From 5894507b9522c190d1bca3556bd1f2673d9de510 Mon Sep 17 00:00:00 2001
From: Andrew Nacin <nacin@git.wordpress.org>
Date: Tue, 5 Aug 2014 19:13:57 +0000
Subject: [PATCH] Disable external entities in ID3.

git-svn-id: https://develop.svn.wordpress.org/trunk@29378 602fd350-edb4-49c9-b593-d223f7449a82
---
 src/wp-includes/ID3/getid3.lib.php | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/src/wp-includes/ID3/getid3.lib.php b/src/wp-includes/ID3/getid3.lib.php
index f8df233486..a7282c77c0 100644
--- a/src/wp-includes/ID3/getid3.lib.php
+++ b/src/wp-includes/ID3/getid3.lib.php
@@ -519,11 +519,12 @@ class getid3_lib
 	}
 
 	public static function XML2array($XMLstring) {
-		if (function_exists('simplexml_load_string')) {
-			if (function_exists('get_object_vars')) {
-				$XMLobject = simplexml_load_string($XMLstring);
-				return self::SimpleXMLelement2array($XMLobject);
-			}
+		if ( function_exists( 'simplexml_load_string' ) && function_exists( 'libxml_disable_entity_loader' ) ) {
+			$loader = libxml_disable_entity_loader( true );
+			$XMLobject = simplexml_load_string( $XMLstring, 'SimpleXMLElement', LIBXML_NOENT );
+			$return = self::SimpleXMLelement2array( $XMLobject );
+			libxml_disable_entity_loader( $loader );
+			return $return;
 		}
 		return false;
 	}