Disable external entities in ID3.

nacin · nacin · commit 5894507b9522 · 2014-08-05T19:13:57.000Z
git-svn-id: https://develop.svn.wordpress.org/trunk@29378 602fd350-edb4-49c9-b593-d223f7449a82
diff --git a/src/wp-includes/ID3/getid3.lib.php b/src/wp-includes/ID3/getid3.lib.php
@@ -519,11 +519,12 @@ public static function array_min($arraydata, $returnkey=false) {
 	}
 
 	public static function XML2array($XMLstring) {
-		if (function_exists('simplexml_load_string')) {
-			if (function_exists('get_object_vars')) {
-				$XMLobject = simplexml_load_string($XMLstring);
-				return self::SimpleXMLelement2array($XMLobject);
-			}
+		if ( function_exists( 'simplexml_load_string' ) && function_exists( 'libxml_disable_entity_loader' ) ) {
+			$loader = libxml_disable_entity_loader( true );
+			$XMLobject = simplexml_load_string( $XMLstring, 'SimpleXMLElement', LIBXML_NOENT );
+			$return = self::SimpleXMLelement2array( $XMLobject );
+			libxml_disable_entity_loader( $loader );
+			return $return;
 		}
 		return false;
 	}

Original file line number	Diff line number	Diff line change
`@@ -519,11 +519,12 @@ public static function array_min($arraydata, $returnkey=false) {`
`519`	`519`	`}`
`520`	`520`
`521`	`521`	`public static function XML2array($XMLstring) {`
`522`		`- if (function_exists('simplexml_load_string')) {`
`523`		`- if (function_exists('get_object_vars')) {`
`524`		`- $XMLobject = simplexml_load_string($XMLstring);`
`525`		`- return self::SimpleXMLelement2array($XMLobject);`
`526`		`- }`
	`522`	`+ if ( function_exists( 'simplexml_load_string' ) && function_exists( 'libxml_disable_entity_loader' ) ) {`
	`523`	`+ $loader = libxml_disable_entity_loader( true );`
	`524`	`+ $XMLobject = simplexml_load_string( $XMLstring, 'SimpleXMLElement', LIBXML_NOENT );`
	`525`	`+ $return = self::SimpleXMLelement2array( $XMLobject );`
	`526`	`+ libxml_disable_entity_loader( $loader );`
	`527`	`+ return $return;`
`527`	`528`	`}`
`528`	`529`	`return false;`
`529`	`530`	`}`