Merge pull request #97 from mdeweerd/fix/xml-security

matks · web-flow · commit 5e20d6d8c69c · 2024-06-22T21:57:35.000+02:00
Improve security for lib_xml
diff --git a/PSWebServiceLibrary.php b/PSWebServiceLibrary.php
@@ -274,7 +274,13 @@ protected function parseXML($response)
         if ($response != '') {
             libxml_clear_errors();
             libxml_use_internal_errors(true);
-            $xml = simplexml_load_string(trim($response), 'SimpleXMLElement', LIBXML_NOCDATA);
+            if (LIBXML_VERSION < 20900) {
+                // Avoid load of external entities (security problem).
+                // Required only if LIBXML_VERSION < 20900
+                libxml_disable_entity_loader(true);
+            }
+
+            $xml = simplexml_load_string(trim($response), 'SimpleXMLElement', LIBXML_NOCDATA|LIBXML_NONET);
             if (libxml_get_errors()) {
                 $msg = var_export(libxml_get_errors(), true);
                 libxml_clear_errors();
