Disable reading XML files and URLs when handling user data.

Allowing users to load arbitrary files/URLs with Xml is not desirable when handing user input.
2025-01-31 09:06:17 +00:00 · 2015-05-27 09:45:53 -04:00 · 2015-05-27 09:45:53 -04:00 · 995d8d22c6
commit 995d8d22c6
parent dddc504f87
3 changed files with 29 additions and 3 deletions
--- a/lib/Cake/Controller/Component/RequestHandlerComponent.php
+++ b/lib/Cake/Controller/Component/RequestHandlerComponent.php
@ -229,7 +229,7 @@ class RequestHandlerComponent extends Component {
 */
 	public function convertXml($xml) {
 		try {
-			$xml = Xml::build($xml);
+			$xml = Xml::build($xml, ['readFile' => false]);
 			if (isset($xml->data)) {
 				return Xml::toArray($xml->data);
 			}
--- a/lib/Cake/Test/Case/Utility/XmlTest.php
+++ b/lib/Cake/Test/Case/Utility/XmlTest.php
@ -167,6 +167,28 @@ class XmlTest extends CakeTestCase {
 		$this->assertNotRegExp('/encoding/', $obj->saveXML());
 	}

+/**
+ * Test that the readFile option disables local file parsing.
+ *
+ * @expectedException XmlException
+ * @return void
+ */
+	public function testBuildFromFileWhenDisabled() {
+		$xml = CAKE . 'Test' . DS . 'Fixture' . DS . 'sample.xml';
+		$obj = Xml::build($xml, ['readFile' => false]);
+	}
+
+/**
+ * Test that the readFile option disables local file parsing.
+ *
+ * @expectedException XmlException
+ * @return void
+ */
+	public function testBuildFromUrlWhenDisabled() {
+		$xml = 'http://www.google.com';
+		$obj = Xml::build($xml, ['readFile' => false]);
+	}
+
 /**
 * data provider function for testBuildInvalidData
 *
--- a/lib/Cake/Utility/Xml.php
+++ b/lib/Cake/Utility/Xml.php
@ -77,6 +77,9 @@ class Xml {
 * - `return` Can be 'simplexml' to return object of SimpleXMLElement or 'domdocument' to return DOMDocument.
 * - `loadEntities` Defaults to false. Set to true to enable loading of `<!ENTITY` definitions. This
 *   is disabled by default for security reasons.
+ * - `readFile` Set to false to disable file reading. This is important to disable when
+ *   putting user data into Xml::build(). If enabled local & remote files will be read if they exist.
+ *   Defaults to true for backwards compatibility reasons.
 * - If using array as input, you can pass `options` from Xml::fromArray.
 *
 * @param string|array $input XML string, a path to a file, a URL or an array
@ -91,6 +94,7 @@ class Xml {
 		$defaults = array(
 			'return' => 'simplexml',
 			'loadEntities' => false,
+			'readFile' => true
 		);
 		$options += $defaults;

@ -98,9 +102,9 @@ class Xml {
 			return self::fromArray((array)$input, $options);
 		} elseif (strpos($input, '<') !== false) {
 			return self::_loadXml($input, $options);
-		} elseif (file_exists($input)) {
+		} elseif ($options['readFile'] && file_exists($input)) {
 			return self::_loadXml(file_get_contents($input), $options);
-		} elseif (strpos($input, 'http://') === 0 || strpos($input, 'https://') === 0) {
+		} elseif ($options['readFile'] && strpos($input, 'http://') === 0 || strpos($input, 'https://') === 0) {
 			try {
 				$socket = new HttpSocket(array('request' => array('redirect' => 10)));
 				$response = $socket->get($input);