author | Paweł Sroka <srokap@gmail.com> | 2014-01-01 13:12:24 +0100 |
committer | Paweł Sroka <srokap@gmail.com> | 2014-01-01 13:12:24 +0100 |
commit | 53509917fd2119e17209179aae6d54b64dd2d244 (patch) | |
tree | aac2e883578b78796686728ae3beed5b2a35a9a4 /engine/tests/regression/trac_bugs.php | |
parent | 7006294fcbfab450289403b6519edb9d5d30ff35 (diff) | |
parent | 7cacdc8bc26c98a58dc8986acfd911d6542608af (diff) | |
download | elgg-53509917fd2119e17209179aae6d54b64dd2d244.tar.gz elgg-53509917fd2119e17209179aae6d54b64dd2d244.tar.bz2 |
Merged in libxml18 (pull request #8)
Disable loading external entities during XML parsing
Diffstat (limited to 'engine/tests/regression/trac_bugs.php')
-rw-r--r-- | engine/tests/regression/trac_bugs.php | 29 |
1 files changed, 29 insertions, 0 deletions
diff --git a/engine/tests/regression/trac_bugs.php b/engine/tests/regression/trac_bugs.php
index ef1348cf6..689275661 100644
--- a/engine/tests/regression/trac_bugs.php
+++ b/engine/tests/regression/trac_bugs.php
@@ -373,4 +373,33 @@ class ElggCoreRegressionBugsTest extends ElggCoreUnitTest {
 //delete group and annotations
 $group->delete();
 }
+
+ public function test_ElggXMLElement_does_not_load_external_entities() {
+ $elLast = libxml_disable_entity_loader(false);
+
+ // build payload that should trigger loading of external entity
+ $payload = file_get_contents(dirname(dirname(__FILE__)) . '/test_files/xxe/request.xml');
+ $path = realpath(dirname(dirname(__FILE__)) . '/test_files/xxe/external_entity.txt');
+ $path = str_replace('\\', '/', $path);
+ if ($path[0] != '/') {
+ $path = '/' . $path;
+ }
+ $path = 'file://' . $path;
+ $payload = sprintf($payload, $path);
+
+ // make sure we can actually this in this environment
+ $element = new SimpleXMLElement($payload);
+ $can_load_entity = preg_match('/secret/', (string)$element->methodName);
+
+ $this->skipUnless($can_load_entity, "XXE vulnerability cannot be tested on this system");
+
+ if ($can_load_entity) {
+ $el = new ElggXMLElement($payload);
+ $chidren = $el->getChildren();
+ $content = $chidren[0]->getContent();
+ $this->assertNoPattern('/secret/', $content);
+ }
+
+ libxml_disable_entity_loader($elLast);
+ }
 } |
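Review bot: The restore call `libxml_disable_entity_loader($elLast);` at the end of the new test is never reached if anything before it throws — `new SimpleXMLElement($payload)` throws on unparsable XML, and a missing fixture makes `file_get_contents` return false so the sprintf'd payload is empty and the constructor throws — which leaves external entity loading enabled process-wide for every test that runs afterwards. If the project's PHP baseline permits it, wrap everything from the `// build payload` comment through the `if ($can_load_entity)` block in `try { … } finally { libxml_disable_entity_loader($elLast); }`; otherwise guard the fixture read with `if ($payload === false) { $this->fail('missing xxe fixture'); }` before the sprintf and move the restore above `$this->assertNoPattern(...)` so a failing assertion cannot skip it. Two smaller points: `$path[0] != '/'` should be the strict `!==`, and `$chidren` is a typo for `$children`. The enclosing class ElggCoreRegressionBugsTest starts outside the hunk.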