Merge pull request #423 from joomlashack/fix-libxml-disable-loader

Restore libxml state when changed
recurly · Sep 13, 2019 · 4c594f7 · 4c594f7
2 parents fd336e9 + 915b449
commit 4c594f7
Show file tree

Hide file tree

Showing 4 changed files with 20 additions and 8 deletions.
diff --git a/lib/recurly/base.php b/lib/recurly/base.php
@@ -286,8 +286,7 @@ public function getLinks() {
   protected static function __parseResponseToNewObject($response, $uri, $client) {
     $dom = new DOMDocument();
 
-    // Attempt to prevent XXE that could be exploited through loadXML()
-    libxml_disable_entity_loader(true);
+    Recurly_Client::disableXmlEntityLoading();
 
     if (empty($response->body) || !$dom->loadXML($response->body, LIBXML_NOBLANKS)) {
       return null;
@@ -312,8 +311,7 @@ protected function __parseXmlToUpdateObject($xml)
   {
     $dom = new DOMDocument();
 
-    // Attempt to prevent XXE that could be exploited through loadXML()
-    libxml_disable_entity_loader(true);
+    Recurly_Client::disableXmlEntityLoading();
 
     if (empty($xml) || !$dom->loadXML($xml, LIBXML_NOBLANKS)) return null;
 

diff --git a/lib/recurly/client.php b/lib/recurly/client.php
@@ -114,6 +114,22 @@ public static function apiUrl() {
     return Recurly_Client::$apiUrl;
   }
 
+  /**
+   * Attempt to prevent XXE that could be exploited through loadXML()
+   * unless requested not to
+   */
+  public static function disableXmlEntityLoading()
+  {
+    $disable = getenv('RECURLY_DISABLE_ENTITY_LOADING');
+    if ($disable === false) {
+        $disable = true;
+    } else {
+        $disable = (bool)$disable;
+    }
+
+    libxml_disable_entity_loader($disable);
+  }
+
   /**
    * Current API key
    * @return string API key

diff --git a/lib/recurly/push_notification.php b/lib/recurly/push_notification.php
@@ -99,8 +99,7 @@ function __construct($post_xml)
   function parseXml($post_xml)
   {
 
-    // Attempt to prevent XXE that could be exploited through simplexml_load_string()
-    libxml_disable_entity_loader(true);
+    Recurly_Client::disableXmlEntityLoading();
 
     if (!@simplexml_load_string ($post_xml)) {
       return;

diff --git a/lib/recurly/response.php b/lib/recurly/response.php
@@ -103,8 +103,7 @@ public function assertValidResponse()
   private function parseErrorXml($xml) {
     $dom = new DOMDocument();
 
-    // Attempt to prevent XXE that could be exploited through loadXML()
-    libxml_disable_entity_loader(true);
+    Recurly_Client::disableXmlEntityLoading();
 
     if (empty($xml) || !$dom->loadXML($xml)) return null;