From cf0f54ef8474ee0ab84e8953459734f5cec601a9 Mon Sep 17 00:00:00 2001
From: Bernhard Posselt
Date: Sun, 23 Nov 2014 17:14:29 +0100
Subject: udpate picofeed to fix xxe
---
 CHANGELOG.md | 1 +
 composer.lock | 8 +--
 vendor/autoload.php | 2 +-
 vendor/composer/autoload_real.php | 10 ++--
 vendor/composer/installed.json | 10 ++--
 .../picofeed/lib/PicoFeed/Parser/XmlParser.php | 65 +++++++++++++++-------
 .../lib/PicoFeed/Rules/www.numerama.com.php | 5 +-
 7 files changed, 64 insertions(+), 37 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 596d41bab..cb58c7ec5 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,4 +1,5 @@
 owncloud-news (4.2.0)
+* **Security**: Fix [XEE](https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing) vulnerability in picoFeed RSS library
 * **Enhancement**: Add admin setting to set a custom explore service URL
 * **Enhancement**: Add explore button and show explore button on startup
 * **Enhancement**: Show a hint when no articles are available
diff --git a/composer.lock b/composer.lock
index 2a06a0a1a..f7d2160ee 100644
--- a/composer.lock
+++ b/composer.lock
@@ -57,12 +57,12 @@
 "source": {
 "type": "git",
 "url": "https://github.com/fguillot/picoFeed.git",
- "reference": "e3e5bb1b09eaf8799761128bcf4f31e06f5bd432"
+ "reference": "c03c972a60a708d995dac7b0fe2107161dc9a338"
 },
 "dist": {
 "type": "zip",
- "url": "https://api.github.com/repos/fguillot/picoFeed/zipball/e3e5bb1b09eaf8799761128bcf4f31e06f5bd432",
- "reference": "e3e5bb1b09eaf8799761128bcf4f31e06f5bd432",
+ "url": "https://api.github.com/repos/fguillot/picoFeed/zipball/c03c972a60a708d995dac7b0fe2107161dc9a338",
+ "reference": "c03c972a60a708d995dac7b0fe2107161dc9a338",
 "shasum": ""
 },
 "require": {
@@ -86,7 +86,7 @@
 ],
 "description": "Modern library to write or read feeds (RSS/Atom)",
 "homepage": "http://fguillot.github.io/picoFeed",
- "time": "2014-11-21 00:59:35"
+ "time": "2014-11-23 15:47:57"
 },
 {
 "name": "pear/net_url2",
diff --git a/vendor/autoload.php b/vendor/autoload.php
index 92a69093b..5e62a4d6f 100644
--- a/vendor/autoload.php
+++ b/vendor/autoload.php
@@ -4,4 +4,4 @@
 require_once __DIR__ . '/composer' . '/autoload_real.php';
-return ComposerAutoloaderInita9c752e6b95fa896aa77ade3ff1d23dd::getLoader();
+return ComposerAutoloaderInit41392fc5dd4291cdd3bcf85c58151ffb::getLoader();
diff --git a/vendor/composer/autoload_real.php b/vendor/composer/autoload_real.php
index 63a364702..98280551c 100644
--- a/vendor/composer/autoload_real.php
+++ b/vendor/composer/autoload_real.php
@@ -2,7 +2,7 @@
 // autoload_real.php @generated by Composer
-class ComposerAutoloaderInita9c752e6b95fa896aa77ade3ff1d23dd
+class ComposerAutoloaderInit41392fc5dd4291cdd3bcf85c58151ffb
 {
 private static $loader;
@@ -19,9 +19,9 @@ class ComposerAutoloaderInita9c752e6b95fa896aa77ade3ff1d23dd
 return self::$loader;
 }
- spl_autoload_register(array('ComposerAutoloaderInita9c752e6b95fa896aa77ade3ff1d23dd', 'loadClassLoader'), true, true);
+ spl_autoload_register(array('ComposerAutoloaderInit41392fc5dd4291cdd3bcf85c58151ffb', 'loadClassLoader'), true, true);
 self::$loader = $loader = new \Composer\Autoload\ClassLoader();
- spl_autoload_unregister(array('ComposerAutoloaderInita9c752e6b95fa896aa77ade3ff1d23dd', 'loadClassLoader'));
+ spl_autoload_unregister(array('ComposerAutoloaderInit41392fc5dd4291cdd3bcf85c58151ffb', 'loadClassLoader'));
 $includePaths = require __DIR__ . '/include_paths.php';
 array_push($includePaths, get_include_path());
@@ -46,14 +46,14 @@ class ComposerAutoloaderInita9c752e6b95fa896aa77ade3ff1d23dd
 $includeFiles = require __DIR__ . '/autoload_files.php';
 foreach ($includeFiles as $file) {
- composerRequirea9c752e6b95fa896aa77ade3ff1d23dd($file);
+ composerRequire41392fc5dd4291cdd3bcf85c58151ffb($file);
 }
 return $loader;
 }
 }
-function composerRequirea9c752e6b95fa896aa77ade3ff1d23dd($file)
+function composerRequire41392fc5dd4291cdd3bcf85c58151ffb($file)
 {
 require $file;
 }
diff --git a/vendor/composer/installed.json b/vendor/composer/installed.json
index 5fc9e6df0..94c5d704b 100644
--- a/vendor/composer/installed.json
+++ b/vendor/composer/installed.json
@@ -119,20 +119,20 @@
 "source": {
 "type": "git",
 "url": "https://github.com/fguillot/picoFeed.git",
- "reference": "e3e5bb1b09eaf8799761128bcf4f31e06f5bd432"
+ "reference": "c03c972a60a708d995dac7b0fe2107161dc9a338"
 },
 "dist": {
 "type": "zip",
- "url": "https://api.github.com/repos/fguillot/picoFeed/zipball/e3e5bb1b09eaf8799761128bcf4f31e06f5bd432",
- "reference": "e3e5bb1b09eaf8799761128bcf4f31e06f5bd432",
+ "url": "https://api.github.com/repos/fguillot/picoFeed/zipball/c03c972a60a708d995dac7b0fe2107161dc9a338",
+ "reference": "c03c972a60a708d995dac7b0fe2107161dc9a338",
 "shasum": ""
 },
 "require": {
 "php": ">=5.3.0"
 },
- "time": "2014-11-21 00:59:35",
+ "time": "2014-11-23 15:47:57",
 "type": "library",
- "installation-source": "source",
+ "installation-source": "dist",
 "autoload": {
 "psr-0": {
 "PicoFeed": "lib/"
diff --git a/vendor/fguillot/picofeed/lib/PicoFeed/Parser/XmlParser.php b/vendor/fguillot/picofeed/lib/PicoFeed/Parser/XmlParser.php
index 580b66574..2b007e199 100644
--- a/vendor/fguillot/picofeed/lib/PicoFeed/Parser/XmlParser.php
+++ b/vendor/fguillot/picofeed/lib/PicoFeed/Parser/XmlParser.php
@@ -2,6 +2,7 @@
 namespace PicoFeed\Parser;
+use Closure;
 use DomDocument;
 use DOMXPath;
 use SimpleXmlElement;
@@ -43,14 +44,16 @@ class XmlParser
 }
 /**
- * Get a DomDocument instance or return false
+ * Scan the input for XXE attacks
 *
- * @static
- * @access public
- * @param string $input XML content
- * @return mixed
+ * @param string $input Unsafe input
+ * @param Closure $callback Callback called to build the dom.
+ * Must be an instance of DomDocument and receives the input as argument
+ *
+ * @return bool|DomDocument False if an XXE attack was discovered,
+ * otherwise the return of the callback
 */
- public static function getDomDocument($input)
+ private static function scanInput($input, Closure $callback)
 {
 if (substr(php_sapi_name(), 0, 3) === 'fpm') {
@@ -67,13 +70,7 @@ class XmlParser
 libxml_use_internal_errors(true);
- $dom = new DomDocument;
- $dom->loadXml($input, LIBXML_NONET);
-
- // The document is empty, there is probably some parsing errors
- if ($dom->childNodes->length === 0) {
- return false;
- }
+ $dom = $callback($input);
 // Scan for potential XEE attacks using ENTITY
 foreach ($dom->childNodes as $child) {
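Review bot: The ENTITY scan in scanInput runs over `$dom->childNodes` only after `$dom = $callback($input)` has already parsed the document, so as far as these two hunks show it is a post-parse detection step: whatever libxml does with a DOCTYPE while loading has already happened by the time the scan looks at the result, and the actual restriction on the parse is whatever the callback passes (LIBXML_NONET in the XML callback) plus the `fpm` branch at the top of the function, whose body, like the rest of scanInput, lies outside the hunk. The docblock should state that split of responsibility, e.g. `* NOTE: post-parse check only; the callback must itself restrict the parse (LIBXML_NONET, entity-loader settings)`. The same point applies to the getHtmlDocument hunk that follows, where the PHP < 5.4 callback calls `$dom->loadHTML($in)` with no options argument, so on that path the scan is the only guard. The callback's return is also used unchecked although the docblock requires a DomDocument; `if (!$dom instanceof DomDocument) { return false; }` right after the call would pin that contract before the foreach. Since this file is vendored under vendor/, the change should be carried upstream in picoFeed rather than maintained only here.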
@@ -88,27 +85,55 @@ class XmlParser
 }
 /**
- * Load HTML document by using a DomDocument instance or return false on failure
+ * Get a DomDocument instance or return false
 *
 * @static
 * @access public
 * @param string $input XML content
 * @return mixed
 */
- public static function getHtmlDocument($input)
+ public static function getDomDocument($input)
 {
- libxml_use_internal_errors(true);
+ $dom = self::scanInput($input, function ($in) {
+ $dom = new DomDocument;
+ $dom->loadXml($in, LIBXML_NONET);
+ return $dom;
+ });
- $dom = new DomDocument;
+ // The document is empty, there is probably some parsing errors
+ if ($dom && $dom->childNodes->length === 0) {
+ return false;
+ }
+
+ return $dom;
+ }
+ /**
+ * Load HTML document by using a DomDocument instance or return false on failure
+ *
+ * @static
+ * @access public
+ * @param string $input XML content
+ * @return mixed
+ */
+ public static function getHtmlDocument($input)
+ {
 if (version_compare(PHP_VERSION, '5.4.0', '>=')) {
- $dom->loadHTML($input, LIBXML_NONET);
+ $callback = function ($in) {
+ $dom = new DomDocument;
+ $dom->loadHTML($in, LIBXML_NONET);
+ return $dom;
+ };
 } else {
- $dom->loadHTML($input);
+ $callback = function ($in) {
+ $dom = new DomDocument;
+ $dom->loadHTML($in);
+ return $dom;
+ };
 }
- return $dom;
+ return self::scanInput($input, $callback);
 }
 /**
diff --git a/vendor/fguillot/picofeed/lib/PicoFeed/Rules/www.numerama.com.php b/vendor/fguillot/picofeed/lib/PicoFeed/Rules/www.numerama.com.php
index 5149c69ab..b6387da73 100644
--- a/vendor/fguillot/picofeed/lib/PicoFeed/Rules/www.numerama.com.php
+++ b/vendor/fguillot/picofeed/lib/PicoFeed/Rules/www.numerama.com.php
@@ -2,9 +2,10 @@
 return array(
 'test_url' => 'http://www.numerama.com/magazine/26857-bientot-des-robots-dans-les-cuisines-de-mcdo.html',
 'body' => array(
- '//*[@id="general_content"]/table/tbody/tr/td[1]/div/div/div[6]/h2',
- '//div[@id="newstext"]',
+ '//div[@class="col_left"]//div[@class="content"]',
 ),
 'strip' => array(
+ '//div[@class="news_social"]',
+ '//div[@id="newssuiv"]',
 )
 );
\ No newline at end of file
-- 
cgit v1.2.3