MDL-45463 mod_lti: Prevent XML entity injections from provider

Frederic Massart 2014-06-10 12:53:43 +08:00 committed by Dan Poltawski
parent e29bb97c07
commit 78ed99ec7e


@ -58,7 +58,14 @@ if ($sharedsecret === false) {
throw new Exception('Message signature not valid');
}
$xml = new SimpleXMLElement($rawbody);
// TODO MDL-46023 Replace this code with a call to the new library.
$origentity = libxml_disable_entity_loader(true);
$xml = simplexml_load_string($rawbody);
if (!$xml) {
libxml_disable_entity_loader($origentity);
throw new Exception('Invalid XML content');
}
libxml_disable_entity_loader($origentity);
$body = $xml->imsx_POXBody;
foreach ($body->children() as $child) {
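Review bot: The entity loader state is restored in two separate places, once inside the `if (!$xml)` branch and once after it, so a later edit that adds another exit path could leave the process-wide libxml setting changed for the code that runs afterwards. Restoring once, directly after the parse, removes the duplication: `$xml = simplexml_load_string($rawbody);` `libxml_disable_entity_loader($origentity);` `if ($xml === false) {`. The strict comparison also matters because a SimpleXMLElement for an empty element without attributes evaluates to false, so `!$xml` reports a well-formed but empty document as 'Invalid XML content'. The surrounding script begins and ends outside the hunk, so whether other parses of `$rawbody` carry the same guard cannot be checked from here.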