Description: CVE-2013-1915: Vulnerable to XXE attacks
 This upstream patch has been backported to the Wheezy version.
Author: Thomas Goirand <zigo@debian.org>
Bug-Debian: http://bugs.debian.org/704625
Origin: upstream, https://github.com/SpiderLabs/ModSecurity/commit/d4d80b38aa85eccb26e3c61b04d16e8ca5de76fe
Reviewed-By: Alberto Gonzalez Iniesta <agi@inittab.org>
Last-Update: <2013-04-06>

--- modsecurity-apache-2.6.6.orig/apache2/msc_xml.c
+++ modsecurity-apache-2.6.6/apache2/msc_xml.c
@@ -14,17 +14,27 @@
 
 #include "msc_xml.h"
 
+static xmlParserInputBufferPtr
+xml_unload_external_entity(const char *URI, xmlCharEncoding enc)    {
+    return NULL;
+}
 
 /**
  * Initialise XML parser.
  */
 int xml_init(modsec_rec *msr, char **error_msg) {
+    xmlParserInputBufferCreateFilenameFunc entity;
+
     if (error_msg == NULL) return -1;
     *error_msg = NULL;
 
     msr->xml = apr_pcalloc(msr->mp, sizeof(xml_data));
     if (msr->xml == NULL) return -1;
 
+    if(msr->txcfg->xml_external_entity == 0)    {
+        entity = xmlParserInputBufferCreateFilenameDefault(xml_unload_external_entity);
+    }
+
     return 1;
 }
 
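Review bot: The loader installed on the added line `entity = xmlParserInputBufferCreateFilenameDefault(xml_unload_external_entity);` is never taken down, so once any request runs with SecXmlExternalEntity Off the stub stays in libxml2's default (a global, per-thread in threaded builds as far as I recall) for every later request on that worker, including ones whose directory config says On; the previous-loader pointer the call returns is written to `entity` and then discarded, which also trips -Wunused-but-set-variable. An else branch that reinstates the built-in loader, `else { xmlParserInputBufferCreateFilenameDefault(NULL); }` (libxml2 treats a NULL argument as "use the built-in"), keeps the behaviour tied to the current config, and the `entity` declaration among the locals can then go. Because the stub is fail-closed (NULL means no external entity is ever fetched), request order can only tilt toward blocking, which is the safe direction, but it makes the On setting unreliable. A comment above the stub such as `/* Replaces libxml2's file/URI input loader: returning NULL fails every external entity fetch, which is what SecXmlExternalEntity Off asks for. */` would tell the next reader why an empty function is the fix.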
--- modsecurity-apache-2.6.6.orig/apache2/apache2_config.c
+++ modsecurity-apache-2.6.6/apache2/apache2_config.c
@@ -128,6 +128,9 @@ void *create_directory_config(apr_pool_t
     /* Collection timeout */
     dcfg->col_timeout = NOT_SET;
 
+    /* xml external entity */
+    dcfg->xml_external_entity = NOT_SET;
+
     return dcfg;
 }
 
@@ -518,6 +521,10 @@ void *merge_directory_configs(apr_pool_t
     merged->col_timeout = (child->col_timeout == NOT_SET
         ? parent->col_timeout : child->col_timeout);
 
+    /* xml external entity */
+    merged->xml_external_entity = (child->xml_external_entity == NOT_SET
+        ? parent->xml_external_entity : child->xml_external_entity);
+
     return merged;
 }
 
@@ -615,6 +622,9 @@ void init_directory_config(directory_con
     if (dcfg->disable_backend_compression == NOT_SET) dcfg->disable_backend_compression = 0;
 
     if (dcfg->col_timeout == NOT_SET) dcfg->col_timeout = 3600;
+
+    /* xml external entity */
+    if (dcfg->xml_external_entity == NOT_SET) dcfg->xml_external_entity = 0;
 }
 
 /**
@@ -1961,6 +1971,32 @@ static const char *cmd_web_app_id(cmd_pa
     return NULL;
 }
 
+/**
+* \brief Add SecXmlExternalEntity configuration option
+*
+* \param cmd Pointer to configuration data
+* \param _dcfg Pointer to directory configuration
+* \param p1 Pointer to configuration option
+*
+* \retval NULL On failure
+* \retval apr_psprintf On Success
+*/
+static const char *cmd_xml_external_entity(cmd_parms *cmd, void *_dcfg, const char *p1)
+{
+    directory_config *dcfg = (directory_config *)_dcfg;
+    if (dcfg == NULL) return NULL;
+
+    if (strcasecmp(p1, "on") == 0)  {
+        dcfg->xml_external_entity = 1;
+    }
+    else if (strcasecmp(p1, "off") == 0)    {
+        dcfg->xml_external_entity = 0;
+    }
+    else return apr_psprintf(cmd->pool, "ModSecurity: Invalid value for SecXmlExternalEntity: %s", p1);
+
+    return NULL;
+}
+
 /* PCRE Limits */
 
 static const char *cmd_pcre_match_limit(cmd_parms *cmd,
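Review bot: The doc comment on the new handler has its return values inverted: the body returns NULL when the value parsed and the apr_psprintf error string when it did not, while `\retval NULL On failure` / `\retval apr_psprintf On Success` state the opposite. Change them to `* \retval NULL On success` and `* \retval apr_psprintf Error message on failure`. The `if (dcfg == NULL) return NULL;` guard also reports success for a directive that had no effect; the sibling handlers in this file presumably follow the same pattern, so this is an observation rather than something to change in this patch. The `else return apr_psprintf(...)` arm is the only unbraced branch of the chain; bracing it keeps it consistent with the two branches above.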
@@ -2295,6 +2331,14 @@ const command_rec module_directives[] =
         "component signature to add to ModSecurity signature."
     ),
 
+    AP_INIT_TAKE1 (
+        "SecXmlExternalEntity",
+        cmd_xml_external_entity,
+        NULL,
+        CMD_SCOPE_ANY,
+        "On or Off"   
+    ),
+
     AP_INIT_FLAG (
         "SecContentInjection",
         cmd_content_injection,
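Review bot: The new entry is registered with AP_INIT_TAKE1 and a hand-written On/Off parser, whereas the directive right below it (SecContentInjection) uses AP_INIT_FLAG, which lets Apache parse On/Off itself and pass the handler an int; keeping the two alike would drop the strcasecmp chain in cmd_xml_external_entity and give both directives the same accepted spellings, at the cost of changing that handler's signature to `(cmd_parms *cmd, void *_dcfg, int flag)`. If TAKE1 is kept, the help string `"On or Off"   ` carries trailing whitespace and could say what the option governs, e.g. `"On or Off: whether XML external entities are resolved (default Off)"`. The Off default is established by the init_directory_config hunk earlier in this file, so that wording matches the code.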
--- modsecurity-apache-2.6.6.orig/apache2/modsecurity.h
+++ modsecurity-apache-2.6.6/apache2/modsecurity.h
@@ -522,6 +522,9 @@ struct directory_config {
 
     /* Collection timeout */
     int col_timeout;
+
+    /* xml */
+    int                 xml_external_entity;
 };
 
 struct error_message {
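Review bot: The added field declaration `int                 xml_external_entity;` uses run-of-spaces alignment that the neighbouring `int col_timeout;` does not, and the comment `/* xml */` says less than the comment used for the same field in the apache2_config.c hunks (`/* xml external entity */`). Suggest `/* XML external entity resolution: 1 = allowed, 0 = blocked (SecXmlExternalEntity) */` above `int xml_external_entity;`, since the header is where readers look for what the values mean; the 1/0 assignment is visible in the cmd_xml_external_entity hunk of this patch.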
