summaryrefslogtreecommitdiff
path: root/includes
diff options
context:
space:
mode:
authormsquare <msquare@notrademark.de>2017-12-13 16:59:28 +0100
committermsquare <msquare@notrademark.de>2017-12-13 16:59:28 +0100
commita8cf4b9ddf1b9ac68866db97372c14f6ceca1b12 (patch)
tree8660b8749d96aa65fd97b3c6dbf82b0c6e9beab4 /includes
parentcf7eb80a921f0f8a007587d192a9f57a239f64a8 (diff)
fix #382: XXE DoS in engelsystem
Diffstat (limited to 'includes')
-rw-r--r--includes/pages/admin_import.php5
1 files changed, 3 insertions, 2 deletions
diff --git a/includes/pages/admin_import.php b/includes/pages/admin_import.php
index 9883c0d5..4faca183 100644
--- a/includes/pages/admin_import.php
+++ b/includes/pages/admin_import.php
@@ -1,7 +1,5 @@
<?php
-use Engelsystem\Database\DB;
-
/**
* @return string
*/
@@ -82,6 +80,7 @@ function admin_import()
if (isset($_FILES['xcal_file']) && ($_FILES['xcal_file']['error'] == 0)) {
if (move_uploaded_file($_FILES['xcal_file']['tmp_name'], $import_file)) {
libxml_use_internal_errors(true);
+ libxml_disable_entity_loader(true);
if (simplexml_load_file($import_file) === false) {
$valid = false;
error(_('No valid xml/xcal file provided.'));
@@ -425,6 +424,8 @@ function read_xml($file)
{
global $xml_import;
if (!isset($xml_import)) {
+ libxml_use_internal_errors(true);
+ libxml_disable_entity_loader(true);
$xml_import = simplexml_load_file($file);
}
return $xml_import;