authorBernhard Posselt <dev@bernhard-posselt.com>2015-01-27 09:17:15 +0100
committerBernhard Posselt <dev@bernhard-posselt.com>2015-01-27 09:17:15 +0100
commitfe3969f3759998d3f567a6769535640be69ea1e9 (patch)
tree774efc15376860697c0648e49bf8066317b0d118
parent32ec52747b7f2e25df273471bc6be480aa2dcca9 (diff)
remove XXE checks for loadHTML since it is apparently not possible to exploit it
-rw-r--r--appinfo/autoload.php11
-rw-r--r--articleenhancer/globalarticleenhancer.php11
-rw-r--r--articleenhancer/xpatharticleenhancer.php20
-rw-r--r--vendor/ZendXml/.gitignore5
-rw-r--r--vendor/ZendXml/.travis.yml29
-rw-r--r--vendor/ZendXml/README.md50
-rw-r--r--vendor/ZendXml/composer.json40
-rw-r--r--vendor/ZendXml/library/ZendXml/Exception/ExceptionInterface.php14
-rw-r--r--vendor/ZendXml/library/ZendXml/Exception/InvalidArgumentException.php17
-rw-r--r--vendor/ZendXml/library/ZendXml/Exception/RuntimeException.php17
-rw-r--r--vendor/ZendXml/library/ZendXml/Security.php168
-rw-r--r--vendor/ZendXml/tests/Bootstrap.php92
-rw-r--r--vendor/ZendXml/tests/ZendXmlTest/SecurityTest.php152
-rwxr-xr-xvendor/ZendXml/tests/phpunit.xml.dist27
-rw-r--r--vendor/ZendXml/vendor/autoload.php7
-rw-r--r--vendor/ZendXml/vendor/composer/ClassLoader.php383
-rw-r--r--vendor/ZendXml/vendor/composer/autoload_classmap.php9
-rw-r--r--vendor/ZendXml/vendor/composer/autoload_namespaces.php10
-rw-r--r--vendor/ZendXml/vendor/composer/autoload_psr4.php10
-rw-r--r--vendor/ZendXml/vendor/composer/autoload_real.php50
20 files changed, 14 insertions, 1108 deletions
diff --git a/appinfo/autoload.php b/appinfo/autoload.php
index 43af4eb33..8b24fea83 100644
--- a/appinfo/autoload.php
+++ b/appinfo/autoload.php
@@ -17,14 +17,3 @@
// composer libs
require_once __DIR__ . '/../vendor/autoload.php';
-
-// non composer libs
-$thirdPartyLibs = [
- '\ZendXML\Security' => 'ZendXml/vendor/autoload.php',
-];
-
-foreach ($thirdPartyLibs as $class => $path) {
- if (!class_exists($class)) {
- require_once __DIR__ . '/../vendor/' . $path;
- }
-}
diff --git a/articleenhancer/globalarticleenhancer.php b/articleenhancer/globalarticleenhancer.php
index 1939ca41c..004d92a9f 100644
--- a/articleenhancer/globalarticleenhancer.php
+++ b/articleenhancer/globalarticleenhancer.php
@@ -13,7 +13,8 @@
namespace OCA\News\ArticleEnhancer;
-use \ZendXml\Security;
+use DomDocument;
+use DOMXpath;
use \OCA\News\Db\Item;
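Review bot: `use DomDocument;` on the new side spells the class differently from the `new DOMDocument()` it is paired with in the next hunk and from `use DOMDocument;` in xpatharticleenhancer.php; PHP resolves class names case-insensitively, so it runs, but the mixed spelling trips grep and static analysers. Change it to `use DOMDocument;`. The kept `use \OCA\News\Db\Item;` also still carries the leading backslash the other imports in this commit drop.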
@@ -26,17 +27,15 @@ class GlobalArticleEnhancer implements ArticleEnhancer {
*/
public function enhance(Item $item) {
- $dom = new \DOMDocument();
+ $dom = new DOMDocument();
// wrap it inside a div if there is none to prevent invalid wrapping
// inside <p> tags
$body = '<div>' . $item->getBody() . '</div>';
- $isOk = Security::scanHtml(
- $body, $dom, LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD
- );
+ @$dom->loadHTML($body, LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD);
- $xpath = new \DOMXpath($dom);
+ $xpath = new DOMXpath($dom);
// remove youtube autoplay
// NOTE: PHP supports only XPath 1.0 so no matches() function :(
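Review bot: The replacement `@$dom->loadHTML($body, LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD);` drops the `LIBXML_NONET` option that the removed `Security::scanString` always OR-ed into the flags (its deleted line reads `$callback($xml, $dom, LIBXML_NONET | $libXmlConstants)`), and it discards the return value the old `$isOk` captured. libxml's HTML parser does not resolve DTD entities the way its XML parser does, which is presumably what the commit message relies on, but keeping network access disabled costs nothing and preserves the previous posture if the parser is ever handed a document that references an external resource; suggest `@$dom->loadHTML($body, LIBXML_NONET | LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD);`. The same dropped flag applies to both loadHTML calls in the xpatharticleenhancer.php hunks. enhance() continues past the end of this hunk.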
diff --git a/articleenhancer/xpatharticleenhancer.php b/articleenhancer/xpatharticleenhancer.php
index 42b2edf0c..67fbf78d2 100644
--- a/articleenhancer/xpatharticleenhancer.php
+++ b/articleenhancer/xpatharticleenhancer.php
@@ -13,15 +13,15 @@
namespace OCA\News\ArticleEnhancer;
-use \DOMDocument;
-use \DOMXpath;
+use DOMDocument;
+use DOMXpath;
-use \ZendXml\Security;
-use \PicoFeed\Encoding\Encoding;
+use PicoFeed\Encoding\Encoding;
-use \OCA\News\Utility\PicoFeedClientFactory;
+use OCA\News\Utility\PicoFeedClientFactory;
+
+use OCA\News\Db\Item;
-use \OCA\News\Db\Item;
class XPathArticleEnhancer implements ArticleEnhancer {
@@ -72,8 +72,7 @@ class XPathArticleEnhancer implements ArticleEnhancer {
}
$dom = new DOMDocument();
-
- $isOk = Security::scanHtml($body, $dom);
+ @$dom->loadHTML($body);
$xpath = new DOMXpath($dom);
$xpathResult = $xpath->evaluate($search);
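Review bot: The result of `@$dom->loadHTML($body);` is thrown away and `$xpath->evaluate($search)` runs regardless, whereas the later hunk in the same file keeps `$isOk` and returns early when the load fails; an empty or unparseable `$body` here (loadHTML returns false on an empty string, with the warning suppressed) therefore silently evaluates the XPath against an empty document. Mirror the other hunk: `$isOk = @$dom->loadHTML($body);` and bail out on `!$isOk` before the XPath evaluation, using whatever failure value the enclosing method already returns. The method's signature and its return lie outside this hunk.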
@@ -127,9 +126,8 @@ class XPathArticleEnhancer implements ArticleEnhancer {
}
$xmlString = '<div>' . $xmlString . '</div>';
- $isOk = Security::scanHtml(
- $xmlString, $dom, LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD
- );
+ $isOk = @$dom->loadHTML($xmlString, LIBXML_HTML_NOIMPLIED |
+ LIBXML_HTML_NODEFDTD);
if(!$isOk) {
return false;
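Review bot: The `@` in `$isOk = @$dom->loadHTML($xmlString, ...)` silences every warning the call raises, not only libxml parse noise, so malformed input leaves no trace that could be logged. The idiomatic way to keep the return-value check without the suppression operator is `libxml_use_internal_errors(true);` before the call and `libxml_clear_errors();` after it, which also makes `libxml_get_errors()` available for logging when `$isOk` is false. The same applies to the loadHTML calls in the two earlier hunks of this commit. The enclosing method starts and ends outside this hunk.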
diff --git a/vendor/ZendXml/.gitignore b/vendor/ZendXml/.gitignore
deleted file mode 100644
index 0a4f6e27f..000000000
--- a/vendor/ZendXml/.gitignore
+++ /dev/null
@@ -1,5 +0,0 @@
-composer.lock
-vendor
-.buildpath
-.project
-.settings
diff --git a/vendor/ZendXml/.travis.yml b/vendor/ZendXml/.travis.yml
deleted file mode 100644
index ad8db966f..000000000
--- a/vendor/ZendXml/.travis.yml
+++ /dev/null
@@ -1,29 +0,0 @@
-language: php
-php:
- - 5.3
- - 5.4
- - 5.5
- - 5.6
- - hhvm
-
-matrix:
- allow_failures:
- - php: hhvm
-
-before_install:
- # need to update libxml to 2.7.8 to be able to run tests using the
- # LIBXML_HTML_NODEFDTD and LIBXML_HTML_NOIMPLIED libxml constant
- - sudo apt-get update
- - sudo apt-get -o DPkg::Options::="--force-confold" -y upgrade
-
-before_script:
- - composer self-update
- - composer install --dev
-
-script:
- - ./vendor/bin/phpunit -c ./tests
- - ./vendor/bin/phpcs --standard=PSR2 --ignore=tests/Bootstrap.php library tests
-
-notifications:
- irc: "irc.freenode.org#zftalk.dev"
- email: false
diff --git a/vendor/ZendXml/README.md b/vendor/ZendXml/README.md
deleted file mode 100644
index 2c67008da..000000000
--- a/vendor/ZendXml/README.md
+++ /dev/null
@@ -1,50 +0,0 @@
-ZendXml
-=======
-
-An utility component for XML usage and best practices in PHP
-
-Installation
-------------
-
-You can install using:
-
-```
-curl -s https://getcomposer.org/installer | php
-php composer.phar install
-```
-
-Notice that this library doesn't have any external dependencies, the usage of composer is for autoloading and standard purpose.
-
-
-ZendXml\Security
-----------------
-
-This is a security component to prevent [XML eXternal Entity](https://www.owasp.org/index.php/XML_External_Entity_%28XXE%29_Processing) (XXE) and [XML Entity Expansion](http://projects.webappsec.org/w/page/13247002/XML%20Entity%20Expansion) (XEE) attacks on XML documents.
-
-The XXE attack is prevented disabling the load of external entities in the libxml library used by PHP, using the function [libxml_disable_entity_loader](http://www.php.net/manual/en/function.libxml-disable-entity-loader.php).
-
-The XEE attack is prevented looking inside the XML document for ENTITY usage. If the XML document uses ENTITY the library throw an Exception.
-
-We have two static methods to scan and load XML document from a string (scan) and from a file (scanFile). You can decide to get a SimpleXMLElement or DOMDocument as result, using the following use cases:
-
-```php
-use ZendXml\Security as XmlSecurity;
-
-$xml = <<<XML
-<?xml version="1.0"?>
-<results>
- <result>test</result>
-</results>
-XML;
-
-// SimpleXML use case
-$simplexml = XmlSecurity::scan($xml);
-printf ("SimpleXMLElement: %s\n", ($simplexml instanceof \SimpleXMLElement) ? 'yes' : 'no');
-
-// DOMDocument use case
-$dom = new \DOMDocument('1.0');
-$dom = XmlSecurity::scan($xml, $dom);
-printf ("DOMDocument: %s\n", ($dom instanceof \DOMDocument) ? 'yes' : 'no');
-```
-
-
diff --git a/vendor/ZendXml/composer.json b/vendor/ZendXml/composer.json
deleted file mode 100644
index 139f1e23b..000000000
--- a/vendor/ZendXml/composer.json
+++ /dev/null
@@ -1,40 +0,0 @@
-{
- "name": "zendframework/zendxml",
- "description": "Utility library for XML usage, best practices, and security in PHP",
- "type": "library",
- "license": "BSD-3-Clause",
- "keywords": [
- "zf2",
- "xml",
- "security"
- ],
- "homepage": "http://packages.zendframework.com/",
- "autoload": {
- "psr-0": {
- "ZendXml\\": "library/"
- }
- },
- "autoload-dev": {
- "psr-4": {
- "ZendTest\\Xml\\": "tests/ZendXmlTest/"
- }
- },
- "repositories": [
- {
- "type": "composer",
- "url": "http://packages.zendframework.com/"
- }
- ],
- "require": {
- "php": ">=5.3.3"
- },
- "extra": {
- "branch-alias": {
- "dev-master": "1.0-dev"
- }
- },
- "require-dev": {
- "phpunit/phpunit": "~3.7",
- "squizlabs/php_codesniffer": "~1.5"
- }
-}
diff --git a/vendor/ZendXml/library/ZendXml/Exception/ExceptionInterface.php b/vendor/ZendXml/library/ZendXml/Exception/ExceptionInterface.php
deleted file mode 100644
index c55eb9034..000000000
--- a/vendor/ZendXml/library/ZendXml/Exception/ExceptionInterface.php
+++ /dev/null
@@ -1,14 +0,0 @@
-<?php
-/**
- * Zend Framework (http://framework.zend.com/)
- *
- * @link http://github.com/zendframework/zf2 for the canonical source repository
- * @copyright Copyright (c) 2005-2014 Zend Technologies USA Inc. (http://www.zend.com)
- * @license http://framework.zend.com/license/new-bsd New BSD License
- */
-
-namespace ZendXml\Exception;
-
-interface ExceptionInterface
-{
-}
diff --git a/vendor/ZendXml/library/ZendXml/Exception/InvalidArgumentException.php b/vendor/ZendXml/library/ZendXml/Exception/InvalidArgumentException.php
deleted file mode 100644
index 0fef6b298..000000000
--- a/vendor/ZendXml/library/ZendXml/Exception/InvalidArgumentException.php
+++ /dev/null
@@ -1,17 +0,0 @@
-<?php
-/**
- * Zend Framework (http://framework.zend.com/)
- *
- * @link http://github.com/zendframework/zf2 for the canonical source repository
- * @copyright Copyright (c) 2005-2014 Zend Technologies USA Inc. (http://www.zend.com)
- * @license http://framework.zend.com/license/new-bsd New BSD License
- */
-
-namespace ZendXml\Exception;
-
-/**
- * Invalid argument exception
- */
-class InvalidArgumentException extends \InvalidArgumentException implements ExceptionInterface
-{
-}
diff --git a/vendor/ZendXml/library/ZendXml/Exception/RuntimeException.php b/vendor/ZendXml/library/ZendXml/Exception/RuntimeException.php
deleted file mode 100644
index b730da4ff..000000000
--- a/vendor/ZendXml/library/ZendXml/Exception/RuntimeException.php
+++ /dev/null
@@ -1,17 +0,0 @@
-<?php
-/**
- * Zend Framework (http://framework.zend.com/)
- *
- * @link http://github.com/zendframework/zf2 for the canonical source repository
- * @copyright Copyright (c) 2005-2014 Zend Technologies USA Inc. (http://www.zend.com)
- * @license http://framework.zend.com/license/new-bsd New BSD License
- */
-
-namespace ZendXml\Exception;
-
-/**
- * Runtime exception
- */
-class RuntimeException extends \RuntimeException implements ExceptionInterface
-{
-}
diff --git a/vendor/ZendXml/library/ZendXml/Security.php b/vendor/ZendXml/library/ZendXml/Security.php
deleted file mode 100644
index e97a54d77..000000000
--- a/vendor/ZendXml/library/ZendXml/Security.php
+++ /dev/null
@@ -1,168 +0,0 @@
-<?php
-/**
- * Zend Framework (http://framework.zend.com/)
- *
- * @link http://github.com/zendframework/zf2 for the canonical source repository
- * @copyright Copyright (c) 2005-2014 Zend Technologies USA Inc. (http://www.zend.com)
- * @license http://framework.zend.com/license/new-bsd New BSD License
- */
-namespace ZendXml;
-
-use DOMDocument;
-use SimpleXMLElement;
-
-class Security
-{
- const ENTITY_DETECT = 'Detected use of ENTITY in XML, disabled to prevent XXE/XEE attacks';
-
- /**
- * Heuristic scan to detect entity in XML
- *
- * @param string $xml
- * @throws Exception\RuntimeException
- */
- protected static function heuristicScan($xml)
- {
- if (strpos($xml, '<!ENTITY') !== false) {
- throw new Exception\RuntimeException(self::ENTITY_DETECT);
- }
- }
-
- /**
- * Scan XML string for potential XXE and XEE attacks
- *
- * @param string $xml
- * @param DomDocument $dom
- * @param int $libXmlConstants additional libxml constants to pass in
- * @param Callable $callback the callback to use to create the dom element
- * @throws Exception\RuntimeException
- * @return SimpleXMLElement|DomDocument|boolean
- */
- private static function scanString($xml, $dom, $libXmlConstants, $callback)
- {
- // If running with PHP-FPM we perform an heuristic scan
- // We cannot use libxml_disable_entity_loader because of this bug
- // @see https://bugs.php.net/bug.php?id=64938
- if (self::isPhpFpm()) {
- self::heuristicScan($xml);
- }
-
- if (null === $dom) {
- $simpleXml = true;
- $dom = new DOMDocument();
- }
-
- if (!self::isPhpFpm()) {
- $loadEntities = libxml_disable_entity_loader(true);
- $useInternalXmlErrors = libxml_use_internal_errors(true);
- }
-
- // Load XML with network access disabled (LIBXML_NONET)
- // error disabled with @ for PHP-FPM scenario
- set_error_handler(function ($errno, $errstr) {
- if (substr_count($errstr, 'DOMDocument::loadXML()') > 0) {
- return true;
- }
- return false;
- }, E_WARNING);
-
- $result = $callback($xml, $dom, LIBXML_NONET | $libXmlConstants);
-
- restore_error_handler();
-
- // Entity load to previous setting
- if (!self::isPhpFpm()) {
- libxml_disable_entity_loader($loadEntities);
- libxml_use_internal_errors($useInternalXmlErrors);
- }
-
- if (!$result) {
- return false;
- }
-
- // Scan for potential XEE attacks using ENTITY, if not PHP-FPM
- if (!self::isPhpFpm()) {
- foreach ($dom->childNodes as $child) {
- if ($child->nodeType === XML_DOCUMENT_TYPE_NODE) {
- if ($child->entities->length > 0) {
- throw new Exception\RuntimeException(self::ENTITY_DETECT);
- }
- }
- }
- }
-
- if (isset($simpleXml)) {
- $result = simplexml_import_dom($dom);
- if (!$result instanceof SimpleXMLElement) {
- return false;
- }
- return $result;
- }
- return $dom;
- }
-
- /**
- * Scan HTML string for potential XXE and XEE attacks
- *
- * @param string $xml
- * @param DomDocument $dom
- * @param int $libXmlConstants additional libxml constants to pass in
- * @throws Exception\RuntimeException
- * @return SimpleXMLElement|DomDocument|boolean
- */
- public static function scanHtml($html, DOMDocument $dom = null, $libXmlConstants = 0)
- {
- $callback = function ($html, $dom, $constants) {
- return $dom->loadHtml($html, $constants);
- };
- return self::scanString($html, $dom, $libXmlConstants, $callback);
- }
-
- /**
- * Scan XML string for potential XXE and XEE attacks
- *
- * @param string $xml
- * @param DomDocument $dom
- * @param int $libXmlConstants additional libxml constants to pass in
- * @throws Exception\RuntimeException
- * @return SimpleXMLElement|DomDocument|boolean
- */
- public static function scan($xml, DOMDocument $dom = null, $libXmlConstants = 0)
- {
- $callback = function ($xml, $dom, $constants) {
- return $dom->loadXml($xml, $constants);
- };
- return self::scanString($xml, $dom, $libXmlConstants, $callback);
- }
-
- /**
- * Scan XML file for potential XXE/XEE attacks
- *
- * @param string $file
- * @param DOMDocument $dom
- * @throws Exception\InvalidArgumentException
- * @return SimpleXMLElement|DomDocument
- */
- public static function scanFile($file, DOMDocument $dom = null)
- {
- if (!file_exists($file)) {
- throw new Exception\InvalidArgumentException(
- "The file $file specified doesn't exist"
- );
- }
- return self::scan(file_get_contents($file), $dom);
- }
-
- /**
- * Return true if PHP is running with PHP-FPM
- *
- * @return boolean
- */
- public static function isPhpFpm()
- {
- if (substr(php_sapi_name(), 0, 3) === 'fpm') {
- return true;
- }
- return false;
- }
-}
diff --git a/vendor/ZendXml/tests/Bootstrap.php b/vendor/ZendXml/tests/Bootstrap.php
deleted file mode 100644
index a9d0e6a55..000000000
--- a/vendor/ZendXml/tests/Bootstrap.php
+++ /dev/null
@@ -1,92 +0,0 @@
-<?php
-/**
- * Zend Framework (http://framework.zend.com/)
- *
- * @link http://github.com/zendframework/zf2 for the canonical source repository
- * @copyright Copyright (c) 2005-2014 Zend Technologies USA Inc. (http://www.zend.com)
- * @license http://framework.zend.com/license/new-bsd New BSD License
- * @package Zend
- */
-
-/**
- * Set error reporting to the level to which Zend Framework code must comply.
- */
-error_reporting( E_ALL | E_STRICT );
-
-if (class_exists('PHPUnit_Runner_Version', true)) {
- $phpUnitVersion = PHPUnit_Runner_Version::id();
- if ('@package_version@' !== $phpUnitVersion && version_compare($phpUnitVersion, '3.7.0', '<')) {
- echo 'This version of PHPUnit (' .
- PHPUnit_Runner_Version::id() .
- ') is not supported for ZendXml unit tests - use v 3.7.0 or higher.'
- . PHP_EOL
- ;
- exit(1);
- }
- unset($phpUnitVersion);
-}
-
-/**
- * Setup autoloading
- */
-// Try to use Composer autoloader
-if (file_exists(__DIR__ . '/../vendor/autoload.php')) {
- include_once __DIR__ . '/../vendor/autoload.php';
-}
-// ... or use a simple SPL autoloader
-else{
-
- // update include path
- set_include_path(implode(PATH_SEPARATOR, array(
- __DIR__.'/../src',
- __DIR__,
- get_include_path()
- )));
-
- /**
- * @link https://github.com/php-fig/fig-standards/blob/master/accepted/PSR-0.md#example-implementation
- */
- spl_autoload_register(function ($className) {
- $className = ltrim($className, '\\');
- $fileName = '';
- $namespace = '';
- if ($lastNsPos = strrpos($className, '\\')) {
- $namespace = substr($className, 0, $lastNsPos);
- $className = substr($className, $lastNsPos + 1);
- $fileName = str_replace('\\', DIRECTORY_SEPARATOR, $namespace) . DIRECTORY_SEPARATOR;
- }
- $fileName .= str_replace('_', DIRECTORY_SEPARATOR, $className) . '.php';
- require $fileName;
- });
-
-}
-
-/**
- * Code coverage option
- */
-if (defined('TESTS_GENERATE_REPORT') && TESTS_GENERATE_REPORT === true) {
- $codeCoverageFilter = new PHP_CodeCoverage_Filter();
-
- $lastArg = end($_SERVER['argv']);
- if (is_dir($zfCoreTests . '/' . $lastArg)) {
- $codeCoverageFilter->addDirectoryToWhitelist($zfCoreLibrary . '/' . $lastArg);
- } elseif (is_file($zfCoreTests . '/' . $lastArg)) {
- $codeCoverageFilter->addDirectoryToWhitelist(dirname($zfCoreLibrary . '/' . $lastArg));
- } else {
- $codeCoverageFilter->addDirectoryToWhitelist($zfCoreLibrary);
- }
-
- /*
- * Omit from code coverage reports the contents of the tests directory
- */
- $codeCoverageFilter->addDirectoryToBlacklist($zfCoreTests, '');
- $codeCoverageFilter->addDirectoryToBlacklist(PEAR_INSTALL_DIR, '');
- $codeCoverageFilter->addDirectoryToBlacklist(PHP_LIBDIR, '');
-
- unset($codeCoverageFilter);
-}
-
-/*
- * Unset global variables that are no longer needed.
- */
-unset($phpUnitVersion);
diff --git a/vendor/ZendXml/tests/ZendXmlTest/SecurityTest.php b/vendor/ZendXml/tests/ZendXmlTest/SecurityTest.php
deleted file mode 100644
index 0f0fbffba..000000000
--- a/vendor/ZendXml/tests/ZendXmlTest/SecurityTest.php
+++ /dev/null
@@ -1,152 +0,0 @@
-<?php
-/**
- * Zend Framework (http://framework.zend.com/)
- *
- * @link http://github.com/zendframework/zf2 for the canonical source repository
- * @copyright Copyright (c) 2005-2013 Zend Technologies USA Inc. (http://www.zend.com)
- * @license http://framework.zend.com/license/new-bsd New BSD License
- */
-namespace ZendTest\Xml;
-
-use ZendXml\Security as XmlSecurity;
-use ZendXml\Exception;
-use DOMDocument;
-use SimpleXMLElement;
-
-class SecurityTest extends \PHPUnit_Framework_TestCase
-{
- /**
- * @expectedException ZendXml\Exception\RuntimeException
- */
- public function testScanForXEE()
- {
- $xml = <<<XML
-<?xml version="1.0"?>
-<!DOCTYPE results [<!ENTITY harmless "completely harmless">]>
-<results>
- <result>This result is &harmless;</result>
-</results>
-XML;
-
- $this->setExpectedException('ZendXml\Exception\RuntimeException');
- $result = XmlSecurity::scan($xml);
- }
-
- public function testScanForXXE()
- {
- $file = tempnam(sys_get_temp_dir(), 'ZendXml_Security');
- file_put_contents($file, 'This is a remote content!');
- $xml = <<<XML
-<?xml version="1.0"?>
-<!DOCTYPE root
-[
-<!ENTITY foo SYSTEM "file://$file">
-]>