[fusion-commits] r2851 - in branches/fusion-mg26: . common/php
svn_fusion at osgeo.org
svn_fusion at osgeo.org
Tue Jun 24 20:55:07 PDT 2014
Author: jng
Date: 2014-06-24 20:55:07 -0700 (Tue, 24 Jun 2014)
New Revision: 2851
Modified:
branches/fusion-mg26/
branches/fusion-mg26/common/php/Xml2JSON.php
Log:
Merged revision(s) 2850 from trunk:
#617: XXE security fix
........
Property changes on: branches/fusion-mg26
___________________________________________________________________
Modified: svn:mergeinfo
- /branches/fusion-mg24:2560
/sandbox/createruntimemap:2699-2708
/sandbox/jxlib-3.0:1957-2248
/sandbox/ol213:2801-2803
/sandbox/robust_error_handling:2818-2825
/trunk:2847
+ /branches/fusion-mg24:2560
/sandbox/createruntimemap:2699-2708
/sandbox/jxlib-3.0:1957-2248
/sandbox/ol213:2801-2803
/sandbox/robust_error_handling:2818-2825
/trunk:2847,2850
Modified: branches/fusion-mg26/common/php/Xml2JSON.php
===================================================================
--- branches/fusion-mg26/common/php/Xml2JSON.php 2014-06-25 03:53:59 UTC (rev 2850)
+++ branches/fusion-mg26/common/php/Xml2JSON.php 2014-06-25 03:55:07 UTC (rev 2851)
@@ -28,6 +28,10 @@
*/
include(dirname(__FILE__).'/Utilities.php');
+//Requests to this script can be made from anywhere, so disable XML entity loading to
+//guard against malicious XML
+libxml_disable_entity_loader(true);
+
if (isset($_FILES['xml'])) {
$xml = file_get_contents($_FILES['xml']['tmp_name']);
} elseif (isset($_SERVER['HTTP_HOST'])) {
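Review bot: The added `libxml_disable_entity_loader(true)` only turns off loading of external entities; it does not stop expansion of internal entities (entity-expansion / "billion laughs" inputs), so the parse call for `$xml` — which is outside this hunk — must also avoid `LIBXML_NOENT` and should pass `LIBXML_NONET`, with a size bound on the uploaded document if one is not already enforced. The new comment should say so, e.g. `//Disable external entity loading (XXE); this does not prevent internal-entity expansion, so the parser must not be invoked with LIBXML_NOENT`. The call is also a process-wide switch rather than a per-parser option, and in PHP 8.0+ it is deprecated because the loader is already disabled by default, so a version guard `if (\PHP_VERSION_ID < 80000) { libxml_disable_entity_loader(true); }` avoids an E_DEPRECATED notice on newer runtimes while keeping the protection on older ones. The same change was merged from trunk in r2850 and presumably needs the same follow-up there.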