
svn commit: r1526307 - in /shindig/branches/2.5.0-updateX: php/src/apache/shindig/bootstrap.php php/test/gadgets/GadgetSpecParserTest.php php/test/gadgets/_assets/ php/test/gadgets/_assets/testfile pom.xml

Author: rbaxter85
Date: Wed Sep 25 21:37:11 2013
New Revision: 1526307

URL: http://svn.apache.org/r1526307
Log:
PHP enhancement

Added:
    shindig/branches/2.5.0-updateX/php/test/gadgets/_assets/
    shindig/branches/2.5.0-updateX/php/test/gadgets/_assets/testfile
Modified:
    shindig/branches/2.5.0-updateX/php/src/apache/shindig/bootstrap.php
    shindig/branches/2.5.0-updateX/php/test/gadgets/GadgetSpecParserTest.php
    shindig/branches/2.5.0-updateX/pom.xml

Modified: shindig/branches/2.5.0-updateX/php/src/apache/shindig/bootstrap.php
URL: http://svn.apache.org/viewvc/shindig/branches/2.5.0-updateX/php/src/apache/shindig/bootstrap.php?rev=1526307&r1=1526306&r2=1526307&view=diff
==============================================================================
--- shindig/branches/2.5.0-updateX/php/src/apache/shindig/bootstrap.php (original)
+++ shindig/branches/2.5.0-updateX/php/src/apache/shindig/bootstrap.php Wed Sep 25 21:37:11 2013
@@ -26,6 +26,10 @@ use apache\shindig\common\Config;
 // this prevents that from generating warnings
 @date_default_timezone_set(@date_default_timezone_get());
 
+// generally disable loading of external entities in xml files to prevent
+// remote file inclusions, see http://websec.io/2012/08/27/Preventing-XEE-in-PHP.html
+libxml_disable_entity_loader(true);
+
 require_once __DIR__ . '/../../../external/Symfony/Component/ClassLoader/UniversalClassLoader.php';
 
 $loader = new \Symfony\Component\ClassLoader\UniversalClassLoader();
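Review bot: The added `libxml_disable_entity_loader(true);` is a process-wide switch, so any later call that flips it back (for instance to load a DTD or an XSLT include) silently re-enables external entity resolution for every XML parse in the request, including the gadget spec parser this commit is protecting. The guard is safer placed next to each `DOMDocument`/`simplexml` call that parses untrusted gadget XML, together with not passing `LIBXML_NOENT` or `LIBXML_DTDLOAD`; whether the parser passes those flags is not visible here. At minimum the comment should record the dependency: `// NOTE: process-wide setting; code that parses untrusted XML relies on it, do not re-enable elsewhere`. On PHP 8.0+ this function is deprecated because libxml 2.9+ no longer loads external entities by default, so a per-call approach also ages better.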

Modified: shindig/branches/2.5.0-updateX/php/test/gadgets/GadgetSpecParserTest.php
URL: http://svn.apache.org/viewvc/shindig/branches/2.5.0-updateX/php/test/gadgets/GadgetSpecParserTest.php?rev=1526307&r1=1526306&r2=1526307&view=diff
==============================================================================
--- shindig/branches/2.5.0-updateX/php/test/gadgets/GadgetSpecParserTest.php (original)
+++ shindig/branches/2.5.0-updateX/php/test/gadgets/GadgetSpecParserTest.php Wed Sep 25 21:37:11 2013
@@ -33,7 +33,7 @@ class GadgetSpecParserTest extends \PHPU
   private $GadgetSpecParser;
 
   /**
-   * @var Gadget
+   * @var string
    */
   private $Gadget = '<?xml version="1.0" encoding="UTF-8" ?>
 <Module specificationVersion="2.0.0">
@@ -87,5 +87,21 @@ class GadgetSpecParserTest extends \PHPU
     $this->assertEquals('2.0.0', (string) $gadgetParsed->specificationVersion);
     $this->assertEquals('html', $gadgetParsed->doctype);
   }
+
+  public function testParseWithXMLExternalEntityInjection() {
+    $gadget = '<?xml version="1.0" encoding="UTF-8" ?>
+<!DOCTYPE Module [ <!ENTITY passwd SYSTEM "file://' . __DIR__ . '/_assets/testfile"> ]>
+<Module specificationVersion="2.0.0">
+  <ModulePrefs title="Test" doctype="html" />
+  <Content type="html" view="home">
+  &passwd;
+  </Content>
+</Module>';
+    $gadgetParsed = $this->GadgetSpecParser->parse($gadget, $this->Context);
+    $view = $gadgetParsed->views['home'];
+    $this->assertNotContains('injected content', trim($view['content']));
+  }
+
+
 }
 
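Review bot: `testParseWithXMLExternalEntityInjection` passes vacuously when the fixture is missing or unreadable, because `assertNotContains` on the parsed view content succeeds whether the entity was blocked or simply never resolved; add `$this->assertFileExists(__DIR__ . '/_assets/testfile');` before the parse so a broken fixture fails loudly. The `file://` URI is built by concatenating `__DIR__` unescaped, which on Windows yields `file://C:\...` and can fail to resolve for reasons unrelated to the entity loader, again making the assertion trivially true; a hedged comment on that line (`// NOTE: __DIR__ is not URI-escaped; on Windows this URI may not resolve`) would help the next maintainer. `assertNotContains` on a string is deprecated in PHPUnit 9 in favour of `assertStringNotContainsString`, if the test suite moves forward. The two trailing blank lines before the closing brace are a style nit.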

Added: shindig/branches/2.5.0-updateX/php/test/gadgets/_assets/testfile
URL: http://svn.apache.org/viewvc/shindig/branches/2.5.0-updateX/php/test/gadgets/_assets/testfile?rev=1526307&view=auto
==============================================================================
--- shindig/branches/2.5.0-updateX/php/test/gadgets/_assets/testfile (added)
+++ shindig/branches/2.5.0-updateX/php/test/gadgets/_assets/testfile Wed Sep 25 21:37:11 2013
@@ -0,0 +1 @@
+injected content
\ No newline at end of file

Modified: shindig/branches/2.5.0-updateX/pom.xml
URL: http://svn.apache.org/viewvc/shindig/branches/2.5.0-updateX/pom.xml?rev=1526307&r1=1526306&r2=1526307&view=diff
==============================================================================
--- shindig/branches/2.5.0-updateX/pom.xml (original)
+++ shindig/branches/2.5.0-updateX/pom.xml Wed Sep 25 21:37:11 2013
@@ -1324,6 +1324,7 @@
               <exclude>**/.project</exclude>
               <exclude>**/.settings/*</exclude>
               <exclude>**/src/test/resources/**</exclude>
+              <exclude>**/php/test/gadgets/_assets/**</exclude>
             </excludes>
           </configuration>
         </plugin>
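Review bot: The new exclude `**/php/test/gadgets/_assets/**` removes the whole fixture directory from this check rather than the single `testfile` the commit adds, so anything placed there later bypasses it too; if the intent is only the one license-less fixture, `**/php/test/gadgets/_assets/testfile` matches exactly what was added. The enclosing `<excludes>` block and the plugin it configures start outside the hunk, so the purpose of the check is inferred.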