MDL-26660 libraries: Improved XML validation before parsing

2025-04-15 21:45:37 +02:00 · 2012-11-16 11:34:20 +08:00 · 2012-11-16 11:34:20 +08:00 · f03671950f
commit f03671950f
parent c936a6af35
1 changed files with 28 additions and 8 deletions
--- a/lib/googleapi.php
+++ b/lib/googleapi.php
@ -81,11 +81,19 @@ class google_docs {
        if ($search) {
            $url.='?q='.urlencode($search);
        }
-        $content = $this->googleoauth->get($url);
-
-        $xml = new SimpleXMLElement($content);

        $files = array();
+        $content = $this->googleoauth->get($url);
+        try {
+            if (strpos($content, '<?xml') !== 0) {
+                throw new moodle_exception('invalidxmlresponse');
+            }
+            $xml = new SimpleXMLElement($content);
+        } catch (Exception $e) {
+            // An error occured while trying to parse the XML, let's just return nothing. SimpleXML does not
+            // return a more specific Exception, that's why the global Exception class is caught here.
+            return $files;
+        }
        foreach ($xml->entry as $gdoc) {
            $docid  = (string) $gdoc->children('http://schemas.google.com/g/2005')->resourceId;
            list($type, $docid) = explode(':', $docid);
@ -320,11 +328,17 @@ class google_picasa {
        $files = array();
        $content = $this->googleoauth->get(self::LIST_ALBUMS_URL);

-        if (empty($content)) {
+        try {
+            if (strpos($content, '<?xml') !== 0) {
+                throw new moodle_exception('invalidxmlresponse');
+            }
+            $xml = new SimpleXMLElement($content);
+        } catch (Exception $e) {
+            // An error occured while trying to parse the XML, let's just return nothing. SimpleXML does not
+            // return a more specific Exception, that's why the global Exception class is caught here.
            return $files;
        }

-        $xml = new SimpleXMLElement($content);
        foreach ($xml->entry as $album) {
            $gphoto = $album->children('http://schemas.google.com/photos/2007');

@ -355,11 +369,17 @@ class google_picasa {
     */
    public function get_photo_details($rawxml) {
        $files = array();
-        if (empty($rawxml)) {
+
+        try {
+            if (strpos($rawxml, '<?xml') !== 0) {
+                throw new moodle_exception('invalidxmlresponse');
+            }
+            $xml = new SimpleXMLElement($rawxml);
+        } catch (Exception $e) {
+            // An error occured while trying to parse the XML, let's just return nothing. SimpleXML does not
+            // return a more specific Exception, that's why the global Exception class is caught here.
            return $files;
        }
-
-        $xml = new SimpleXMLElement($rawxml);
        $this->lastalbumname = (string)$xml->title;

        foreach ($xml->entry as $photo) {