authorBernhard Posselt <dev@bernhard-posselt.com>2014-11-23 17:14:29 +0100
committerBernhard Posselt <dev@bernhard-posselt.com>2014-11-23 17:14:29 +0100
commitcf0f54ef8474ee0ab84e8953459734f5cec601a9 (patch)
tree3f789e3561a171e86fcd3a9288d2bb61e7f3eb9d
parent8130e77fbafa3fbb07f6cf527b4735bf410cb5fe (diff)
udpate picofeed to fix xxe
-rw-r--r--CHANGELOG.md1
-rw-r--r--composer.lock8
-rw-r--r--vendor/autoload.php2
-rw-r--r--vendor/composer/autoload_real.php10
-rw-r--r--vendor/composer/installed.json10
-rw-r--r--vendor/fguillot/picofeed/lib/PicoFeed/Parser/XmlParser.php65
-rw-r--r--vendor/fguillot/picofeed/lib/PicoFeed/Rules/www.numerama.com.php5
7 files changed, 64 insertions, 37 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 596d41bab..cb58c7ec5 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,4 +1,5 @@
owncloud-news (4.2.0)
+* **Security**: Fix [XEE](https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing) vulnerability in picoFeed RSS library
* **Enhancement**: Add admin setting to set a custom explore service URL
* **Enhancement**: Add explore button and show explore button on startup
* **Enhancement**: Show a hint when no articles are available
diff --git a/composer.lock b/composer.lock
index 2a06a0a1a..f7d2160ee 100644
--- a/composer.lock
+++ b/composer.lock
@@ -57,12 +57,12 @@
"source": {
"type": "git",
"url": "https://github.com/fguillot/picoFeed.git",
- "reference": "e3e5bb1b09eaf8799761128bcf4f31e06f5bd432"
+ "reference": "c03c972a60a708d995dac7b0fe2107161dc9a338"
},
"dist": {
"type": "zip",
- "url": "https://api.github.com/repos/fguillot/picoFeed/zipball/e3e5bb1b09eaf8799761128bcf4f31e06f5bd432",
- "reference": "e3e5bb1b09eaf8799761128bcf4f31e06f5bd432",
+ "url": "https://api.github.com/repos/fguillot/picoFeed/zipball/c03c972a60a708d995dac7b0fe2107161dc9a338",
+ "reference": "c03c972a60a708d995dac7b0fe2107161dc9a338",
"shasum": ""
},
"require": {
@@ -86,7 +86,7 @@
],
"description": "Modern library to write or read feeds (RSS/Atom)",
"homepage": "http://fguillot.github.io/picoFeed",
- "time": "2014-11-21 00:59:35"
+ "time": "2014-11-23 15:47:57"
},
{
"name": "pear/net_url2",
diff --git a/vendor/autoload.php b/vendor/autoload.php
index 92a69093b..5e62a4d6f 100644
--- a/vendor/autoload.php
+++ b/vendor/autoload.php
@@ -4,4 +4,4 @@
require_once __DIR__ . '/composer' . '/autoload_real.php';
-return ComposerAutoloaderInita9c752e6b95fa896aa77ade3ff1d23dd::getLoader();
+return ComposerAutoloaderInit41392fc5dd4291cdd3bcf85c58151ffb::getLoader();
diff --git a/vendor/composer/autoload_real.php b/vendor/composer/autoload_real.php
index 63a364702..98280551c 100644
--- a/vendor/composer/autoload_real.php
+++ b/vendor/composer/autoload_real.php
@@ -2,7 +2,7 @@
// autoload_real.php @generated by Composer
-class ComposerAutoloaderInita9c752e6b95fa896aa77ade3ff1d23dd
+class ComposerAutoloaderInit41392fc5dd4291cdd3bcf85c58151ffb
{
private static $loader;
@@ -19,9 +19,9 @@ class ComposerAutoloaderInita9c752e6b95fa896aa77ade3ff1d23dd
return self::$loader;
}
- spl_autoload_register(array('ComposerAutoloaderInita9c752e6b95fa896aa77ade3ff1d23dd', 'loadClassLoader'), true, true);
+ spl_autoload_register(array('ComposerAutoloaderInit41392fc5dd4291cdd3bcf85c58151ffb', 'loadClassLoader'), true, true);
self::$loader = $loader = new \Composer\Autoload\ClassLoader();
- spl_autoload_unregister(array('ComposerAutoloaderInita9c752e6b95fa896aa77ade3ff1d23dd', 'loadClassLoader'));
+ spl_autoload_unregister(array('ComposerAutoloaderInit41392fc5dd4291cdd3bcf85c58151ffb', 'loadClassLoader'));
$includePaths = require __DIR__ . '/include_paths.php';
array_push($includePaths, get_include_path());
@@ -46,14 +46,14 @@ class ComposerAutoloaderInita9c752e6b95fa896aa77ade3ff1d23dd
$includeFiles = require __DIR__ . '/autoload_files.php';
foreach ($includeFiles as $file) {
- composerRequirea9c752e6b95fa896aa77ade3ff1d23dd($file);
+ composerRequire41392fc5dd4291cdd3bcf85c58151ffb($file);
}
return $loader;
}
}
-function composerRequirea9c752e6b95fa896aa77ade3ff1d23dd($file)
+function composerRequire41392fc5dd4291cdd3bcf85c58151ffb($file)
{
require $file;
}
diff --git a/vendor/composer/installed.json b/vendor/composer/installed.json
index 5fc9e6df0..94c5d704b 100644
--- a/vendor/composer/installed.json
+++ b/vendor/composer/installed.json
@@ -119,20 +119,20 @@
"source": {
"type": "git",
"url": "https://github.com/fguillot/picoFeed.git",
- "reference": "e3e5bb1b09eaf8799761128bcf4f31e06f5bd432"
+ "reference": "c03c972a60a708d995dac7b0fe2107161dc9a338"
},
"dist": {
"type": "zip",
- "url": "https://api.github.com/repos/fguillot/picoFeed/zipball/e3e5bb1b09eaf8799761128bcf4f31e06f5bd432",
- "reference": "e3e5bb1b09eaf8799761128bcf4f31e06f5bd432",
+ "url": "https://api.github.com/repos/fguillot/picoFeed/zipball/c03c972a60a708d995dac7b0fe2107161dc9a338",
+ "reference": "c03c972a60a708d995dac7b0fe2107161dc9a338",
"shasum": ""
},
"require": {
"php": ">=5.3.0"
},
- "time": "2014-11-21 00:59:35",
+ "time": "2014-11-23 15:47:57",
"type": "library",
- "installation-source": "source",
+ "installation-source": "dist",
"autoload": {
"psr-0": {
"PicoFeed": "lib/"
diff --git a/vendor/fguillot/picofeed/lib/PicoFeed/Parser/XmlParser.php b/vendor/fguillot/picofeed/lib/PicoFeed/Parser/XmlParser.php
index 580b66574..2b007e199 100644
--- a/vendor/fguillot/picofeed/lib/PicoFeed/Parser/XmlParser.php
+++ b/vendor/fguillot/picofeed/lib/PicoFeed/Parser/XmlParser.php
@@ -2,6 +2,7 @@
namespace PicoFeed\Parser;
+use Closure;
use DomDocument;
use DOMXPath;
use SimpleXmlElement;
@@ -43,14 +44,16 @@ class XmlParser
}
/**
- * Get a DomDocument instance or return false
+ * Scan the input for XXE attacks
*
- * @static
- * @access public
- * @param string $input XML content
- * @return mixed
+ * @param string $input Unsafe input
+ * @param Closure $callback Callback called to build the dom.
+ * Must be an instance of DomDocument and receives the input as argument
+ *
+ * @return bool|DomDocument False if an XXE attack was discovered,
+ * otherwise the return of the callback
*/
- public static function getDomDocument($input)
+ private static function scanInput($input, Closure $callback)
{
if (substr(php_sapi_name(), 0, 3) === 'fpm') {
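Review bot: The new docblock for `scanInput` misdescribes the `$callback` parameter: "Must be an instance of DomDocument" reads as if the closure itself were a DomDocument, whereas the callers in this commit pass closures that build and return one. I would reword it as `@param Closure $callback Receives the raw input and must return the DomDocument built from it`. This is the vendored picoFeed copy, so the wording fix belongs upstream as well. The body of `scanInput` continues past the end of this hunk.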
@@ -67,13 +70,7 @@ class XmlParser
libxml_use_internal_errors(true);
- $dom = new DomDocument;
- $dom->loadXml($input, LIBXML_NONET);
-
- // The document is empty, there is probably some parsing errors
- if ($dom->childNodes->length === 0) {
- return false;
- }
+ $dom = $callback($input);
// Scan for potential XEE attacks using ENTITY
foreach ($dom->childNodes as $child) {
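Review bot: The ENTITY scan on the lines after `$dom = $callback($input);` runs only after the callback has already parsed the untrusted input, so it detects entity declarations post hoc rather than preventing libxml from resolving them during the parse; `LIBXML_NONET` in the callbacks blocks network fetches but not local file references. Whether external entity loading is disabled beforehand is presumably handled in the part of `scanInput` outside this hunk (the `php_sapi_name()` branch above suggests a `libxml_disable_entity_loader`-style guard), which I cannot confirm from here; if it is not, the loader should be disabled before invoking the callback and restored afterwards. A comment such as `// entity loader must be disabled before this call; the scan below is a second line of defence only` at the callback line would make the intended ordering explicit. This is vendored picoFeed code, so any change should be raised upstream rather than patched here.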
@@ -88,27 +85,55 @@ class XmlParser
}
/**
- * Load HTML document by using a DomDocument instance or return false on failure
+ * Get a DomDocument instance or return false
*
* @static
* @access public
* @param string $input XML content
* @return mixed
*/
- public static function getHtmlDocument($input)
+ public static function getDomDocument($input)
{
- libxml_use_internal_errors(true);
+ $dom = self::scanInput($input, function ($in) {
+ $dom = new DomDocument;
+ $dom->loadXml($in, LIBXML_NONET);
+ return $dom;
+ });
- $dom = new DomDocument;
+ // The document is empty, there is probably some parsing errors
+ if ($dom && $dom->childNodes->length === 0) {
+ return false;
+ }
+
+ return $dom;
+ }
+ /**
+ * Load HTML document by using a DomDocument instance or return false on failure
+ *
+ * @static
+ * @access public
+ * @param string $input XML content
+ * @return mixed
+ */
+ public static function getHtmlDocument($input)
+ {
if (version_compare(PHP_VERSION, '5.4.0', '>=')) {
- $dom->loadHTML($input, LIBXML_NONET);
+ $callback = function ($in) {
+ $dom = new DomDocument;
+ $dom->loadHTML($in, LIBXML_NONET);
+ return $dom;
+ };
}
else {
- $dom->loadHTML($input);
+ $callback = function ($in) {
+ $dom = new DomDocument;
+ $dom->loadHTML($in);
+ return $dom;
+ };
}
- return $dom;
+ return self::scanInput($input, $callback);
}
/**
diff --git a/vendor/fguillot/picofeed/lib/PicoFeed/Rules/www.numerama.com.php b/vendor/fguillot/picofeed/lib/PicoFeed/Rules/www.numerama.com.php
index 5149c69ab..b6387da73 100644
--- a/vendor/fguillot/picofeed/lib/PicoFeed/Rules/www.numerama.com.php
+++ b/vendor/fguillot/picofeed/lib/PicoFeed/Rules/www.numerama.com.php
@@ -2,9 +2,10 @@
return array(
'test_url' => 'http://www.numerama.com/magazine/26857-bientot-des-robots-dans-les-cuisines-de-mcdo.html',
'body' => array(
- '//*[@id="general_content"]/table/tbody/tr/td[1]/div/div/div[6]/h2',
- '//div[@id="newstext"]',
+ '//div[@class="col_left"]//div[@class="content"]',
),
'strip' => array(
+ '//div[@class="news_social"]',
+ '//div[@id="newssuiv"]',
)
); \ No newline at end of file