unitas/net-analyzer/zabbix/files/2.2/patches/zbx8151.patch

54 lines
2.3 KiB
Diff
Raw Normal View History

2014-10-16 09:39:39 +02:00
Index: frontends/php/include/defines.inc.php
===================================================================
--- frontends/php/include/defines.inc.php (revision 46596)
+++ frontends/php/include/defines.inc.php (revision 46655)
@@ -835,6 +835,14 @@
define('ZBX_DEFAULT_IMPORT_HOST_GROUP', 'Imported hosts');
+// XML import flags
+// See ZBX-8151. Old version of libxml suffered from setting DTDLOAD and NOENT flags by default, which allowed
+// performing XXE attacks. Calling libxml_disable_entity_loader(true) also had no affect if flags passed to libxml
+// calls were 0 - so for better security with legacy libxml we need to call libxml_disable_entity_loader(true) AND
+// pass the LIBXML_NONET flag. Please keep in mind that LIBXML_NOENT actually EXPANDS entities, opposite to it's name -
+// so this flag is not needed here.
+define('LIBXML_IMPORT_FLAGS', LIBXML_NONET);
+
// API errors
define('ZBX_API_ERROR_INTERNAL', 111);
define('ZBX_API_ERROR_PARAMETERS', 100);
Index: frontends/php/include/classes/import/readers/CXmlImportReader.php
===================================================================
--- frontends/php/include/classes/import/readers/CXmlImportReader.php (revision 46596)
+++ frontends/php/include/classes/import/readers/CXmlImportReader.php (revision 46655)
@@ -32,7 +32,8 @@
*/
public function read($string) {
libxml_use_internal_errors(true);
- $result = simplexml_load_string($string);
+ libxml_disable_entity_loader(true);
+ $result = simplexml_load_string($string, null, LIBXML_IMPORT_FLAGS);
if (!$result) {
$errors = libxml_get_errors();
libxml_clear_errors();
Index: frontends/php/include/classes/import/CXmlImport18.php
===================================================================
--- frontends/php/include/classes/import/CXmlImport18.php (revision 46596)
+++ frontends/php/include/classes/import/CXmlImport18.php (revision 46655)
@@ -390,12 +390,13 @@
return $array;
}
- public static function import($file) {
+ public static function import($source) {
libxml_use_internal_errors(true);
+ libxml_disable_entity_loader(true);
$xml = new DOMDocument();
- if (!$xml->loadXML($file)) {
+ if (!$xml->loadXML($source, LIBXML_IMPORT_FLAGS)) {
$text = '';
foreach (libxml_get_errors() as $error) {
switch ($error->level) {