Disable loading external entities during XML parsing

author: Steve Clay <steve@mrclay.org> 2013-07-11 13:24:01 -0400
committer: Paweł Sroka <srokap@gmail.com> 2013-11-04 03:34:21 +0100
commit: d53447f7e6b3277f3249d9a70e56ec01a90c3a60 (patch)
tree: a61fa62cef82fef01254849bbbd70dbf149e854a /engine/tests/regression
parent: 550ef1fe32fc8da940c42359f7a6347e65138c85 (diff)
download: elgg-d53447f7e6b3277f3249d9a70e56ec01a90c3a60.tar.gz
elgg-d53447f7e6b3277f3249d9a70e56ec01a90c3a60.tar.bz2
1 files changed, 10 insertions, 0 deletions
diff --git a/engine/tests/regression/trac_bugs.php b/engine/tests/regression/trac_bugs.php
index ef1348cf6..e6773c8af 100644
--- a/engine/tests/regression/trac_bugs.php
+++ b/engine/tests/regression/trac_bugs.php
@@ -373,4 +373,14 @@ class ElggCoreRegressionBugsTest extends ElggCoreUnitTest {
 		//delete group and annotations
 		$group->delete();
 	}
+
+	public function test_ElggXMLElement_does_not_load_external_entities() {
+		$payload = file_get_contents(dirname(dirname(__FILE__)) . '/test_files/xxe/request.xml');
+		$payload = sprintf($payload, 'file://' . realpath(dirname(dirname(__FILE__)) . '/test_files/xxe/external_entity.txt'));
+
+		$el = new ElggXMLElement($payload);
+		$chidren = $el->getChildren();
+		$content = $chidren[0]->getContent();
+		$this->assertNoPattern('/secret/', $content);
+	}
 }
author	Steve Clay <steve@mrclay.org>	2013-07-11 13:24:01 -0400
committer	Paweł Sroka <srokap@gmail.com>	2013-11-04 03:34:21 +0100
commit	d53447f7e6b3277f3249d9a70e56ec01a90c3a60 (patch)
tree	a61fa62cef82fef01254849bbbd70dbf149e854a /engine/tests/regression
parent	550ef1fe32fc8da940c42359f7a6347e65138c85 (diff)
download	elgg-d53447f7e6b3277f3249d9a70e56ec01a90c3a60.tar.gz elgg-d53447f7e6b3277f3249d9a70e56ec01a90c3a60.tar.bz2