framework
1
0
Fork 0
mirror of https://github.com/silverstripe/silverstripe-framework synced 2024-10-22 14:05:37 +02:00
Code Issues Projects Releases Wiki Activity

[CVE-2020-25817] Prevent loading of xml entities

Browse Source
This commit is contained in:
Steve Boyd 2021-02-11 13:05:10 +13:00
parent 8167c6f3ef
commit 7f97734a20
4 changed files with 35 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
_config/dev.yml
View File

@ -17,3 +17,6 @@ SilverStripe\Dev\DevelopmentAdmin:
controller: Silverstripe\Dev\DevConfigController controller: Silverstripe\Dev\DevConfigController
links: links:
config: 'View the current config, useful for debugging' config: 'View the current config, useful for debugging'
SilverStripe\Dev\CSSContentParser:
disable_xml_external_entities: true

13
docs/en/04_Changelogs/4.8.0.md
View File

@ -1,5 +1,18 @@
# 4.8.0 (Unreleased) # 4.8.0 (Unreleased)
## Security patches
This release contains security patches. Some of those patches might require some
updates to your project.
* [CVE-2020-25817 XXE Vulnerability in CSSContentParser](https://www.silverstripe.org/download/security-releases/CVE-2020-25817)
### CVE-2020-25817 XXE Vulnerability in CSSContentParser {#CVE-2020-25817}
A tool intended for dev-only use CSSContentParser parses HTML using a the SimpleXML parser. Older versions
of libxml do not have external entity loading disabled by default. This security patches explicitly
disables external entity loading. It can be re-enabled if required via [configuration](/_config/dev.yml)
## Overview ## Overview
- [Support for silverstripe/graphql v4](#graphql-v4) - [Support for silverstripe/graphql v4](#graphql-v4)

9
src/Dev/CSSContentParser.php
View File

@ -2,6 +2,7 @@
namespace SilverStripe\Dev; namespace SilverStripe\Dev;
use SilverStripe\Core\Config\Configurable;
use SilverStripe\Core\Injector\Injectable; use SilverStripe\Core\Injector\Injectable;
use SimpleXMLElement; use SimpleXMLElement;
use tidy; use tidy;
@ -25,6 +26,7 @@ use Exception;
class CSSContentParser class CSSContentParser
{ {
use Injectable; use Injectable;
use Configurable;
protected $simpleXML = null; protected $simpleXML = null;
@ -56,6 +58,13 @@ class CSSContentParser
$tidy = $content; $tidy = $content;
} }
// Prevent loading of external entities to prevent XXE attacks
// Note: as of libxml 2.9.0 entity substitution is disabled by default so this won't be required
if ($this->config()->get('disable_xml_external_entities')) {
libxml_set_external_entity_loader(function () {
return null;
});
}
$this->simpleXML = @simplexml_load_string($tidy, 'SimpleXMLElement', LIBXML_NOWARNING); $this->simpleXML = @simplexml_load_string($tidy, 'SimpleXMLElement', LIBXML_NOWARNING);
if (!$this->simpleXML) { if (!$this->simpleXML) {
throw new Exception('CSSContentParser::__construct(): Could not parse content.' throw new Exception('CSSContentParser::__construct(): Could not parse content.'

10
tests/php/Dev/CSSContentParserTest.php
View File

@ -50,4 +50,14 @@ HTML
$result = $parser->getBySelector('#A .other'); $result = $parser->getBySelector('#A .other');
$this->assertEquals("result", $result[0] . ''); $this->assertEquals("result", $result[0] . '');
} }
public function testXmlEntitiesDisabled()
{
// CSSContentParser uses simplexml to parse html
// Ensure XML entities are not substituted in to prevent XXE attacks
$xml = '<!DOCTYPE html [<!ENTITY myentity "World">]><html><div>Hello &myentity;</div></html>';
$parser = new CSSContentParser($xml);
$div = $parser->getBySelector('div')[0]->asXML();
$this->assertEquals('<div>Hello &amp;myentity;</div>', $div);
}
} }