Disable loading external entities during XML parsing

author: Steve Clay <steve@mrclay.org> 2013-07-11 13:24:01 -0400
committer: Paweł Sroka <srokap@gmail.com> 2013-11-04 03:34:21 +0100
commit: d53447f7e6b3277f3249d9a70e56ec01a90c3a60 (patch)
tree: a61fa62cef82fef01254849bbbd70dbf149e854a /engine/tests/test_files/xxe
parent: 550ef1fe32fc8da940c42359f7a6347e65138c85 (diff)
download: elgg-d53447f7e6b3277f3249d9a70e56ec01a90c3a60.tar.gz
elgg-d53447f7e6b3277f3249d9a70e56ec01a90c3a60.tar.bz2
2 files changed, 9 insertions, 0 deletions
diff --git a/engine/tests/test_files/xxe/external_entity.txt b/engine/tests/test_files/xxe/external_entity.txt
new file mode 100644
index 000000000..536aca34d
--- /dev/null
+++ b/engine/tests/test_files/xxe/external_entity.txt
@@ -0,0 +1 @@
+secret
+\ No newline at end of file
diff --git a/engine/tests/test_files/xxe/request.xml b/engine/tests/test_files/xxe/request.xml
new file mode 100644
index 000000000..4390f9db2
--- /dev/null
+++ b/engine/tests/test_files/xxe/request.xml
@@ -0,0 +1,8 @@
+<?xml version="1.0"?>
+<!DOCTYPE foo [
+<!ELEMENT methodName ANY >
+<!ENTITY xxe SYSTEM "%s" >
+]>
+<methodCall>
+    <methodName>test&xxe;test</methodName>
+</methodCall>
author	Steve Clay <steve@mrclay.org>	2013-07-11 13:24:01 -0400
committer	Paweł Sroka <srokap@gmail.com>	2013-11-04 03:34:21 +0100
commit	d53447f7e6b3277f3249d9a70e56ec01a90c3a60 (patch)
tree	a61fa62cef82fef01254849bbbd70dbf149e854a /engine/tests/test_files/xxe
parent	550ef1fe32fc8da940c42359f7a6347e65138c85 (diff)
download	elgg-d53447f7e6b3277f3249d9a70e56ec01a90c3a60.tar.gz elgg-d53447f7e6b3277f3249d9a70e56ec01a90c3a60.tar.bz2