--- ZendFramework-1.11.11/library/Zend/XmlRpc/Response.php 2012-07-10 14:56:04.422364249 -0400
+++ ZendFramework-1.11.12/library/Zend/XmlRpc/Response.php 2012-06-19 12:03:28.000000000 -0400
@@ -14,7 +14,7 @@
 *
 * @category Zend
 * @package Zend_Controller
- * @copyright Copyright (c) 2005-2011 Zend Technologies USA Inc. (http://www.zend.com)
+ * @copyright Copyright (c) 2005-2012 Zend Technologies USA Inc. (http://www.zend.com)
 * @license http://framework.zend.com/license/new-bsd New BSD License
 */
@@ -35,9 +35,9 @@
 *
 * @category Zend
 * @package Zend_XmlRpc
- * @copyright Copyright (c) 2005-2011 Zend Technologies USA Inc. (http://www.zend.com)
+ * @copyright Copyright (c) 2005-2012 Zend Technologies USA Inc. (http://www.zend.com)
 * @license http://framework.zend.com/license/new-bsd New BSD License
- * @version $Id: Response.php 23775 2011-03-01 17:25:24Z ralph $
+ * @version $Id: Response.php 24976 2012-06-19 16:03:28Z matthew $
 */
 class Zend_XmlRpc_Response
 {
@@ -176,11 +176,15 @@
 return false;
 }
+ // @see ZF-12293 - disable external entities for security purposes
+ $loadEntities = libxml_disable_entity_loader(true);
+ $useInternalXmlErrors = libxml_use_internal_errors(true);
 try {
- $useInternalXmlErrors = libxml_use_internal_errors(true);
 $xml = new SimpleXMLElement($response);
+ libxml_disable_entity_loader($loadEntities);
 libxml_use_internal_errors($useInternalXmlErrors);
 } catch (Exception $e) {
+ libxml_disable_entity_loader($loadEntities);
 libxml_use_internal_errors($useInternalXmlErrors);
 // Not valid XML
 $this->_fault = new Zend_XmlRpc_Fault(651);
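Review bot: The `libxml_disable_entity_loader(true)` call added ahead of `new SimpleXMLElement($response)` only stops libxml from fetching *external* entities; entities declared inline in a `<!DOCTYPE>` of the response are still parsed, so an entity-expansion payload (the "billion laughs" pattern) from a hostile XML-RPC server is not addressed by this hunk. A cheap complement is to reject any document carrying a DOCTYPE before it reaches the parser, since a legitimate XML-RPC response never needs one; the byte-level check below is coarse (a UTF-16 payload would slip past it), so where acceptable pair it with a post-parse `dom_import_simplexml($xml)->ownerDocument->doctype` test. The two restore lines also deserve a why-comment such as `// restore the caller's libxml state on both paths (no finally at this PHP level)`, since the duplication otherwise looks accidental. The enclosing loadXml() begins and ends outside the hunk.
```php
// … unchanged: is_string() guard …
// Reject documents carrying a DTD: an inline DOCTYPE can declare
// entities whose expansion is not prevented by
// libxml_disable_entity_loader(), which only covers external ones.
if (strpos($response, '<!DOCTYPE') !== false) {
    $this->_fault = new Zend_XmlRpc_Fault(651);
    $this->_fault->setEncoding($this->getEncoding());
    return false;
}
// @see ZF-12293 - disable external entities for security purposes
$loadEntities = libxml_disable_entity_loader(true);
// … unchanged: try/catch around new SimpleXMLElement() …
```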
@@ -205,6 +209,7 @@
 try {
 if (!isset($xml->params) || !isset($xml->params->param) || !isset($xml->params->param->value)) {
+ require_once 'Zend/XmlRpc/Value/Exception.php';
 throw new Zend_XmlRpc_Value_Exception('Missing XML-RPC value in XML');
 }
 $valueXml = $xml->params->param->value->asXML();
--- ZendFramework-1.11.11/library/Zend/XmlRpc/Request.php 2011-03-01 12:25:24.000000000 -0500
+++ ZendFramework-1.11.12/library/Zend/XmlRpc/Request.php 2012-06-19 12:03:28.000000000 -0400
@@ -14,7 +14,7 @@
 *
 * @category Zend
 * @package Zend_Controller
- * @copyright Copyright (c) 2005-2011 Zend Technologies USA Inc. (http://www.zend.com)
+ * @copyright Copyright (c) 2005-2012 Zend Technologies USA Inc. (http://www.zend.com)
 * @license http://framework.zend.com/license/new-bsd New BSD License
 */
@@ -41,9 +41,9 @@
 *
 * @category Zend
 * @package Zend_XmlRpc
- * @copyright Copyright (c) 2005-2011 Zend Technologies USA Inc. (http://www.zend.com)
+ * @copyright Copyright (c) 2005-2012 Zend Technologies USA Inc. (http://www.zend.com)
 * @license http://framework.zend.com/license/new-bsd New BSD License
- * @version $Id: Request.php 23775 2011-03-01 17:25:24Z ralph $
+ * @version $Id: Request.php 24976 2012-06-19 16:03:28Z matthew $
 */
 class Zend_XmlRpc_Request
 {
@@ -303,12 +303,16 @@
 return false;
 }
+ // @see ZF-12293 - disable external entities for security purposes
+ $loadEntities = libxml_disable_entity_loader(true);
 try {
 $xml = new SimpleXMLElement($request);
+ libxml_disable_entity_loader($loadEntities);
 } catch (Exception $e) {
 // Not valid XML
 $this->_fault = new Zend_XmlRpc_Fault(631);
 $this->_fault->setEncoding($this->getEncoding());
+ libxml_disable_entity_loader($loadEntities);
 return false;
 }
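Review bot: Nothing in this hunk enables libxml internal error handling around `new SimpleXMLElement($request)`, unlike the Response.php change in the same patch, so a malformed request body — attacker-supplied on a server endpoint — still emits libxml E_WARNINGs before the exception is caught and the 631 fault is returned, which puts parser details into logs or, with display_errors on, into the reply. Mirror the other file: add `$useInternalXmlErrors = libxml_use_internal_errors(true);` next to the entity-loader save, and `libxml_use_internal_errors($useInternalXmlErrors);` both after the successful parse and in the catch block. The same caveat as for the response parser applies: disabling the entity loader covers external entities only, and a request carrying an inline `<!DOCTYPE>` with recursive entity declarations is still handed to the parser, so rejecting DOCTYPE-bearing requests up front (returning the 631 fault) would be the stronger guard. The enclosing loadXml() starts outside the hunk.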