Disable Entity Loader before reading XML

recurly · Feb 19, 2019 · a7e0833 · a7e0833
1 parent 9f98417
commit a7e0833
Show file tree

Hide file tree

Showing 3 changed files with 16 additions and 0 deletions.
diff --git a/lib/recurly/base.php b/lib/recurly/base.php
@@ -282,6 +282,10 @@ public function getLinks() {
   // Use a valid Recurly_Response to populate a new object.
   protected static function __parseResponseToNewObject($response, $uri, $client) {
     $dom = new DOMDocument();
+
+    // Attempt to prevent XXE that could be exploited through loadXML()
+    libxml_disable_entity_loader(true);
+
     if (empty($response->body) || !$dom->loadXML($response->body, LIBXML_NOBLANKS)) {
       return null;
     }
@@ -305,6 +309,10 @@ protected function _afterParseResponse($response, $uri) { }
   protected function __parseXmlToUpdateObject($xml)
   {
     $dom = new DOMDocument();
+
+    // Attempt to prevent XXE that could be exploited through loadXML()
+    libxml_disable_entity_loader(true);
+
     if (empty($xml) || !$dom->loadXML($xml, LIBXML_NOBLANKS)) return null;
 
     $rootNode = $dom->documentElement;

diff --git a/lib/recurly/push_notification.php b/lib/recurly/push_notification.php
@@ -98,6 +98,10 @@ function __construct($post_xml)
 
   function parseXml($post_xml)
   {
+
+    // Attempt to prevent XXE that could be exploited through simplexml_load_string()
+    libxml_disable_entity_loader(true);
+
     if (!@simplexml_load_string ($post_xml)) {
       return;
     }

diff --git a/lib/recurly/response.php b/lib/recurly/response.php
@@ -102,6 +102,10 @@ public function assertValidResponse()
 
   private function parseErrorXml($xml) {
     $dom = new DOMDocument();
+
+    // Attempt to prevent XXE that could be exploited through loadXML()
+    libxml_disable_entity_loader(true);
+
     if (empty($xml) || !$dom->loadXML($xml)) return null;
 
     $rootNode = $dom->documentElement;