prevents injection of malicious doc types

symfony · Aug 28, 2012 · 4ff9294 · 4ff9294
1 parent 26d68e4
commit 4ff9294
Showing 1 changed file with 6 additions and 0 deletions.
diff --git a/Loader/XmlFileLoader.php b/Loader/XmlFileLoader.php
@@ -162,6 +162,12 @@ protected function loadFile($file)
 
         libxml_use_internal_errors($internalErrors);
 
+        foreach ($dom->childNodes as $child) {
+            if ($child->nodeType === XML_DOCUMENT_TYPE_NODE) {
+                throw new \InvalidArgumentException('Document types are not allowed.');
+            }
+        }
+
         $this->validate($dom);
 
         return $dom;