Etusivu Tutki Apua
Rekisteröidy Kirjaudu sisään
VendorSoftware
/
JMSSerializerBundle
2
0
Fork 0
Tiedostot Ongelmat 0 Pull-pyynnöt 0 Wiki
Selaa lähdekoodia

disallow XML document types

Johannes M. Schmitt 12 vuotta sitten
vanhempi
1f308a5877
commit
5a9b7e6b62
2 muutettua tiedostoa jossa 24 lisäystä ja 14 poistoa
Yhdistetty näkymä Näytä diff tilastot
  1. 9 0
      Serializer/XmlDeserializationVisitor.php
  2. 15 14
      Tests/Serializer/XmlSerializationTest.php

+ 9 - 0
Serializer/XmlDeserializationVisitor.php
Näytä tiedosto 

@@ -62,6 +62,15 @@ class XmlDeserializationVisitor extends AbstractDeserializationVisitor
 
     {
 
     {
 
         $previous = libxml_use_internal_errors(true);
 
         $previous = libxml_use_internal_errors(true);
 
         $previousEntityLoaderState = libxml_disable_entity_loader($this->disableExternalEntities);
 
         $previousEntityLoaderState = libxml_disable_entity_loader($this->disableExternalEntities);
 
+
 
+        $dom = new \DOMDocument();
 
+        $dom->loadXML($data);
 
+        foreach ($dom->childNodes as $child) {
 
+            if ($child->nodeType === XML_DOCUMENT_TYPE_NODE) {
 
+                throw new \InvalidArgumentException('Document types are not allowed.');
 
+            }
 
+        }
 
+
 
         $doc = simplexml_load_string($data);
 
         $doc = simplexml_load_string($data);
 
         libxml_use_internal_errors($previous);
 
         libxml_use_internal_errors($previous);
 
         libxml_disable_entity_loader($previousEntityLoaderState);
 
         libxml_disable_entity_loader($previousEntityLoaderState);

+ 15 - 14
Tests/Serializer/XmlSerializationTest.php
Näytä tiedosto 

@@ -63,20 +63,28 @@ class XmlSerializationTest extends BaseSerializationTest
 
         $this->assertEquals($this->getContent('person_collection'), $this->serialize($personCollection));
 
         $this->assertEquals($this->getContent('person_collection'), $this->serialize($personCollection));
 
     }
 
     }
 
 
 
+    /**
 
+     * @expectedException \InvalidArgumentException
 
+     * @expectedExceptionMessage Document types are not allowed
 
+     */
 
     public function testExternalEntitiesAreDisabledByDefault()
 
     public function testExternalEntitiesAreDisabledByDefault()
 
     {
 
     {
 
-        $currentDir = getcwd();
 
-        chdir(__DIR__);
 
-        $entity = $this->deserialize('<?xml version="1.0"?>
 
+        $this->deserialize('<?xml version="1.0"?>
 
             <!DOCTYPE author [
 
             <!DOCTYPE author [
 
                 <!ENTITY foo SYSTEM "php://filter/read=convert.base64-encode/resource='.basename(__FILE__).'">
 
                 <!ENTITY foo SYSTEM "php://filter/read=convert.base64-encode/resource='.basename(__FILE__).'">
 
             ]>
 
             ]>
 
             <result>
 
             <result>
 
                 &foo;
 
                 &foo;
 
-            </result>', 'JMS\SerializerBundle\Tests\Serializer\ExternalEntityTest');
 
-        chdir($currentDir);
 
+            </result>', 'stdClass');
 
+    }
 
 
 
-        $this->assertEquals('', trim($entity->foo));
 
+    /**
 
+     * @expectedException \InvalidArgumentException
 
+     * @expectedExceptionMessage Document types are not allowed
 
+     */
 
+    public function testDocumentTypesAreNotAllowed()
 
+    {
 
+        $this->deserialize('<?xml version="1.0"?><!DOCTYPE foo><foo></foo>', 'stdClass');
 
     }
 
     }
 
 
 
     public function testVirtualAttributes() {
 
     public function testVirtualAttributes() {
 
@@ -122,11 +130,4 @@ class XmlSerializationTest extends BaseSerializationTest
 
     {
 
     {
 
         return 'xml';
 
         return 'xml';
 
     }
 
     }
 
-}
 
-
 
-class ExternalEntityTest
 
-{
 
-    /** @Type("string") @XmlValue */
 
-    public $foo;
 
-}
 
-
 
+}