author | msquare <msquare@notrademark.de> | 2017-12-13 16:59:28 +0100 |
---|---|---|
committer | msquare <msquare@notrademark.de> | 2017-12-13 16:59:28 +0100 |
commit | a8cf4b9ddf1b9ac68866db97372c14f6ceca1b12 (patch) | |
tree | 8660b8749d96aa65fd97b3c6dbf82b0c6e9beab4 /includes | |
parent | cf7eb80a921f0f8a007587d192a9f57a239f64a8 (diff) |
fix #382: XXE DoS in engelsystem
Diffstat (limited to 'includes')
-rw-r--r-- | includes/pages/admin_import.php | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/includes/pages/admin_import.php b/includes/pages/admin_import.php
index 9883c0d5..4faca183 100644
--- a/includes/pages/admin_import.php
+++ b/includes/pages/admin_import.php
@@ -1,7 +1,5 @@
 <?php
 
-use Engelsystem\Database\DB;
-
 /**
  * @return string
  */
@@ -82,6 +80,7 @@ function admin_import()
 if (isset($_FILES['xcal_file']) && ($_FILES['xcal_file']['error'] == 0)) {
 if (move_uploaded_file($_FILES['xcal_file']['tmp_name'], $import_file)) {
 libxml_use_internal_errors(true);
+ libxml_disable_entity_loader(true);
 if (simplexml_load_file($import_file) === false) {
 $valid = false;
 error(_('No valid xml/xcal file provided.'));
@@ -425,6 +424,8 @@ function read_xml($file)
 {
 global $xml_import;
 if (!isset($xml_import)) {
+ libxml_use_internal_errors(true);
+ libxml_disable_entity_loader(true);
 $xml_import = simplexml_load_file($file);
 }
 return $xml_import;
|
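Review bot: In the `admin_import()` hunk, `libxml_disable_entity_loader(true)` is switched on and never restored, so the setting stays active for every later libxml use in the same process; the `read_xml()` hunk has the same issue. The call returns the previous value, so `$prev = libxml_disable_entity_loader(true);` before the parse and `libxml_disable_entity_loader($prev);` after it would scope the change to this import. It is also worth verifying on the deployed PHP/libxml2 build that `simplexml_load_file()` still opens ordinary local paths with the loader disabled, since file-based loaders have been reported to fail in that state; `simplexml_load_string(file_get_contents($import_file))` avoids the dependency. This call only blocks external entity loading, so expansion of internal entities still relies on libxml2's built-in limits. The body of `admin_import()` starts and ends outside the hunk.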
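Review bot: With `libxml_use_internal_errors(true)` added in `read_xml()`, a parse failure is now silent, and the `false` returned by `simplexml_load_file()` is stored in the global `$xml_import`. Because `isset()` is true for `false`, every later call in the request returns that cached `false` without retrying or reporting anything. The callers are outside the hunk, so whether they check for `false` cannot be confirmed here. An explicit guard before the return, e.g. `if ($xml_import === false) { error(_('No valid xml/xcal file provided.')); }`, would surface the failure. A docblock line such as `@return SimpleXMLElement|false` would document the contract.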