fixed XML decoding attack vector through external entities

symfony · Aug 28, 2012 · 769e8e6 · 769e8e6
1 parent 4ff9294
commit 769e8e6
Showing 1 changed file with 5 additions and 1 deletion.
diff --git a/Loader/XmlFileLoader.php b/Loader/XmlFileLoader.php
@@ -151,16 +151,20 @@ protected function parseRoute(RouteCollection $collection, \DOMElement $definiti
     protected function loadFile($file)
     {
         $internalErrors = libxml_use_internal_errors(true);
+        $disableEntities = libxml_disable_entity_loader(true);
         libxml_clear_errors();
 
         $dom = new \DOMDocument();
         $dom->validateOnParse = true;
-        if (!$dom->load($file, LIBXML_NONET | (defined('LIBXML_COMPACT') ? LIBXML_COMPACT : 0))) {
+        if (!$dom->loadXML(file_get_contents($file), LIBXML_NONET | (defined('LIBXML_COMPACT') ? LIBXML_COMPACT : 0))) {
+            libxml_disable_entity_loader($disableEntities);
+
             throw new \InvalidArgumentException(implode("\n", $this->getXmlErrors($internalErrors)));
         }
         $dom->normalizeDocument();
 
         libxml_use_internal_errors($internalErrors);
+        libxml_disable_entity_loader($disableEntities);
 
         foreach ($dom->childNodes as $child) {
             if ($child->nodeType === XML_DOCUMENT_TYPE_NODE) {