fix #382: XXE DoS in engelsystem

author: msquare <msquare@notrademark.de> 2017-12-13 16:59:28 +0100
committer: msquare <msquare@notrademark.de> 2017-12-13 16:59:28 +0100
commit: a8cf4b9ddf1b9ac68866db97372c14f6ceca1b12 (patch)
tree: 8660b8749d96aa65fd97b3c6dbf82b0c6e9beab4 /includes/pages
parent: cf7eb80a921f0f8a007587d192a9f57a239f64a8 (diff)
1 files changed, 3 insertions, 2 deletions
diff --git a/includes/pages/admin_import.php b/includes/pages/admin_import.php
index 9883c0d5..4faca183 100644
--- a/includes/pages/admin_import.php
+++ b/includes/pages/admin_import.php
@@ -1,7 +1,5 @@
 <?php
 
-use Engelsystem\Database\DB;
-
 /**
  * @return string
  */
@@ -82,6 +80,7 @@ function admin_import()
                 if (isset($_FILES['xcal_file']) && ($_FILES['xcal_file']['error'] == 0)) {
                     if (move_uploaded_file($_FILES['xcal_file']['tmp_name'], $import_file)) {
                         libxml_use_internal_errors(true);
+                        libxml_disable_entity_loader(true);
                         if (simplexml_load_file($import_file) === false) {
                             $valid = false;
                             error(_('No valid xml/xcal file provided.'));
@@ -425,6 +424,8 @@ function read_xml($file)
 {
     global $xml_import;
     if (!isset($xml_import)) {
+        libxml_use_internal_errors(true);
+        libxml_disable_entity_loader(true);
         $xml_import = simplexml_load_file($file);
     }
     return $xml_import;
author	msquare <msquare@notrademark.de>	2017-12-13 16:59:28 +0100
committer	msquare <msquare@notrademark.de>	2017-12-13 16:59:28 +0100
commit	a8cf4b9ddf1b9ac68866db97372c14f6ceca1b12 (patch)
tree	8660b8749d96aa65fd97b3c6dbf82b0c6e9beab4 /includes/pages
parent	cf7eb80a921f0f8a007587d192a9f57a239f64a8 (diff)