From d53447f7e6b3277f3249d9a70e56ec01a90c3a60 Mon Sep 17 00:00:00 2001
From: Steve Clay <steve@mrclay.org>
Date: Thu, 11 Jul 2013 13:24:01 -0400
Subject: Disable loading external entities during XML parsing

---
 engine/tests/regression/trac_bugs.php | 10 ++++++++++
 1 file changed, 10 insertions(+)

(limited to 'engine/tests/regression/trac_bugs.php')

diff --git a/engine/tests/regression/trac_bugs.php b/engine/tests/regression/trac_bugs.php
index ef1348cf6..e6773c8af 100644
--- a/engine/tests/regression/trac_bugs.php
+++ b/engine/tests/regression/trac_bugs.php
@@ -373,4 +373,14 @@ class ElggCoreRegressionBugsTest extends ElggCoreUnitTest {
 		//delete group and annotations
 		$group->delete();
 	}
+
+	public function test_ElggXMLElement_does_not_load_external_entities() {
+		$payload = file_get_contents(dirname(dirname(__FILE__)) . '/test_files/xxe/request.xml');
+		$payload = sprintf($payload, 'file://' . realpath(dirname(dirname(__FILE__)) . '/test_files/xxe/external_entity.txt'));
+
+		$el = new ElggXMLElement($payload);
+		$chidren = $el->getChildren();
+		$content = $chidren[0]->getContent();
+		$this->assertNoPattern('/secret/', $content);
+	}
 }
-- 
cgit v1.2.3


From 6eec301f33ff3e618d591d429de7edf30277e972 Mon Sep 17 00:00:00 2001
From: Paweł Sroka <srokap@gmail.com>
Date: Tue, 23 Jul 2013 08:28:30 +0200
Subject: Enhanced test

---
 engine/tests/regression/trac_bugs.php | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)

(limited to 'engine/tests/regression/trac_bugs.php')

diff --git a/engine/tests/regression/trac_bugs.php b/engine/tests/regression/trac_bugs.php
index e6773c8af..ea39253df 100644
--- a/engine/tests/regression/trac_bugs.php
+++ b/engine/tests/regression/trac_bugs.php
@@ -375,12 +375,26 @@ class ElggCoreRegressionBugsTest extends ElggCoreUnitTest {
 	}
 
 	public function test_ElggXMLElement_does_not_load_external_entities() {
+		$elLast = libxml_disable_entity_loader(false);
+
 		$payload = file_get_contents(dirname(dirname(__FILE__)) . '/test_files/xxe/request.xml');
-		$payload = sprintf($payload, 'file://' . realpath(dirname(dirname(__FILE__)) . '/test_files/xxe/external_entity.txt'));
+		$path = realpath(dirname(dirname(__FILE__)) . '/test_files/xxe/external_entity.txt');
+		$path = str_replace('\\', '/', $path);
+		if ($path[0] != '/') {
+			$path = '/' . $path;
+		}
+		$path = 'file://' . $path;
+		$payload = sprintf($payload, $path);
 
 		$el = new ElggXMLElement($payload);
 		$chidren = $el->getChildren();
 		$content = $chidren[0]->getContent();
 		$this->assertNoPattern('/secret/', $content);
+
+		//make sure the test is valid
+		$element = new SimpleXMLElement($payload);
+		$this->assertPattern('/secret/', (string)$element->methodName);
+
+		libxml_disable_entity_loader($elLast);
 	}
 }
-- 
cgit v1.2.3


From 7cacdc8bc26c98a58dc8986acfd911d6542608af Mon Sep 17 00:00:00 2001
From: Steve Clay <steve@mrclay.org>
Date: Wed, 31 Jul 2013 13:34:55 -0400
Subject: Emit notice if XXE can't be tested and skip test

---
 engine/tests/regression/trac_bugs.php | 21 +++++++++++++--------
 1 file changed, 13 insertions(+), 8 deletions(-)

(limited to 'engine/tests/regression/trac_bugs.php')

diff --git a/engine/tests/regression/trac_bugs.php b/engine/tests/regression/trac_bugs.php
index ea39253df..689275661 100644
--- a/engine/tests/regression/trac_bugs.php
+++ b/engine/tests/regression/trac_bugs.php
@@ -377,6 +377,7 @@ class ElggCoreRegressionBugsTest extends ElggCoreUnitTest {
 	public function test_ElggXMLElement_does_not_load_external_entities() {
 		$elLast = libxml_disable_entity_loader(false);
 
+		// build payload that should trigger loading of external entity
 		$payload = file_get_contents(dirname(dirname(__FILE__)) . '/test_files/xxe/request.xml');
 		$path = realpath(dirname(dirname(__FILE__)) . '/test_files/xxe/external_entity.txt');
 		$path = str_replace('\\', '/', $path);
@@ -384,16 +385,20 @@ class ElggCoreRegressionBugsTest extends ElggCoreUnitTest {
 			$path = '/' . $path;
 		}
 		$path = 'file://' . $path;
-		$payload = sprintf($payload, $path);
+		$payload = sprintf($payload, $path);
 
-		$el = new ElggXMLElement($payload);
-		$chidren = $el->getChildren();
-		$content = $chidren[0]->getContent();
-		$this->assertNoPattern('/secret/', $content);
-
-		//make sure the test is valid
+		// make sure we can actually this in this environment
 		$element = new SimpleXMLElement($payload);
-		$this->assertPattern('/secret/', (string)$element->methodName);
+		$can_load_entity = preg_match('/secret/', (string)$element->methodName);
+
+		$this->skipUnless($can_load_entity, "XXE vulnerability cannot be tested on this system");
+
+		if ($can_load_entity) {
+			$el = new ElggXMLElement($payload);
+			$chidren = $el->getChildren();
+			$content = $chidren[0]->getContent();
+			$this->assertNoPattern('/secret/', $content);
+		}
 
 		libxml_disable_entity_loader($elLast);
 	}
-- 
cgit v1.2.3