From 995d8d22c696eba27e8d1542ea4070a85afef1ea Mon Sep 17 00:00:00 2001 From: mark_story Date: Wed, 27 May 2015 09:45:53 -0400 Subject: [PATCH] Disable reading XML files and URLs when handling user data. Allowing users to load arbitrary files/URLs with Xml is not desirable when handing user input.
--- .../Component/RequestHandlerComponent.php | 2 +- lib/Cake/Test/Case/Utility/XmlTest.php | 22 +++++++++++++++++++ lib/Cake/Utility/Xml.php | 8 +++++-- 3 files changed, 29 insertions(+), 3 deletions(-)
diff --git a/lib/Cake/Controller/Component/RequestHandlerComponent.php b/lib/Cake/Controller/Component/RequestHandlerComponent.php
index 9d5581487..75bf26486 100644
--- a/lib/Cake/Controller/Component/RequestHandlerComponent.php
+++ b/lib/Cake/Controller/Component/RequestHandlerComponent.php
@@ -229,7 +229,7 @@ class RequestHandlerComponent extends Component {
 */
 public function convertXml($xml) {
 try {
- $xml = Xml::build($xml);
+ $xml = Xml::build($xml, ['readFile' => false]);
 if (isset($xml->data)) {
 return Xml::toArray($xml->data);
 }
diff --git a/lib/Cake/Test/Case/Utility/XmlTest.php b/lib/Cake/Test/Case/Utility/XmlTest.php
index 273801892..d97014445 100644
--- a/lib/Cake/Test/Case/Utility/XmlTest.php
+++ b/lib/Cake/Test/Case/Utility/XmlTest.php
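Review bot: The new argument on the changed line uses short array syntax, `['readFile' => false]`, which is a parse error on PHP releases before 5.4, while the rest of this patch (and the code around it) still writes `array(...)` — see `new HttpSocket(array('request' => array('redirect' => 10)))` and `$defaults = array(` in Xml.php. If this 2.x branch still targets PHP 5.3, this line and the two new test methods in XmlTest.php will not even compile, and in any case the mixed styles are inconsistent within one file. Proposed: `$xml = Xml::build($xml, array('readFile' => false));`. The body of convertXml continues past the hunk, so the catch side of this `try` is not visible here.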
@@ -167,6 +167,28 @@ class XmlTest extends CakeTestCase {
 $this->assertNotRegExp('/encoding/', $obj->saveXML());
 }
+/**
+ * Test that the readFile option disables local file parsing.
+ *
+ * @expectedException XmlException
+ * @return void
+ */
+ public function testBuildFromFileWhenDisabled() {
+ $xml = CAKE . 'Test' . DS . 'Fixture' . DS . 'sample.xml';
+ $obj = Xml::build($xml, ['readFile' => false]);
+ }
+
+/**
+ * Test that the readFile option disables local file parsing.
+ *
+ * @expectedException XmlException
+ * @return void
+ */
+ public function testBuildFromUrlWhenDisabled() {
+ $xml = 'http://www.google.com';
+ $obj = Xml::build($xml, ['readFile' => false]);
+ }
+
 /**
 * data provider function for testBuildInvalidData
 *
diff --git a/lib/Cake/Utility/Xml.php b/lib/Cake/Utility/Xml.php
index 0cd5e891b..74d88494d 100644
--- a/lib/Cake/Utility/Xml.php
+++ b/lib/Cake/Utility/Xml.php
@@ -77,6 +77,9 @@ class Xml {
 * - `return` Can be 'simplexml' to return object of SimpleXMLElement or 'domdocument' to return DOMDocument.
 * - `loadEntities` Defaults to false. Set to true to enable loading of ` 'simplexml', 'loadEntities' => false,
+ 'readFile' => true
 );
 $options += $defaults;
@@ -98,9 +102,9 @@ class Xml {
 return self::fromArray((array)$input, $options);
 } elseif (strpos($input, '<') !== false) {
 return self::_loadXml($input, $options);
- } elseif (file_exists($input)) {
+ } elseif ($options['readFile'] && file_exists($input)) {
 return self::_loadXml(file_get_contents($input), $options);
- } elseif (strpos($input, 'http://') === 0 || strpos($input, 'https://') === 0) {
+ } elseif ($options['readFile'] && strpos($input, 'http://') === 0 || strpos($input, 'https://') === 0) {
 try {
 $socket = new HttpSocket(array('request' => array('redirect' => 10)));
 $response = $socket->get($input);
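Review bot: testBuildFromUrlWhenDisabled only exercises an `http://` input, while the guard it is meant to cover in Xml::build also matches `https://`; a second case with an `https://` URL would exercise the other half of that condition and would have caught a bug in how the two URL checks are combined. Its docblock is also a copy of the file test's and reads "disables local file parsing" — for this method it should say `* Test that the readFile option disables remote URL fetching.`. Using a reserved, non-resolving name such as `https://example.invalid/` instead of a live third-party host would keep a future regression from making a real outbound request from the test suite. The `$obj` assignment in both tests is unused and can be dropped, since the expected exception is the whole assertion.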
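Review bot: The rewritten URL branch in the second Xml.php hunk does not actually honour `readFile` for HTTPS, because `&&` binds tighter than `||`: `$options['readFile'] && strpos($input, 'http://') === 0 || strpos($input, 'https://') === 0` is parsed as `(readFile && http) || https`, so an `https://` input is still fetched through HttpSocket even when the caller passed `'readFile' => false`, which is exactly what the RequestHandlerComponent change relies on. Parenthesise the URL test: `} elseif ($options['readFile'] && (strpos($input, 'http://') === 0 || strpos($input, 'https://') === 0)) {`. The file branch above it is fine. What Xml::build does with a non-XML string once both guarded branches are skipped lies outside the hunk; presumably it reaches the existing invalid-input exception the new tests expect, which is worth confirming.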