From: James Heinrich <info@silisoftware.com>
Date: Sun, 14 Sep 2014 14:13:30 -0400
Subject: improved XXE fix (CVE-2014-2053)
---
getid3/getid3.lib.php | 19 +++++++++----------
1 file changed, 9 insertions(+), 10 deletions(-)
diff --git a/getid3/getid3.lib.php b/getid3/getid3.lib.php
index 86f60d6..3f7b04d 100644
--- a/getid3/getid3.lib.php
+++ b/getid3/getid3.lib.php
@@ -521,16 +521,15 @@ class getid3_lib
}
static function XML2array($XMLstring) {
- if (function_exists('simplexml_load_string')) {
- if (function_exists('get_object_vars')) {
- if (function_exists('libxml_disable_entity_loader')) { // (PHP 5 >= 5.2.11)
- // http://websec.io/2012/08/27/Preventing-XEE-in-PHP.html
- libxml_disable_entity_loader(true);
- }
- $XMLobject = simplexml_load_string($XMLstring);
- return self::SimpleXMLelement2array($XMLobject);
- }
- }
+ if (function_exists('simplexml_load_string') && function_exists('libxml_disable_entity_loader')) {
+ // http://websec.io/2012/08/27/Preventing-XEE-in-PHP.html
+ // https://core.trac.wordpress.org/changeset/29378
+ $loader = libxml_disable_entity_loader(true);
+ $XMLobject = simplexml_load_string($XMLstring, 'SimpleXMLElement', LIBXML_NOENT);
+ $return = self::SimpleXMLelement2array($XMLobject);
+ libxml_disable_entity_loader($loader);
+ return $return;
+ }
return false;
}
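Review bot: The `LIBXML_NOENT` flag passed to `simplexml_load_string` on the new line tells libxml to substitute entities, so internal entity definitions are expanded (and, wherever the entity loader is not disabled, external ones too), which works against the stated goal of the commit; nothing in metadata extraction needs entity substitution. The protection here then rests entirely on `libxml_disable_entity_loader(true)`, and that function is deprecated in PHP 8.0, so the flag should be dropped: `$XMLobject = simplexml_load_string($XMLstring);`. When parsing fails `$XMLobject` is `false` and is still handed to `SimpleXMLelement2array`; an explicit `if ($XMLobject === false) { libxml_disable_entity_loader($loader); return false; }` before the conversion would make the failure path clear. Since `libxml_disable_entity_loader` is process-global state, restoring it only after `SimpleXMLelement2array` returns also leaves it flipped if that call throws; wrapping the restore in `finally` (or restoring immediately after the parse) avoids that.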