From 2d121036ccb811ff3314e2eb12e469e895bfb95d Mon Sep 17 00:00:00 2001
From: Frederic Massart
Date: Tue, 10 Jun 2014 12:53:43 +0800
Subject: [PATCH] MDL-45463 mod_lti: Prevent XML entity injections from provider
---
 mod/lti/service.php | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/mod/lti/service.php b/mod/lti/service.php
index beae870997e..362f1e9751a 100644
--- a/mod/lti/service.php
+++ b/mod/lti/service.php
@@ -54,7 +54,14 @@ if ($sharedsecret === false) {
 throw new Exception('Message signature not valid');
 }
-$xml = new SimpleXMLElement($rawbody);
+// TODO MDL-46023 Replace this code with a call to the new library.
+$origentity = libxml_disable_entity_loader(true);
+$xml = simplexml_load_string($rawbody);
+if (!$xml) {
+ libxml_disable_entity_loader($origentity);
+ throw new Exception('Invalid XML content');
+}
+libxml_disable_entity_loader($origentity);
 $body = $xml->imsx_POXBody;
 foreach ($body->children() as $child) {
-- 
2.11.4.GIT
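Review bot: The failure test `if (!$xml)` is a truthiness check, and the restore call `libxml_disable_entity_loader($origentity);` is written once per exit path instead of once after the parse. simplexml_load_string() returns `false` when parsing fails, but a parsed element with no children or attributes also evaluates as false, so the strict comparison states the intent more precisely. Because the entity-loader switch is global to libxml rather than scoped to this call, restoring it directly after the parse leaves no later exit path that can skip it: `$xml = simplexml_load_string($rawbody);` `libxml_disable_entity_loader($origentity);` `if ($xml === false) {`. A one-line comment saying that the switch blocks external entity loading while provider-supplied XML is parsed would also help, since the TODO only points at MDL-46023. The foreach block that follows ends outside the hunk.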