
ported @Seldaek's fix to the bundle

Johannes M. Schmitt преди 13 години
родител
ревизия
f9dbc50f50
променени са 2 файла, в които са добавени 31 реда и са изтрити 2 реда
  1. 5 1
      Serializer/XmlDeserializationVisitor.php
  2. 26 1
      Tests/Serializer/XmlSerializationTest.php

+ 5 - 1
Serializer/XmlDeserializationVisitor.php

@@ -35,12 +35,14 @@ class XmlDeserializationVisitor extends AbstractDeserializationVisitor
     private $currentMetadata;
     private $result;
     private $navigator;
+    private $disableExternalEntities;
 
-    public function __construct(PropertyNamingStrategyInterface $namingStrategy, array $customHandlers, ObjectConstructorInterface $objectConstructor)
+    public function __construct(PropertyNamingStrategyInterface $namingStrategy, array $customHandlers, ObjectConstructorInterface $objectConstructor, $disableExternalEntities = true)
     {
         parent::__construct($namingStrategy, $customHandlers);
 
         $this->objectConstructor = $objectConstructor;
+        $this->disableExternalEntities = $disableExternalEntities;
     }
 
     public function setNavigator(GraphNavigator $navigator)
@@ -59,8 +61,10 @@ class XmlDeserializationVisitor extends AbstractDeserializationVisitor
     public function prepare($data)
     {
         $previous = libxml_use_internal_errors(true);
+        $previousEntityLoaderState = libxml_disable_entity_loader($this->disableExternalEntities);
         $doc = simplexml_load_string($data);
         libxml_use_internal_errors($previous);
+        libxml_disable_entity_loader($previousEntityLoaderState);
 
         if (false === $doc) {
             throw new XmlErrorException(libxml_get_last_error());
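Review bot: Passing `false` for `$disableExternalEntities` does not leave the loader untouched — the line `libxml_disable_entity_loader($this->disableExternalEntities)` in prepare() actively re-enables external entity loading for the duration of the parse, even in an application that had already disabled it process-wide, because the function is a global toggle rather than a per-parser option. If the opt-out is meant as "do not change the current setting", make the call conditional on the flag and restore only when it was changed; otherwise document the semantics on the constructor, e.g. `@param bool $disableExternalEntities Whether to block loading of external entities (XXE) while parsing; the previous global loader state is restored afterwards`. The restore on the line after simplexml_load_string() is only reached because that call reports failure by returning false rather than throwing, which is worth a one-line comment there. prepare() continues past the end of the hunk.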

+ 26 - 1
Tests/Serializer/XmlSerializationTest.php

@@ -20,6 +20,8 @@ namespace JMS\SerializerBundle\Tests\Serializer;
 
 use JMS\SerializerBundle\Tests\Fixtures\InvalidUsageOfXmlValue;
 use JMS\SerializerBundle\Exception\InvalidArgumentException;
+use JMS\SerializerBundle\Annotation\Type;
+use JMS\SerializerBundle\Annotation\XmlValue;
 
 class XmlSerializationTest extends BaseSerializationTest
 {
@@ -32,6 +34,22 @@ class XmlSerializationTest extends BaseSerializationTest
         $this->serialize($obj);
     }
 
+    public function testExternalEntitiesAreDisabledByDefault()
+    {
+        $currentDir = getcwd();
+        chdir(__DIR__);
+        $entity = $this->deserialize('<?xml version="1.0"?>
+            <!DOCTYPE author [
+                <!ENTITY foo SYSTEM "php://filter/read=convert.base64-encode/resource='.basename(__FILE__).'">
+            ]>
+            <result>
+                &foo;
+            </result>', 'JMS\SerializerBundle\Tests\Serializer\ExternalEntityTest');
+        chdir($currentDir);
+
+        $this->assertEquals('', trim($entity->foo));
+    }
+
     protected function getContent($key)
     {
         if (!file_exists($file = __DIR__.'/xml/'.$key.'.xml')) {
@@ -45,4 +63,11 @@ class XmlSerializationTest extends BaseSerializationTest
     {
         return 'xml';
     }
-}
+}
+
+class ExternalEntityTest
+{
+    /** @Type("string") @XmlValue */
+    public $foo;
+}
+
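Review bot: The chdir(__DIR__) / chdir($currentDir) pair around deserialize() in testExternalEntitiesAreDisabledByDefault is unprotected, so if deserialize() throws, the working directory stays at __DIR__ for every test that runs afterwards. Unless resolving the SYSTEM identifier relative to the cwd is the point of the test, the three cwd lines can go and the entity can name the file absolutely: `<!ENTITY foo SYSTEM "php://filter/read=convert.base64-encode/resource='.__FILE__.'">`. The final assertion only shows the reference expanded to nothing; a comment above it such as `// with the loader disabled the external entity must not be fetched, so the value stays empty` would record what a non-empty (base64) value would indicate. The file also gains two trailing blank lines after the new ExternalEntityTest class, which the rest of the file does not have.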