From: =?utf-8?q?David_Pr=C3=A9vot?= <taffit@debian.org>
Date: Mon, 22 Sep 2014 22:33:00 -0400
Subject: improved XXE fix (CVE-2014-2053)

Origin: upstream, https://github.com/JamesHeinrich/getID3/commit/a3f27573aa5532fc86ccabba792884731e707a2c
---
 getid3/getid3.lib.php | 19 +++++++++----------
 1 file changed, 9 insertions(+), 10 deletions(-)

diff --git a/getid3/getid3.lib.php b/getid3/getid3.lib.php
index f5ab319..3b67402 100644
--- a/getid3/getid3.lib.php
+++ b/getid3/getid3.lib.php
@@ -519,16 +519,15 @@ class getid3_lib
 	}
 
 	public static function XML2array($XMLstring) {
-		if (function_exists('simplexml_load_string')) {
-			if (function_exists('get_object_vars')) {
-				if (function_exists('libxml_disable_entity_loader')) { // (PHP 5 >= 5.2.11)
-					// http://websec.io/2012/08/27/Preventing-XEE-in-PHP.html
-					libxml_disable_entity_loader(true);
-				}
-				$XMLobject = simplexml_load_string($XMLstring);
-				return self::SimpleXMLelement2array($XMLobject);
-			}
-		}
+		if (function_exists('simplexml_load_string') && function_exists('libxml_disable_entity_loader')) {
+			// http://websec.io/2012/08/27/Preventing-XEE-in-PHP.html
+			// https://core.trac.wordpress.org/changeset/29378
+			$loader = libxml_disable_entity_loader(true); 
+			$XMLobject = simplexml_load_string($XMLstring, 'SimpleXMLElement', LIBXML_NOENT); 
+			$return = self::SimpleXMLelement2array($XMLobject); 
+			libxml_disable_entity_loader($loader); 
+			return $return; 
+		} 
 		return false;
 	}
 
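Review bot: On the added `simplexml_load_string($XMLstring, 'SimpleXMLElement', LIBXML_NOENT)` call, `LIBXML_NOENT` turns entity substitution on rather than off, so the XXE protection in `XML2array()` rests entirely on the preceding `libxml_disable_entity_loader(true)` having taken effect. If callers do not need entities expanded, I would drop the flag (`$XMLobject = simplexml_load_string($XMLstring, 'SimpleXMLElement');`); if they do, a comment such as `// LIBXML_NOENT substitutes entities; only safe while the entity loader is disabled above` should record that dependency, because internal entities declared in the input are still substituted with the flag set. Separately, `simplexml_load_string()` returns `false` on malformed XML and that value is passed straight to `SimpleXMLelement2array()`, whose handling of it is not visible in this hunk; `$return = ($XMLobject !== false) ? self::SimpleXMLelement2array($XMLobject) : false;` keeps the loader restore on the following line and matches the function's existing `return false` convention.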
