File: 0001-close-potential-XXE-security-issue-CVE-2014-2053.patch

php-getid3 1.9.3-1%2Bdeb7u2
  • area: main
  • in suites: wheezy
  • size: 2,500 kB
  • sloc: php: 28,743; makefile: 8
From: James Heinrich <info@silisoftware.com>
Date: Wed, 12 Mar 2014 08:25:28 -0500
Subject: close potential XXE security issue (CVE-2014-2053)

http://websec.io/2012/08/27/Preventing-XEE-in-PHP.html

Origin: upstream, https://github.com/JamesHeinrich/getID3/commit/dc8549079a24bb0619b6124ef2df767704f8d0bc
---
 getid3/getid3.lib.php | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/getid3/getid3.lib.php b/getid3/getid3.lib.php
index 723e2e2..86f60d6 100644
--- a/getid3/getid3.lib.php
+++ b/getid3/getid3.lib.php
@@ -523,6 +523,10 @@ class getid3_lib
 	static function XML2array($XMLstring) {
 		if (function_exists('simplexml_load_string')) {
 			if (function_exists('get_object_vars')) {
+				if (function_exists('libxml_disable_entity_loader')) { // (PHP 5 >= 5.2.11)
+					// http://websec.io/2012/08/27/Preventing-XEE-in-PHP.html
+					libxml_disable_entity_loader(true);
+				}
 				$XMLobject = simplexml_load_string($XMLstring);
 				return self::SimpleXMLelement2array($XMLobject);
 			}