[fusion-commits] r2854 - in branches/fusion-2.2: . common/php

svn_fusion at osgeo.org
Tue Jun 24 20:59:22 PDT 2014


Author: jng
Date: 2014-06-24 20:59:22 -0700 (Tue, 24 Jun 2014)
New Revision: 2854

Modified:
   branches/fusion-2.2/
   branches/fusion-2.2/common/php/Xml2JSON.php
Log:
Merged revision(s) 2850 from trunk:
#617: XXE security fix
........



Property changes on: branches/fusion-2.2
___________________________________________________________________
Modified: svn:mergeinfo
   - /trunk:2192-2233
   + /trunk:2192-2233,2850

Modified: branches/fusion-2.2/common/php/Xml2JSON.php
===================================================================
--- branches/fusion-2.2/common/php/Xml2JSON.php	2014-06-25 03:57:54 UTC (rev 2853)
+++ branches/fusion-2.2/common/php/Xml2JSON.php	2014-06-25 03:59:22 UTC (rev 2854)
@@ -28,6 +28,10 @@
  */
 include(dirname(__FILE__).'/Utilities.php');
 
+//Requests to this script can be made from anywhere, so disable XML entity loading to
+//guard against malicious XML
+libxml_disable_entity_loader(true);
+
 if (isset($_FILES['xml'])) {
     $xml = file_get_contents($_FILES['xml']['tmp_name']);
 } elseif (isset($_SERVER['HTTP_HOST'])) {
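
Review bot: The libxml_disable_entity_loader(true) call added ahead of the "if (isset($_FILES['xml']))" block changes libxml state for the rest of the request, and its return value (the previous setting) is discarded, so everything parsed after this point inherits it. With the loader disabled, libxml can no longer open documents by path or URL on its own, so please confirm that every branch below reads the XML into $xml as a string, as the file_get_contents($_FILES['xml']['tmp_name']) branch does, and parses it from that string. The "elseif (isset($_SERVER['HTTP_HOST']))" branch is cut off in this hunk and is the one to check. The new comment could also say "external entity loading", which is what the call turns off, and mention #617 so the reason stays findable from the source.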


