aboutsummaryrefslogtreecommitdiff
path: root/engine/tests/regression
diff options
context:
space:
mode:
authorSteve Clay <steve@mrclay.org>2013-07-11 13:24:01 -0400
committerPaweł Sroka <srokap@gmail.com>2013-11-04 03:34:21 +0100
commitd53447f7e6b3277f3249d9a70e56ec01a90c3a60 (patch)
treea61fa62cef82fef01254849bbbd70dbf149e854a /engine/tests/regression
parent550ef1fe32fc8da940c42359f7a6347e65138c85 (diff)
downloadelgg-d53447f7e6b3277f3249d9a70e56ec01a90c3a60.tar.gz
elgg-d53447f7e6b3277f3249d9a70e56ec01a90c3a60.tar.bz2
Disable loading external entities during XML parsing
Diffstat (limited to 'engine/tests/regression')
-rw-r--r--engine/tests/regression/trac_bugs.php10
1 files changed, 10 insertions, 0 deletions
diff --git a/engine/tests/regression/trac_bugs.php b/engine/tests/regression/trac_bugs.php
index ef1348cf6..e6773c8af 100644
--- a/engine/tests/regression/trac_bugs.php
+++ b/engine/tests/regression/trac_bugs.php
@@ -373,4 +373,14 @@ class ElggCoreRegressionBugsTest extends ElggCoreUnitTest {
//delete group and annotations
$group->delete();
}
+
+ public function test_ElggXMLElement_does_not_load_external_entities() {
+ $payload = file_get_contents(dirname(dirname(__FILE__)) . '/test_files/xxe/request.xml');
+ $payload = sprintf($payload, 'file://' . realpath(dirname(dirname(__FILE__)) . '/test_files/xxe/external_entity.txt'));
+
+ $el = new ElggXMLElement($payload);
+ $chidren = $el->getChildren();
+ $content = $chidren[0]->getContent();
+ $this->assertNoPattern('/secret/', $content);
+ }
}